Security and Privacy: Mobile Medical Applications
David Kotz, PhD – Dartmouth College
September 8, 2015 12pm-1pm ET
NSF CISE: Smart and Connected Health Presentation and Webcast
4201 Wilson Boulevard, Arlington VA, Room 110
Mobile medical applications offer tremendous opportunities to improve quality and access to care, reduce cost, and improve individual wellness and public health. These new technologies, whether in the form of software for smartphones as specialized devices to be worn, carried, or applied as needed, may also pose risks if they are not designed or configured with security and privacy in mind. For example, a patient’s insulin pump may accept dosage instructions from unauthorized smartphones running a spoofed application; another patient’s fertility-tracking app may be probing the Bluetooth network for its associated device, exposing her use of this app to nearby strangers. In this webinar, Dr. David Kotz presents an overview of the security and privacy challenges posed by mobile medical applications, including important open issues that require further research.
Webcast Access: https://nsf.webex.com/nsf/onstage/g.php?d=744297685&t=a
In an article in the most recent issue of the Communications of the ACM, the authors (Kotz, Fu, Gunter and Rubin) state:
The benefits of healthcare IT will be elusive if its security challenges are not adequately addressed. Security remains one of the most important concerns in a recent survey of the health and mHealth sectors, and research has illustrated the risks incurred by cyber-attacks on medical devices such as pace-makers. More than two-thirds (69%) of respondents say their organization’s IT security does not meet expectations for FDA-approved medical devices.
Privacy protection is also critical for healthcare IT; although this column focuses on security, it should be noted that many security breaches lead to disclosure of personal information and thus an impact on patient privacy.
The authors identify three critical research challenges:
- Usable authentication tools
- Trustworthy control of medical devices
- Trust through accountability
For more information on the challenges facing securing healthcare IT please see Communications of the ACM.
According to Professor Avi Rubin of Johns Hopkins University, the educational outreach program held in conjunction with the Baltimore Polytechnic Institute was successful. Despite some logistical snags, the discussions with the students were lively, and they seemed genuinely interested in the privacy implications of data aggregation. Professor Rubin and Joe Carrigan also covered some basic statistics, and spoke with the students about career paths in technology.
“PhDs Benjamin Ransford and Denis Foo Kune developed the platform which uses the “traditionally undesirable” power consumption side channel to detect malware with the accuracy of desktop anti-virus at run-time without the need to modify the hardware or software of systems.”
— Darren Pauli, 27 April 2015, The Register
To read more about Kune’s WattsUpDoc platform click here.
Professor Kevin Fu participated recently on a panel entitled, “Will Health Tech Ever Be Hack Proof?” at the New America symposium on Our Data, Our Health: The Future of Mobile Health Technology (26 March 2015). Joining Kevin to explore the personal, economic and regulatory implications of securing health related technology were Lucia Savage, Chief Privacy Officer, National Coordinator for Health IT, Alvaro Bedoya, Executive Director, Center on Privacy and Technology, Georgetown, and the panel’s moderator was Peter Singer, Strategist and Senior Fellow, New America. The video of this panel discussion can be found here.
A summary of the panel discussion described above can be found in this issue of CIO. [CIO]
Bring Your Own Device (BYOD) Practices in Healthcare– A.J. Burns and M. Eric Johnson, Vanderbilt University
Despite the many impressive technology-enabled advances in modern medicine over the past several decades, concerns over costs, reliability, and security have hindered the adoption of IT in the health sector. However, as in other industries, healthcare has seen dramatic increases in the use of personally-owned devices. In fact, 88.6 percent of those working in healthcare report using their smartphone for work. All the while, 54 percent of US organizations report that they’re unable to determine if off-site employees are using technology and informational resources in a way that addresses corporate and regulatory requirements. This lack of oversight is especially problematic for the health sector where research reveals that healthcare workers often fail to maintain basic security hygiene on their devices (e.g., 41 percent report having no password protection).
The trend toward mobile computing is radically transforming how individuals interact with IT. For example, in 2014, comScore reported that for the first time, more than half of all digital media in the US was consumed in a mobile app. In the health sector, enabled by low entry barriers and lax (often non-existent) regulation, the number of mobile health (mHealth) apps available to consumers now exceeds 100,000, with millions of total yearly downloads. Yet when it comes to these available apps, the industry provides little transparency about either the mHealth data’s security and privacy or the usage patterns among physicians and patients that have downloaded these apps. In a recent special issue on IT security in IEEE IT Professional, THaW researchers highlight emerging issues related to mobility and security in healthcare: BYOD and the mHealth application ecosystem.
Link to IEEE IT Professional publication (see pages 23-29).
Training for Information Security – A.J. Burns and M. Eric Johnson, Vanderbilt University
A.J. Burns, Vanderbilt
In today’s digital economy, the uses and users of organizational information are growing rapidly. Perhaps in no industry is this more evident than in the health sector. As the chain of custody of personal health information becomes increasingly complex, many organizations are seeking new ways to train employees to increase health data stewardship. The most common channel for organizational influence over employees’ security-related behaviors are the firm’s security education, training and awareness (SETA) initiatives, yet relatively little research has investigated theoretical approaches to understanding SETA’s motivational effectiveness.
M. Eric Johnson, Dean of the Owen School of Management
Recent research presented at the Hawaiian International Conference on Systems Sciences (HICSS 2015) provides a diagnostic approach to SETA’s influence on employee motivation through the lens of expectancy theory (also known as VIE Theory). The findings show that when it comes to motivating security behaviors, proactive and ommisive behaviors are influenced by distinct expectancy dimensions. Interestingly, expectancies (i.e., the perception that one’s effort will lead to behavior) and instrumentalities (i.e., the perception that one’s behavior will lead to a desired outcome) were positively related to information security precaution taking; while security valence (i.e., the perception that it is good to protect one’s firm from security threats) was negatively related to the withdrawal from information security-enhancing behaviors (or security psychological distancing). These results provide a framework for future study and should help organizations dealing with sensitive information develop SETA initiatives by targeting the distinct expectancy dimensions.
See the full paper at http://conferences.computer.org/hicss/2015/papers/7367d930.pdf
Dr. Avi Rubin will be the opening keynote speaker at the upcoming AMIA (American Medical Informatics Association) Annual Symposium on November 14, 2015 to be held in San Francisco, CA. Dr. Rubin will focus his remarks on the vulnerability of medical devices and electronic health record systems. For more information about the upcoming AMIA symposium – Click here.
When KQED radio needed input on the breaking news about the Anthem hacking incident, they reached out to THaW. David Kotz, PI, is quoted in this brief story on KQED: Hackers Target Anthem, Scrape Personal Data; the tagline is “California’s largest private insurer, Anthem, said on Wednesday it has been hacked. The insurer said hackers broke into databases that stored customers’ personal information such as birthdays, social security numbers and employment information.”