THaW on TV

Blog post from Professor Kevin Fu –

NBC Chicago interviews patients, physicians, and researchers on medical device security

The TV headline is hyperbolic, but the content is level-headed.

Tammy Leitner of NBC Chicago interviewed a number of patients, physicians, and researchers about the challenges of medical device security. Here’s a link to the full video.

Had this interview happened in 2008, the tone would have likely been more confrontational. Remember when Archimedes researchers demonstrated radio-controlled security flaws in pacemaker/defibrillators (also see the Schneier commentary)? Back in 2008, manufacturers and the FDA were not accustomed to interacting with security researchers reporting such software-based flaws. It’s completely understandable. Imagine if an unfamiliar person showed up at your front door to point out security problems of your house. The outcome might be unpleasant. Thus, interactions initially got off to a rocky start. But that’s the past.

Fast forward to 2014, and times have changed significantly for the better. The forward-thinking manufacturers, influential researchers, and health care providers regularly interact and help each other to improve medical device security. A few positive examples that brought researchers, clinicians, manufacturers, and regulators together include the draft technical information report on medical device cybersecurity by AAMI (the IETF equivalent of the medical manufacturing world), the Archimedes workshop, and the upcoming FDA workshop on medical device security.

So if you’re a future graduate student or budding security researcher, I’d encourage you to read the technical papers from the short history of medical device security. It’s no longer a cat-and-mouse game of pointing out buffer overflows and SQL injection attacks. The future is about interdisciplinary computing and health care research to produce technology, best practices, and policies that improve medical device security without interfering with the workflow or delivery of health care.

Link to original blog post here.

ZEBRA press

THaW’s article about Zero-Effort Bilateral Recurring Authentication (ZEBRA) triggered a lot of press coverage, including VICE Motherboard, Gizmag, The Register UK, Planet Biometrics*, Computer Business Review*, Fierce Health IT, Daily Science News, Senior Tech Insider, and NFC World. They’re all intrigued by ZEBRA’s ability to continuously authenticate the user of a desktop terminal and to log them out if they leave or if someone else steps in to use the keyboard. Some (*) mistakenly believe our ZEBRA method uses biometrics; quite the contrary, ZEBRA is designed to be user-agnostic and thus requires no per-user training period. (ZEBRA correlates the bracelet wearer’s movements with the keyboard and mouse movements as they happen, not with a prior model of the wearer’s movements, as methods built on behavioral biometrics do.) ZEBRA could be combined with biometric authentication of the wearer to the bracelet, and with other methods of initial authentication of the wearer to the system (such as username/password or fingerprints), making it an extremely versatile tool that adds strength to existing approaches. The Dartmouth THaW team continues to refine ZEBRA.
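The correlation idea described above, sketched as an added Python example. This is not the Dartmouth ZEBRA implementation: it assumes the bracelet’s accelerometer and gyroscope data has already been segmented and classified into a sequence of interaction labels by a step not shown here, and the window size, match threshold and grace count are illustrative values rather than ZEBRA’s published parameters. Both interaction streams below are constructed by hand.

```python
"""Sketch of ZEBRA-style zero-effort continuous authentication.

Added illustration; not the Dartmouth ZEBRA code.  Assumed here: the
bracelet's accelerometer/gyroscope data has already been segmented and
classified into interaction labels by a step not shown, and the terminal
reports the interactions it actually observed from keyboard and mouse
events.  Window, threshold and grace values are illustrative.
"""
from collections import deque

TYPING, SCROLLING, MKKM, IDLE = "typing", "scrolling", "mkkm", "idle"
# mkkm: the hand moving between keyboard and mouse; idle: the bracelet saw
# no terminal-like movement while the terminal did receive input.


def match_fraction(terminal_window, bracelet_window):
    """Share of positions where the bracelet's predicted interaction agrees
    with what the terminal observed.  No per-user model is involved: two
    simultaneous observations of the same hand are compared."""
    agree = sum(1 for t, b in zip(terminal_window, bracelet_window) if t == b)
    return agree / len(terminal_window)


def authenticate_stream(terminal, bracelet, window=5, threshold=0.6, grace=2):
    """Walk both interaction streams in lockstep and return the index of the
    interaction at which the session is deauthenticated, or None if the
    wearer stays authenticated throughout.  `grace` consecutive failing
    windows are tolerated so one noisy window does not log out a legitimate
    user."""
    if len(terminal) != len(bracelet):
        raise ValueError("streams must be aligned in time")
    failures = 0
    t_win, b_win = deque(maxlen=window), deque(maxlen=window)
    for i, (t, b) in enumerate(zip(terminal, bracelet)):
        t_win.append(t)
        b_win.append(b)
        if len(t_win) < window:
            continue  # not enough evidence yet
        if match_fraction(t_win, b_win) >= threshold:
            failures = 0
        else:
            failures += 1
            if failures >= grace:
                return i
    return None


# Constructed streams.  Legitimate session: the bracelet mislabels one
# interaction (index 5), which a single window absorbs.
LEGIT_TERMINAL = [TYPING] * 4 + [MKKM, SCROLLING, SCROLLING, MKKM] + [TYPING] * 6
LEGIT_BRACELET = [TYPING] * 4 + [MKKM, MKKM, SCROLLING, MKKM] + [TYPING] * 6

# Attack: after six interactions the wearer steps away and someone else uses
# the keyboard; the terminal keeps seeing input, the bracelet sees nothing.
ATTACK_TERMINAL = [TYPING] * 6 + [TYPING, SCROLLING, TYPING, TYPING, SCROLLING, TYPING, TYPING, TYPING]
ATTACK_BRACELET = [TYPING] * 6 + [IDLE] * 8

if __name__ == "__main__":
    print("legitimate user logged out at:", authenticate_stream(LEGIT_TERMINAL, LEGIT_BRACELET))
    print("intruder logged out at:", authenticate_stream(ATTACK_TERMINAL, ATTACK_BRACELET))
```

The threshold and grace count trade false lockouts of the legitimate wearer against how many interactions an intruder gets before logout; the real system must also solve the harder problems this sketch assumes away, namely segmenting raw wrist motion into interactions and classifying them without a per-user model.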

THaW annual meeting

Our team held its annual in-person meeting, this year on the edge of the Green on the beautiful campus of Dartmouth College. Two days of enriching technical talks about work in progress, brainstorming sessions about upcoming programs, and valued feedback from our NSF program officers… plus opportunities for our five-university group to build connections and collaborative bonds. A few hardy souls hiked to the top of nearby Mount Cardigan the morning after the meeting, in a stiff breeze that reminded us all Fall is approaching.

Group photo at the Dartmouth meeting, September 2014

THaW hikers atop Mount Cardigan on a blustery NH day (AJ, Carl, Shrirang, David, Faraz).

Jenna Wiens joins THaW team

Jenna Wiens is an Assistant Professor in EECS at the University of Michigan. In the fall of 2014, she joined the CSE division after completing her PhD at MIT.

Professor Wiens’s primary research interests lie at the intersection of machine learning and medicine. She especially enjoys solving the technical challenges that arise when considering the practical application of machine learning in clinical settings. Currently, she is focused on developing accurate patient risk stratification approaches that leverage data across time and space, with the ultimate goal of reducing the rate of healthcare-associated infections among patients admitted to hospitals in the US.

Information Leakage in Mobile Health Sensors and Applications

Anthony Louie recently completed his senior thesis, Information Leakage in Mobile Health Sensors and Applications. Here is the abstract from his thesis:

Mobile health sensors and applications are at risk of information leakage due to the vulnerabilities present on mobile platforms and the risks of using wireless sensors. A possible vulnerability that has not been adequately researched in this area, however, is data leakage related specifically to how the sensor and the mobile device are designed to interact with each other. Such vulnerabilities may exist because of how the health sensors are implemented through the operating system and how hardware is used in the devices. Through an analysis of a mobile health sensor we provide an idea of the current state of mobile health sensor security.

A copy of Louie’s thesis can be found here – Anthony-Louie-Final-Information Leakage in Mobile Health Sensors and Applications

What it takes to move healthcare IT forward

Professor Rubin discusses why health care security is different from other areas of IT security. He also delves into the challenges of securing healthcare IT and why health care professionals are resistant to cybersecurity, and he provides insight into the goals and objectives of the THaW project. For more, see Professor Rubin’s interview in TechTarget: “Avi Rubin on what it takes to move healthcare IT security forward”, June 2014.

Security Threats to Android Apps

Dongjing He recently submitted her thesis, Security Threats to Android Apps, for her MS degree at the University of Illinois at Urbana-Champaign. Her research addresses two sources of security vulnerabilities in mobile applications: deficiencies in mobile app development and design ambiguities in the Android operating system. Specifically, she used a three-stage study of mHealth apps to investigate potential breach opportunities arising from the reliance on unsecured Internet communications and third-party servers. She also researched and discovered side-channel leaks on Android devices. She proposes defense strategies for both classes of vulnerability.

Coverage of He’s work can be found in these two articles:

http://mobihealthnews.com/33828/student-study-of-android-health-apps-most-prevalent-security-issues/

http://healthitsecurity.com/2014/06/09/mhealth-android-app-security-review-attack-surfaces/

Avi Rubin on what it takes to move healthcare IT security forward

Avi Rubin was recently interviewed by Marcus J. Ranum on the issues surrounding healthcare IT security.  The interview appeared on TechTarget.

Avi offers answers to some of the most perplexing issues surrounding healthcare IT security:

  • What makes healthcare IT different from other areas of IT security?
  • What are some of the major challenges facing the delivery of a secure healthcare IT infrastructure?
  • Why are health care professionals resistant to attempts at securing healthcare IT?

Avi also provides insight into the goals of the THaW project, and the difference between destructive and constructive security research.

The interview is well worth a few minutes of your time.


Privacy and Security in the Genomic Era (preprint)

Carl Gunter’s THaW group has released an article on “Privacy and Security in the Genomic Era”, submitted to ACM Computing Surveys. This article contains a lot more than a literature survey, and it should be useful for newcomers to this area. For convenience, a preprint is available on arXiv, and the abstract is below.

They also created an online tutorial (with text, images and videos) covering the basic biology required to understand this paper (and genomic privacy papers in general).

Authors: Muhammad Naveed, Erman Ayday, Ellen W. Clayton, Jacques Fellay, Carl A. Gunter, Jean-Pierre Hubaux, Bradley A. Malin, XiaoFeng Wang

Abstract:

Genome sequencing technology has advanced at a rapid pace and it is now possible to generate highly-detailed genotypes inexpensively. The collection and analysis of such data has the potential to support various applications, including personalized medical services. While the benefits of the genomics revolution are trumpeted by the biomedical community, the increased availability of such data has major implications for personal privacy; notably because the genome has certain essential features, which include (but are not limited to) (i) an association with certain diseases, (ii) identification capability (e.g., forensics), and (iii) revelation of family relationships. Moreover, direct-to-consumer DNA testing increases the likelihood that genome data will be made available in less regulated environments, such as the Internet and for-profit companies. The problem of genome data privacy thus resides at the crossroads of computer science, medicine, and public policy. While computer scientists have addressed data privacy for various data types, there has been less attention dedicated to genomic data. Thus, the goal of this paper is to provide a systematization of knowledge for the computer science community. In doing so, we address some of the (sometimes erroneous) beliefs of this field and we report on a survey we conducted about genome data privacy with biomedical specialists. Then, after characterizing the genome privacy problem, we review the state-of-the-art regarding privacy attacks on genomic data and strategies for mitigating such attacks, as well as contextualizing these attacks from the perspective of medicine and public policy. This paper concludes with an enumeration of the challenges for genome data privacy and presents a framework to systematize the analysis of threats and the design of countermeasures as the field moves forward.
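To make points (ii) and (iii) of the abstract concrete, here is an added Python example that is not from the paper or its authors. It builds a synthetic genotype database with a fixed random seed, shows that an unlabelled genotype matches exactly one named record (identification), and picks out a parent-child pair because they never share zero alleles at a locus (a family relationship). The identity-by-state heuristic, the allele-frequency range, the locus count and the population size are illustrative assumptions; the survey covers far more sophisticated attacks.

```python
"""Why a genome identifies its owner and reveals relatives, on synthetic data.

Added illustration; not code from the survey.  Genotypes are coded 0/1/2
(count of one chosen allele at each locus) and drawn from a fixed-seed RNG
so the run is reproducible.  Identity-by-state (IBS) is used as a simple
relatedness heuristic; allele-frequency range, locus count and population
size are illustrative assumptions.
"""
import random

N_SNPS = 300
rng = random.Random(2014)


def random_genotype(freqs):
    """An unrelated individual: two alleles drawn independently per locus."""
    return [int(rng.random() < p) + int(rng.random() < p) for p in freqs]


def child_of(mother, father):
    """Mendelian transmission: the child receives one allele from each parent
    at every locus (a heterozygous parent passes either allele with prob. 1/2)."""
    def transmit(g):
        return g // 2 if g != 1 else int(rng.random() < 0.5)
    return [transmit(m) + transmit(f) for m, f in zip(mother, father)]


def ibs0_rate(a, b):
    """Fraction of loci at which two genotypes share no allele (one is 0, the
    other 2).  A parent and child always share an allele, so this is exactly
    0 for them, while unrelated pairs show a clearly positive rate."""
    return sum(1 for x, y in zip(a, b) if abs(x - y) == 2) / len(a)


def identify(sample, database):
    """Names of database records whose genotype equals the sample exactly:
    an 'anonymous' genotype is re-identified by lookup against named data."""
    return [name for name, g in database.items() if g == sample]


def relatives_of(name, database, cutoff=0.0):
    """Records that never (or, with a positive cutoff, rarely) reach IBS 0
    with `name`: first-degree relatives at cutoff 0."""
    me = database[name]
    return sorted(other for other, g in database.items()
                  if other != name and ibs0_rate(me, g) <= cutoff)


# Synthetic population: 20 unrelated people plus the child of two of them.
freqs = [0.2 + 0.6 * rng.random() for _ in range(N_SNPS)]
database = {f"person{i}": random_genotype(freqs) for i in range(20)}
database["child"] = child_of(database["person0"], database["person1"])

if __name__ == "__main__":
    leaked = database["person7"]  # e.g. a record shared without a name attached
    print("leaked genotype belongs to:", identify(leaked, database))
    print("first-degree relatives of child:", relatives_of("child", database))
```

Exact-match lookup is the crudest form of re-identification; with real data the matcher must tolerate genotyping errors and missing calls, and relatedness is estimated from all three IBS states rather than only IBS 0, but the privacy consequence is the same: publishing a genotype, even without a name, can expose both its owner and their relatives.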

Does “Meaningful-Use” Attestation Improve Information Security Performance?

We’re pleased to announce a new THaW paper, to appear in the Workshop on the Economics of Information Security (WEIS), June 23-24, to be held at Penn State.

Juhee Kwon and M. Eric Johnson.  Meaningful Healthcare Security: Does “Meaningful-Use” Attestation Improve Information Security Performance?

Abstract:
Voluntary mechanisms are often employed to signal performance of difficult-to-observe management practices. In the healthcare sector, financial incentives linked to “meaningful-use” attestation have been a key policy initiative of the Obama administration to accelerate electronic health record (EHR) system adoption while also focusing providers on protecting sensitive healthcare data. As one of the core requirements, meaningful-use attestation requires healthcare providers to attest to having implemented security mechanisms for assessing the potential risks and vulnerabilities to their data. In this paper, we examine whether meaningful-use attestation is achieving its security objective. Using a propensity score matching technique, we analyze a matched sample of 925 U.S. hospitals. We find that external breaches motivate hospitals to pursue meaningful use and that achieving meaningful use does indeed reduce such breaches. We also find that hospitals that achieve meaningful use observe short-term increases in accidental breaches, but see longer-term reductions. These results have implications for managers and policy makers as well as researchers interested in organizational theory and quality management.

We’ll post the paper itself after the workshop.