Revisiting SETA to increase health data stewardship

Training for Information Security – A.J. Burns and M. Eric Johnson, Vanderbilt University

A.J. Burns photo (Vandebilt)

A.J. Burns, Vanderbilt

In today’s digital economy, the uses and users of organizational information are growing rapidly. Perhaps in no industry is this more evident than in the health sector. As the chain of custody of personal health information becomes increasingly complex, many organizations are seeking new ways to train employees to increase health data stewardship. The most common channel for organizational influence over employees’ security-related behaviors are the firm’s security education, training and awareness (SETA) initiatives, yet relatively little research has investigated theoretical approaches to understanding SETA’s motivational effectiveness.

portrait of Eric Johnson

M. Eric Johnson, Dean of the Owen School of Management

Recent research presented at the Hawaiian International Conference on Systems Sciences (HICSS 2015) provides a diagnostic approach to SETA’s influence on employee motivation through the lens of expectancy theory (also known as VIE Theory). The findings show that when it comes to motivating security behaviors, proactive and ommisive behaviors are influenced by distinct expectancy dimensions. Interestingly, expectancies (i.e., the perception that one’s effort will lead to behavior) and instrumentalities (i.e., the perception that one’s behavior will lead to a desired outcome) were positively related to information security precaution taking; while security valence (i.e., the perception that it is good to protect one’s firm from security threats) was negatively related to the withdrawal from information security-enhancing behaviors (or security psychological distancing). These results provide a framework for future study and should help organizations dealing with sensitive information develop SETA initiatives by targeting the distinct expectancy dimensions.

See the full paper at http://conferences.computer.org/hicss/2015/papers/7367d930.pdf

Dr. Avi Rubin to deliver keynote at the AMIA Annual Symposium

rubin_thawDr. Avi Rubin will be the opening keynote speaker at the upcoming AMIA (American Medical Informatics Association) Annual Symposium on November 14, 2015 to be held in San Francisco, CA. Dr. Rubin will focus his remarks on the vulnerability of medical devices and electronic health record systems. For more information about the upcoming AMIA symposium – Click here.

THaW quoted on Anthem story

When KQED radio needed input on the breaking news about the Anthem hacking incident, they reached out to THaW.  David Kotz, PI, is quoted in this brief story on KQED: ; the tagline is “California’s largest private insurer, Anthem, said on Wednesday it has been hacked. The insurer said hackers broke into databases that stored customers’ personal information such as birthdays, social security numbers and employment information.”

 

THaW goes to India

image of historic vidhana-soudha building in BangaloreTHaW PI David Kotz presented a keynote talk at the Workshop on Networked Healthcare Technologies (NetHealth) today in Bangalore, India. This talk provided an overview of the economic and technical trends leading to the THaW project, a summary of a few THaW projects underway, and a research agenda for security and privacy in healthcare IT. The talk was well received and was a wonderful opportunity for interchange of ideas in both the US and India contexts.

A ‘building code’ for building secure code in medical devices

Carl Landwehr portrait

Carl Landwehr

Last month, a broad mix of experts convened by THaW researcher Carl Landwehr convened in New Orleans to begin drafting a “building code” for medical-device software.  They’ve just released their report, and there is already talk about taking some of these ideas into the various standards bodies. Check out their report and feel free to leave comments on their site.  — dave

THaW at the mHealth Privacy & Security Symposium

Perhaps the largest annual event related to mHealth is the mHealth Summit, held near Washington DC.  Today, the summit kicked off with a Privacy & Security Symposium, including a panel on Medical Device Security anchored by both Kevin Fu and Darren Lacey from the THaW team.  Kevin, Darren and the other panelists spoke about some of the security concerns that medical devices pose for patients, clinicians, and hospitals.  The audience brought together a broad mix of medical practitioners, device and software vendors, security professionals, and computer scientists.

photo of the panelists

Kevin Fu and Darren Lacey at the center of a panel session at the mHealth Summit.

Constructing a ‘building code’ for medical device software security

The following summary of the recent ‘building code’ workshop sponsored in part by THaW held on November 19-21, 2014 is provided by Dr. Carl Landwehr —

Forty people with diverse backgrounds in medical device software development, standards, regulation, security, and software engineering met in New Orleans November 19-21 with the goal of constructing a “building code” for medical device software security and a related research agenda. The workshop was sponsored by National Science Foundation through both the Trustworthy Health and Wellness (THaW) center and a separate workshop grant to George Washington University’s Cyber Security Policy and Research Institute (CSPRI) as well as the IEEE Computer Society’s Cybersecurity initiative.

The idea of exploiting building code metaphor originated with THaW’s Carl Landwehr, who organized the meeting with the help of a Steering Group that included THaW leadership as well as several others from the worlds of medical devices, software engineering, and security. Tom Haigh, recently retired from Adventium, served as Vice-Chair.

Building codes for physical structures grow out of industry and professional society groups – suppliers, builders and architects – rather than from government, although adoption of codes by government provides the legal basis for enforcement.  Building codes generally apply to designs, building processes, and the finished product. Code enforcement relies on inspections of structures during construction and of the finished product and also on certification of the skills of the participants in the design, construction, and inspection processes. Inspectors must be knowledgeable and skilled, but the training requirement is not burdensome, and decisions as to whether a building meets the code or not are typically straightforward. Codes also take account of different domains of use of structures: code requirements for single-family dwellings differ from those for public buildings, for example. Although building codes arose largely from safety considerations (e.g. reducing the risk of widespread damage to cities from fires, hurricanes, or earthquakes), security from malicious attack has also motivated some aspects of building codes.

The workshop aimed to develop an analog to building codes focused on the security properties of software rather than the structure and characteristics of physical building.  The objective of this code for software security is to increase assurance that software developed for the domain of medical devices will be free of many of the security vulnerabilities that plague software generally.  Evidence to date is that a large fraction of exploitable security flaws are not design flaws but rather implementation flaws. An initial building code for medical device software security could focus on assuring that the final software that operates the device is free of these kinds of flaws, although it could address aspects of the development process as well.  For example, the code might specify that modules written in a language that permits buffer overflows be subject to particular inspection or testing requirements, while modules written in type-safe languages might require a lesser degree of testing but a stronger inspection of components that translate the source language to executable form.

About 35 separate items were proposed for inclusion in an initial draft building code. Although the final report is still in development, only about half of these elements are likely to be included in the consensus version of the code.

Several participants in the workshop who are active in related standards bodies and professional societies have indicated an interest in moving the code forward in those groups.

FDA visits NIST federal advisory committee on security and privacy (audio available)

As previously referenced in the official blog of the Ann Arbor Research Center for Medical Device Security,the NIST Information Security and Privacy Advisory Board (ISPAB) held a public panel on October 24, 2014 entitled “Updates on Embedded Device Cybersecurity: Medical Devices to Automobiles.”

Professor Kevin Fu has provided an audio recording of this meeting that can be found here — http://blog.secure-medicine.org/2014/10/fda-visits-nist-federal-advisory.html

THaW paper at CIST (INFORMS)

THaW professor Eric Johnson (Vanderbilt) recently presented a new paper at the Conference on Information Systems and Technology (CIST), a division of INFORMS.

See the video abstract. A full version of the paper is under review at a journal.

Meaningful healthcare security: Does “Meaningful-use” attestation improve information security performance?
Juhee Kwon and M. Eric Johnson
Abstract:
Certification mechanisms are often employed to signal performance of difficult-to-observe management practices. In the healthcare sector, financial incentives linked to “meaningful-use” attestation have been a key policy initiative of the Obama administration to accelerate electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. Given the rapid push for safe digitization of patient data, this study examines how hospital attestation influences the occurrence of subsequent data breaches and also how breach performance is associated with penalties from prior breaches. Using a propensity score matching technique combined with a difference-in-differences approach, we analyze a matched sample of 869 U.S. hospitals. We find that hospitals that attest to having reached Stage-1 meaningful-use standards observe reduced external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches, but eventually see longer-term reductions. We do not find any link between malicious internal breaches and attestation. Further, we find that the interaction between meaningful-use attestation (carrot) and prior failure resulting in penalties (stick) enhances short-term reductions of accidental internal and external breaches. Our findings offer both theoretical and practical insights into the effective design of certification mechanisms and breach regulations.

DHS to investigate medical device security

The Department of Homeland Security (specifically the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT) is starting to investigate cyber-security vulnerabilities in medical devices, according to recent news reports.

THaW co-PI Kevin Fu commented on the story: “It’s very easy to sort of sensationalize these problems,” said Kevin Fu, who runs the Archimedes Research Center for Medical Device Security at the University of Michigan.

THaW’s Kevin Fu and Darren Lacey were both key players in this week’s FDA workshop “Collaborative Approaches for Medical Device and Healthcare Cybersecurity”.