Vanderbilt researchers receive $2 million ARPA-H contract to improve software security in medical devices

Vanderbilt Department of Computer Science researchers Kevin Leach and James Weimer have been awarded a $2 million contract from the Advanced Research Projects Agency for Health to develop technology aimed at improving software security in medical devices like insulin pumps, pacemakers and stroke predictors.  

This is the first contract Vanderbilt has received from ARPA-H, an independent entity within the National Institutes of Health with a mission to support “high-impact” solutions for pressing health care needs. Leach, assistant professor of computer science, is principal investigator on the contract, and Weimer is assistant professor of computer science and an expert in medical device security.  

Their proposal, called “BALAM-D: Binary Analysis Lodestar for Assuring Medical Devices,” will create a system that optimizes detection of software defects and vulnerabilities in medical devices and patches them quickly.

While advances in software have improved detection of security flaws, there is often a long delay between when vulnerabilities are discovered and when software fixes can be developed and deployed. 

“Unfortunately, medical device software may contain vulnerabilities that allow attackers to break in and change behavior” of the devices, said Weimer, who is a faculty affiliate with the Vanderbilt Institute for Software Integrated Systems and the Vanderbilt Institute for Surgery and Engineering. “This could result in things like uncontrolled insulin delivery, changes in heart electrical activity, and other effects resulting in injury or death for patients using these devices.” 

ARPA-H has worked to automatically patch medical device software where no source code is available. When medical devices are designed, software developers compile their source code into binary firmware files, which are not human-readable. Once a device is deployed, if a defect is found, engineers would have to fix the original source code, recompile it, and redeploy the firmware on affected devices. With BALAM-D, Vanderbilt researchers hope to fix defects without having to recompile and redeploy devices, ultimately shortening the time it takes to resolve vulnerabilities—thereby reducing risks associated with vulnerable devices. 

Professor Baris Kasikci at the University of Washington will join Leach and Weimer in developing design-time software to automatically detect and fix vulnerabilities in medical device firmware. The team will also work with Neuralert, a company co-founded by Weimer that makes a stroke detector that was named one of Time’s Best Inventions of 2022 and received FDA “Breakthrough Device” designation.  

“Working with Neuralert will be an excellent opportunity to drive real impact with the research we conduct at Vanderbilt,” said Leach, who is also affiliated with VU-ISIS. “I am thrilled to lead this project and to work with amazing students and engineers to build world-changing technology that will improve safety of and access to health care.”

The project will begin in June and continue for the next two years. 

“Congratulations to Kevin Leach and James Weimer on their outstanding research on software security and medical devices that has earned them this prestigious ARPA-H contract,” Vice Provost for Research and Innovation Padma Raghavan said. “They exemplify Vanderbilt’s culture of interdisciplinary research and entrepreneurship. The new technology they will be creating in collaboration with Neuralert will lead to secure medical devices to address several health care needs.”


About the Vanderbilt Institute for Software Integrated Systems 

Vanderbilt’s Institute for Software Integrated Systems is dedicated to training engineers and computer scientists to design systems that seamlessly integrate people, computers and physical processes. Serving as a national hub for research in cyber-physical systems, cyber-security, advanced transportation systems, the application of AI in engineered systems and the assurance of autonomous systems, VU-ISIS continues to pave the way for advancements in these critical fields. 

About the Vanderbilt Institute for Surgery and Engineering 

The Vanderbilt Institute for Surgery and Engineering fosters collaboration among engineers, computer scientists and physicians. VISE’s mission includes creating, developing, implementing, clinically evaluating and commercializing methods, devices, algorithms and systems to improve clinical processes and outcomes.