THaW paper at CIST (INFORMS)

THaW professor Eric Johnson (Vanderbilt) recently presented a new paper at the Conference on Information Systems and Technology (CIST), a division of INFORMS.

See the video abstract. A full version of the paper is under review at a journal.

Meaningful healthcare security: Does “Meaningful-use” attestation improve information security performance?
Juhee Kwon and M. Eric Johnson
Abstract:
Certification mechanisms are often employed to signal performance of difficult-to-observe management practices. In the healthcare sector, financial incentives linked to “meaningful-use” attestation have been a key policy initiative of the Obama administration to accelerate electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. Given the rapid push for safe digitization of patient data, this study examines how hospital attestation influences the occurrence of subsequent data breaches and also how breach performance is associated with penalties from prior breaches. Using a propensity score matching technique combined with a difference-in-differences approach, we analyze a matched sample of 869 U.S. hospitals. We find that hospitals that attest to having reached Stage-1 meaningful-use standards observe reduced external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches, but eventually see longer-term reductions. We do not find any link between malicious internal breaches and attestation. Further, we find that the interaction between meaningful-use attestation (carrot) and prior failure resulting in penalties (stick) enhances short-term reductions of accidental internal and external breaches. Our findings offer both theoretical and practical insights into the effective design of certification mechanisms and breach regulations.

DHS to investigate medical device security

The Department of Homeland Security (specifically the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT) is starting to investigate cyber-security vulnerabilities in medical devices, according to recent news reports.

THaW co-PI Kevin Fu commented on the story: “It’s very easy to sort of sensationalize these problems,” said Kevin Fu, who runs the Archimedes Research Center for Medical Device Security at the University of Michigan.

THaW’s Kevin Fu and Darren Lacey were both key players in this week’s FDA workshop “Collaborative Approaches for Medical Device and Healthcare Cybersecurity”.

THaW leads panel at Grace Hopper Conference

Two THaW researchers led a panel on designing mobile and wearable devices for health and wellness at the Grace Hopper Conference in Phoenix, Arizona on October 10th, 2014. The panel was co-hosted by Dr. Klara Nahrstedt (THaW Co-PI and Professor of Computer Science at UIUC), and Aarathi Prasad (Ph.D. Candidate at Dartmouth College). Panelists included Ruzena Bajcsy (Professor of EECS at UC Berkeley), Jung Ook Hong (research scientist at Fitbit), and Janet Campbell (product lead at Epic). The panel discussed issues related to usability, security, and privacy that mobile and wearable health and wellness application developers should be aware of. Jung discussed the effect that data presentation has on user’s behavior; for example, users are more likely to take 10,000 steps than 8,000 steps because they receive an encouraging message to take a few more steps to cross the daily 10,000 step-count goal. Ruzena talked about the challenges faced by elderly users of mHealth technologies, such as small fonts and complicated buttons on a device. Klara presented the security and privacy issues that arise when people use mobile and wearable health and wellness devices and discussed the different THaW projects briefly. Finally, Janet talked about the issues of sending data to an EHR, such as identifying the patient whose data is in the EHR.

photo of 5 panelists

Jung Ook Hong, Klara Nahrstedt, Ruzena Bajcsy, Janet Campbell, Aarathi Prasad

 

THaW’s Professor Kevin Fu on Slashdot

Professor Kevin Fu Answers Your Questions About Medical Device Security

Almost a year ago you had a chance to ask professor Kevin Fu about medical device security. A number of events (including the collapse of his house) conspired to delay the answering of those questions. Professor Fu has finally found respite from calamity, coincidentally at a time when the FDA has issued guidance on the security of medical devices. Below you’ll find his answers to your old but not forgotten questions.

Fu: I apologize for the year-long delay, but my queue has rather overflowed after part of my house collapsed. See slide #11 for more information on the delay.

Medical device security is a challenging area because it covers a rather large set of disciplines including software engineering, clinical care, patient safety, electrical engineering, human factors, physiology, regulatory affairs, cryptography, etc. There are a lot of well meaning security engineers who have not yet mastered the culture and principles of health care and medicine, and similarly there are a lot of well meaning medical device manufacturers who have not yet mastered the culture and principles of information security and privacy. I started out as a gopher handing out authentication tokens for a paperless medical record system at a hospital in the early 1990s, but in the last decade have focused my attention on security of embedded devices with application to health and wellness.

I huddled with graduate students from my SPQR Lab at Michigan, and we wrote up the following responses to the great questions. We were not able to answer every question, but readers can find years worth of in-depth technical papers on blog.secure-medicine.org and spqr.eecs.umich.edu/publications.php and thaw.org.

Link to the original slashdot posting here.

THaW on TV

Blog post from Professor Kevin Fu –

NBC Chicago interviews patients, physicians, and researchers on medical device security

The TV headline is hyperbolic, but the content is level headed.

Tammy Leitner of NBC Chicago interviewed a number of patients, physicians, and researchers about the challenges of medical device security. Here’s a link to the full video.

Had this interview happened in 2008, the tone would have likely been more confrontational. Remember when Archimedes researchers demonstrated radio-controlled security flaws in pacemaker/defibrillators (also see the Schneier commentary)? Back in 2008, manufacturers and FDA were not accustomed to interacting with security researchers reporting such software-based flaws. It’s completely understandable. Imagine if an unfamiliar person showed up at your front door to point out security problems of your house. The outcome might be unpleasant. Thus, interactions initially got off to a rocky start. But that’s the past.

Fast forward to 2014, and times have changed significantly for the better. The forward-thinking manufacturers, influential researchers, and health care providers regularly interact and help each other to improve medical device security. A few positive examples that brought researchers, clinicians, manufacturers, and regulators together include the draft technical information report on medical device cybersecurity by AAMI (the IETF equivalent of the medical manufacturing world), the Archimedes workshop, and the upcoming FDA workshop on medical device security.

So if you’re a future graduate student or budding security researcher, I’d encourage you to read the technical papers from the short history of medical device security. It’s no longer a cat-and-mouse game of pointing out buffer overflows and SQL injection attacks. The future is about interdisciplinary computing and health care research to produce technology, best practices, and policies that improve medical device security without interfering with the workflow or delivery of health care.

Link to original blog post here.

ZEBRA press

THaW’s article about Zero-Effort Bilateral Recurring Authentication (ZEBRA) triggered a lot of press coverage: such as Communications of the ACM (CACM)VICE Motherboard, Dartmouth NowGizmagThe Register UKPlanet Biometrics*, Computer Business Review*,  Fierce Health ITDaily Science NewsSenior Tech Insider, Motherboard, Homeland Security Newswire, and NFC World. They’re all intrigued by ZEBRA’s ability to continuously authenticate the user of a desktop terminal and to log them out if they leave or if someone else steps in to use the keyboard. Some(*) mistakenly believe our ZEBRA method uses biometrics; quite the contrary, ZEBRA is designed to be user-agnostic and thus requires no per-user training period. (ZEBRA correlates the bracelet wearer’s movements with the keyboard and mouse movements, not with a prior model of the wearer’s movements as do methods built on behavioral biometrics.)  ZEBRA could be combined with a biometric authentication of the wearer to the bracelet, and can be combined with other methods of initial authentication of wearer to system (such as username/password, or fingerprints) making it an extremely versatile tool that adds strength to existing approaches. The Dartmouth THaW team continues to refine ZEBRA. [Note: since the time this paper was published we have learned of a relevant trademark on the name “Zebra”. Thus, we have renamed our approach “BRACE” and will use that name in future publications.]

photo of Shimmer device on a wrist, wherein the hand is using a mouse and the other hand is using a keyboard

Our experiments used the Shimmer research device, though in principle it could work with any fitness band.

THaW annual meeting

Our team held its annual in-person meeting, this year on the edge of the Green on the beautiful campus of Dartmouth College. Two days of enriching technical talks about work in progress, brainstorming sessions about upcoming programs, and valued feedback from our NSF program officers… plus opportunities for our five-university group to build connections and collaborative bonds. A few hardy souls hiked to the top of nearby Mount Cardigan the morning after the meeting, in a stiff breeze that reminded us all Fall is approaching.

Group photo at the Dartmouth meeting, September 2014

Group photo at the Dartmouth meeting, September 2014

THaW hikers atop Mount Cardigan on a blustery NH day (AJ, Carl, Shrirang, David, Faraz).

THaW hikers atop Mount Cardigan on a blustery NH day (AJ, Carl, Shrirang, David, Faraz).

Jenna Wiens joins THaW team

Jenna Wiens is an Assistant Professor in EECS at the University of Michigan. In the fall of 2014, she joined the CSE division after completing her PhD at MIT.

Professor Wiens primary research interests lie at the intersection of machine learning and medicine. She especially enjoys solving the technical challenges that arise when considering the practical application of machine learning in clinical settings. Currently, she is focused on developing accurate patient risk stratification approaches that leverage data across time and space, with the ultimate goal of reducing the rate of healthcare-associated infections among patients admitted to hospitals in the US.

Information Leakage in Mobile Health Sensors and Applications

Anthony Louie recently completed his senior thesis, Information Leakage in Mobile Health Sensors and Applications. Here is the abstract from his thesis:

Mobile health sensors and applications are at risk to information leakage due to the vulnerabilities present on mobile platforms and the risks of using wireless sensors. A possible vulnerability that has not been adequately researched in this area however is data leakage related specifically to how the sensor and the mobile device are designed interact with each other. Such vulnerabilities may exist because of how the health sensors are implemented through the operating system and how hardware is used in the devices. Through an analysis of a mobile health sensor we provide an idea of the current state of mobile health sensor security.

A copy of Louie’s thesis can be found here – Anthony-Louie-Final-Information Leakage in Mobile Health Sensors and Applications

What it takes to move healthcare IT forward

rubin_thaw
What it takes to move healthcare IT forward
Professor Rubin discusses why health care security is different than other areas of IT security. He also delves into the challenges facing securing healthcare IT and why health care professionals are resistant to cybersecurity.He also provides insight in to the goals and objectives of the Thaw Project.For more see Professor Rubins interview in Tech Target — ThaW Researcher “Avi Rubin on what it takes to move healthcare IT security forward” June, 2014