May 4–5, 2015: Archimedes Workshop in Ann Arbor, MI

Register now!

The 3rd Annual Archimedes Workshop on Medical Device Security will be held on May 4–5, 2015 at the University of Michigan in Ann Arbor. This invitation-only event brings together solution-oriented experts in medical device manufacturing and computer security to meet and discuss effective ways to improve information security and the new FDA guidance on cybersecurity.

The event is NOT open to the media, and all discussion will be considered off the record unless a speaker expressly gives permission to share. The primary goals are to: (1) introduce experts to each other to solve common problems, and (2) provide engineers with knowledge and anecdotes that help with internal processes to convince executive management of the ROI of improved medical device security.

Tutorials will follow the workshop during the afternoon of May 5, 2015. April 24 is the deadline for hotel reservations and early bird registration.

Please direct any questions to our staff at archimedes@umich.edu.

Hotels and Travel

Hotel Reservations: Note the new location. We have arranged for a group rate at the Ann Arbor Sheraton adjacent to the Briarwood Mall. To get the group rate, reserve by phone at (734) 996-0600 and mention the registration code "Archimedes Room Block." We will provide a scheduled shuttle to/from the hotel and workshop events.

For flights, we recommend arriving on Sunday, May 3rd. We will begin with a reception Sunday evening at the hotel. The technical agenda begins the morning of May 4th and ends by noon on May 5th. Tutorials take place on the afternoon of May 5th. DTW is the closest airport, about 25 minutes from Ann Arbor. All meetings will take place at the University of Michigan College of Engineering. U-M parking passes are available for $10 per day for those who do not wish to take advantage of the free shuttle. Please note your parking/shuttle preference on the registration page.

Speakers

  • Bill Aerts (Director of Information and Product Security, Medtronic)
    How to Work with Security Researchers
  • Mike Ahmadi (Global Director, Critical Systems Security, Codenomicon)
    From Vulnerability to Remediation--Harnessing Academic Knowledge
  • Homa Alemzadeh (PhD Student, University of Illinois)
    Robotic Tele-Surgical Systems: From Safety to Cybersecurity
  • Matt Braun (Director, Networking and Infrastructure, University of New Mexico Hospitals IT)
    Veni, Vidi, Vendors
  • Debra Bruemmer (Principal Information Security Analyst, Office of Information Security, Mayo Clinic)
    Cybersecurity Viewpoint from a Large Provider
  • Seth D. Carmody (Staff Fellow, Division of Chemistry and Toxicology Devices, U.S. Food and Drug Administration) (invited)
    I Can Has Cybersecurity
  • Patrick Jungles (Security Program Manager, Microsoft)
    Building-In Security at Microsoft
  • Chandu Ketkar (Technical Manager, Cigital) and Dan Lyon (Senior Consultant, Cigital)
    Technical and Economic Tradeoffs for Medical Device Security
  • Carl Landwehr (George Washington University)
    A Building Code for Software
  • Kevin McDonald (Director, Clinical Information Security, Office of Information Security, Mayo Clinic)
    Cybersecurity Viewpoint from a Large Provider
  • Michael McNeil (Global Product Security & Services Officer, Philips Healthcare)
    How to Work with Security Researchers
  • Soundharya Nagasubramanian (Director of Embedded Software, WelchAllyn)
    How to Work with Security Researchers
  • Ben Ransford (CTO, Virta Labs)
    Non-Intrusive Malware Detection for Embedded Systems
  • Dug Song/Jon Oberheide (Founders, Duo Security)
    Two Factor Authentication
  • Mikko Varpiola (Founder, Codenomicon)
    Hands-On Fuzz Testing Tutorial
  • Jenna Wiens (Assistant Professor, University of Michigan)
    Leveraging Data Across Time and Space to Build Predictive Models for Healthcare-Associated Infections
  • Fubin Wu (GessNet™)
    Tutorial on Risk Management and Cybersecurity

Tentative Schedule of Events

Archimedes begins at 8AM Monday, May 4 and runs through Tuesday, May 5 at noon. Following the workshop is a separate set of tutorials on the afternoon of May 5.

Most attendees come from large or small medical device manufacturers and level-I trauma centers. Most attendees have backgrounds in system engineering, regulatory affairs, and/or patient safety. Attendees recognize the growing problem of medical device security, but seek to meaningfully define the problem such that it becomes technically solvable, scientifically measurable, humanly acceptable, and economically feasible.

All discussion will be considered OFF THE RECORD unless a speaker expressly gives permission to share. The primary goals are to: (1) introduce experts to each other to solve common problems, and (2) provide engineers with knowledge and anecdotes that show the ROI of improved medical device security. The agenda consists of presentations by invited speakers as well as small break-out groups on focused topics to define problem spaces and find common ground. Registration includes the following meals: Monday, May 4th: Breakfast, Lunch, and Dinner; Tuesday, May 5th: Breakfast and Lunch. Attendees may optionally register for a technical tutorial on the afternoon of May 5th.

This workshop is by invitation only.

Workshop principles: No buying, no selling. Check your corporate and institutional affiliations at the door. This event is for technical problem solving and learning how to explain security engineering needs to executive management. Develop a support network of colleagues who are facing the same managerial and technical challenges.

Monday, May 4 (tentative!)

Time      Event
8:00AM    Bus leaves Sheraton Hotel
8:15AM    Bus leaves Arbor Lakes Parking Lot
8:15AM    Breakfast
8:45AM    Introductions
9:00AM    Session 1: Panel: How to Work with Security Researchers
          Bill Aerts (Director of Information and Product Security, Medtronic)
          Michael McNeil (Global Product Security & Services Officer, Philips Healthcare)
          Soundharya Nagasubramanian (Director of Embedded Software, WelchAllyn)
10:15AM   Coffee Break
10:45AM   Session 2: Clinical Perspectives
12:00PM   Lunch
1:00PM    Group Photo
1:15PM    Session 3: Operational and Security Engineering Perspectives
2:30PM    Coffee Break
2:45PM    Session 4: Cybersecurity Industry Perspectives
          Patrick Jungles (Security Program Manager, Microsoft)
4:00PM    Session 5: Break Out I: Discussions
5:00PM    Bus to dinner and Arbor Lakes
5:30PM    Gala Dinner at the Ann Arbor Hands-On Museum. Dress code: business casual.
9:00PM    Bus to Sheraton Hotel and Arbor Lakes

Tuesday, May 5 (tentative!)

Time      Event
8:00AM    Bus leaves Sheraton Hotel
8:20AM    Bus leaves Arbor Lakes Parking Lot
8:15AM    Breakfast
9:00AM    Session 6: Medical Device Security Research
10:15AM   Coffee Break
10:30AM   Session 7: Break Out II: Writing and Reporting Out
12:00PM   Box Lunch
1:00PM    Bus to Sheraton Hotel and Arbor Lakes parking (no return)
1:00PM    Membership Meetings and Optional Tutorials:
          Hands-On Fuzz Testing or
          Hazard Analysis with Security
3:00PM    Coffee Break
3:30PM    Tutorials Resume
5:00PM    Bus to Sheraton Hotel and Arbor Lakes parking

Tutorials

Tutorial: Hands-On Fuzz Testing of Real Medical Devices by Mikko Varpiola of Codenomicon

Who should attend:

Engineers, regulators, or providers who wish to better understand how to apply fuzz testing technology to medical device security.

Description:

In this hands-on tutorial, participants will use live fuzz testing on real medical devices to understand how to test for vulnerabilities in medical devices. Because this tutorial involves a large amount of physical equipment, the tutorial is limited to 20 people. We will assign teams to each fuzz testing workstation.

About the speaker:

Mikko Varpiola is a founder of Codenomicon.


Tutorial: Integrate Cybersecurity into Medical Device Risk Management by Fubin Wu of GessNet™

Who should attend:

Managers, engineers, researchers, regulators, and any other stakeholders who are interested in cybersecurity risk analysis for medical devices and how it relates to safety risk management. A basic understanding of medical device safety risk management is preferred, but not required for attending the tutorial.

Description:

The Food and Drug Administration (FDA) issued final guidance in October 2014, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The guidance lays out FDA’s expectations and requirements for cybersecurity information in medical device premarket submissions. In addition to the FDA, there are many other parties, such as hospitals and patients, concerned about cybersecurity as well. How to technically address cybersecurity risk and how to document it and communicate it among stakeholders is a new challenge. Many medical device manufacturers and healthcare organizations have established their safety risk management practices in compliance with applicable regulations or standards, such as the ISO 14971 risk management standard. How can cybersecurity risk analysis leverage the existing safety risk management framework? What is the relationship between cybersecurity and safety for medical devices? How to effectively document and communicate cybersecurity to meet the needs of various stakeholders?

This tutorial provides examples using GessNet™ TurboAC™ software to illustrate how medical device cybersecurity risk analysis can be comprehensively performed, and how the cybersecurity risk analysis results can be documented and communicated to assure various stakeholders that cybersecurity risk is adequately controlled. The tutorial will first take a quick look at medical device safety risk management practices, and then provide more detailed instructions on how to perform cybersecurity risk analysis for an example device, including how to manage interconnections between cybersecurity and safety risk analysis. The tutorial will also introduce assurance case methods and provide examples of how cybersecurity assurance cases can be generated and used as a communication vehicle to stakeholders.

After completing this tutorial, participants will have learned the fundamentals on how medical device cybersecurity risk analysis can be practically performed, how it can be integrated with safety risk analysis, and how it can be documented and communicated to relevant stakeholders.

About the speaker:

Fubin Wu is the Co-founder of GessNet™ (http://www.gessnet.com), a software solution and consulting service provider for medical device safety and cybersecurity risk management. He has designed the TurboAC™ risk management & assurance case software, in close communication with the FDA Office of Science & Engineering Lab (OSEL) and Office of Device Evaluation (ODE), and in collaboration with non-profit organizations, device manufacturers, hospitals, and industry experts. He is a voting member of the AAMI Medical Device Security working group, which is developing guidance for the application of ISO 14971 to security risk management. Fubin spent over 16 years on medical device quality management systems, hardware/software reliability engineering and risk management, serving in various roles from quality engineer to quality manager and quality director, and working on various medical device platforms: implantable devices and remote monitoring systems at Medtronic, infusion pumps at Hospira, and blood management standalone software devices at Haemonetics. Fubin has an MS degree in Electrical and Computer Engineering from Oregon Health & Science University (OHSU), and was a software developer at Intel prior to his career in the medical device industry.

Platinum Members:

Medtronic
Philips Healthcare
WelchAllyn
Siemens

Gala Dinner Sponsor:

Codenomicon
