THaW Co-Hosts Workshop For Building Secure Connected Healthcare Organizations

pano_20161118_113707

In mid-November THaW was excited to co-host, along with the Center For Digital Strategies at the Tuck School of Business and the Owen School of Management, a workshop on building secure connected healthcare organizations.

The workshop was attended by CISOs from twelve interested healthcare organizations, as well as members of the THaW project. It provided for a day of conversation about cybersecurity best practices and challenges. Over the course of the workshop, with moderation by Eric Johnson and Hans Brechbuhl, the group touched upon a wide array of subjects; we are now happy to present some key insights and a summary of the day’s proceedings. Highlights include insights regarding phishing attacks, medical device security, and the emerging Internet of things.

Click through below to review the document, and feel free to share with your colleagues!

Overview: Building Secure Connected Healthcare Organizations

Eric Johnson talks with Paul Connelly: Healthcare Analytics and Information Security

THaW contributor Eric Johnson recently sat down with VP and CISO of Hospital Corporation of America Paul Connelly to discuss advancements in healthcare analytics and information security. Over the course of the discussion the two touch on the sheer volume of data created by HCA, and how analytics can be used to give that data value in contributing to informed decision making, while at the same time protecting patient security.

Click here, or play the embedded video above, to hear the discussion in full.

Wanda – Securely introducing mobile devices

A few months ago we announced the results of our Wanda project, as published in INFOCOM 2016.  Today we’re excited to share this new video description of the project! Thanks to Abby Starr and Shiyao Peng of Dartmouth’s DALI lab, and Tim Pierson of the THaW team, for this fun and informative production.

Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We call our approach Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.

When it Comes to Medical Device Security, the Dos Outweigh the Don’ts

THaW researchers A.J. Burns, Eric Johnson and Peter Honeyman, have compiled a compelling chronology of medical device security in their recently published article in Communications of the ACM, “A Brief Chronology of Medical Device Security” (see the THaW blog’s publication page for complete reference information and a link to the article).

The authors identify three key points relating to medical devices:

  1. Frightening language and misinformation often characterize discussions of cybersecurity and medical devices.
  2. There are always security trade-offs when designing, deploying, and maintaining medical devices.
  3. Medical devices are often not that different than other network-enabled digital devices, in terms of their vulnerability to network-based cyberattack.

The authors further identify four major periods that span the evolution of medical devices:

  1. Complex systems and accidental disasters
  2. Implantable medical devices
  3. The threat of unauthorized access
  4. Cyber threats to medical device security

The article offers a comprehensive examination of the legislative timeline and the evolving threats to information security in healthcare. They argue that “the steps we take today will largely define the future of medical device security,” and while there is a temptation to publicly wring our hands in despair over medical-device insecurity, “we must resist the temptation to sensationalize the issues…and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”

The authors conclude by challenging the medical-device community to better secure these devices:

“…it is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security…it is incumbent on our field to continue to prioritize the security of medical devices as a part of our fiduciary responsibility to act in the interests of those who rely on these life-saving devices.”

For complete reference information and a link to the article, please visit the THaW publication page.

THaW researcher, Kevin Fu, Questions Recent MedSec Findings

“For decades, there’s been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public.

But a cybersecurity firm called MedSec just upended that truce.

(https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/)

“While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive.” – ThaW researcher, Kevin Fu

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

MedSec, a medical security firm, has formed an unusual partnership with investment firm Muddy Waters to generate revenue based on MedSec infosec research. When MedSec recently found alleged faults in St. Jude’s implantable heart equipment, it alerted Muddy Waters rather than St. Jude’s as tradition normally dictates. Muddy Waters promptly issued a research report highlighting the alleged faults and shorted St. Jude’s stock, giving MedSec a portion of the proceeds from the short sale.

However, ThaW researcher, Kevin Fu, and University of Michigan colleagues attempted to replicate the MedSec research and determined that MedSec’s findings were “inconclusive”. For more information on the Michigan investigtion see –

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

This saga is far from complete, as Fu’s team continues to look into the MedSec findings.

For more information:

http://engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report

https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/

http://www.startribune.com/so-far-st-jude-medical-weathering-cybersecurity-scrutiny/392212661/

 

mHealth security and privacy – a research agenda

While mHealth has the potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health, such benefits may not be fully realized unless greater privacy and security measures are implemented, according to a new paper published in the June issue of Computer.

Professors David Kotz (Dartmouth), Carl A. Gunter (University of Illinois), Santosh Kumar (University of Memphis), and Jonathan P. Weiner (Johns Hopkins), in their paper  (Privacy and Security in Mobile Health: A Research Agenda) challenge the research community to tackle several critical challenges related to security and privacy in mHealth: data sharing and consent management; access control and authentication; confidentiality and anonymity; mHealth smartphone apps; policies and compliance; accuracy and data provenance; and security technology.

With 45 percent of Americans facing chronic disease, which accounts for 75 percent of the annual $2.6+ trillion spent on healthcare, and many developed countries facing aging populations, mobile technology can serve as a great resource to help address these problems – provided mHealth companies and other stakeholders are able to meet the privacy and security challenges associated with these technologies.

For additional information contact Professor David Kotz, the Champion International Professor in the Department of Computer Science at Dartmouth College.

The article can be found in the June issue of Computer.

Ransomware – The Latest Scourge Affecting Medical Institutions

With recent, well-publicized ransomware attacks on major medical institutions, THaW researchers have been tasked with explaining this uptick in nefarious activity. Within the last fortnight, both Kevin Fu and Avi Rubin have been interviewed concerning securing medical IT systems and ransomware specifically. Here are links to their interviews: Fu (MIT Technology Review) and Rubin (C-SPAN Washington Journal).

Dr. Lehmann joins THaW team

Please welcome Dr. Chris Lehman from Vanderbilt University to the THaW team.  Chris is Professor for Pediatrics and Biomedical Informatics at Vanderbilt University where he directs the Clinical Informatics Fellowship Program. He conceived and launched the journal Applied Medical Informatics, devoted to original research and commentary on the use of computer automation in the day-to-day practice of medicine and he served as the Editor-in-Chief since its inception. In 2009, he co-edited Pediatric Informatics, the first textbook on this subject. Dr. Lehmann served on the board of the American Medical Informatics Association from 2008 to 2013 and served two terms as the organization’s secretary. In 2010, he was inducted as a fellow into the American College of Medical Informatics, in 2014 he was elected to the American Pediatric Society, and in 2012 he became a Vice Presidents of the International Medical Informatics Association in charge of the IMIA Yearbook. In 2015, he became President-Elect of the International Medical Informatics Association. In 2010, Dr. Lehmann was appointed Medical Director of the Child Health Informatics Center for the American Academy of Pediatrics, where he was involved in developing the Model Pediatric EHR Format. Dr. Lehmann serves on the federal Health IT Policy Committee and as the chair of the Examination Committee of the American Board of Preventive Medicine, Subcommittee for Clinical Informatics.

Wanda: Securely Introducing Mobile Devices (Magically)

Wanda concept in actionTHaW PhD student, Tim Pierson, along with the Wanda team have built a ‘magic wand’ that simplifies the integration of new medical devices into existing wireless networks. A detailed description of their work is found below in the abstract to their recently accepted IEEE INFOCOM paper.

Abstract: Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.

A prepublication version is available here.

Kotz Articulates the Security Challenges of Health and Wellness

Professor Kotz, at the request of the Center for the Clinical Trials Network, presented a webinar on the 26th of January 2016. His presentation was an overview of the THaW research agenda as it relates to the security challenges faced by health care professionals.

Here is a brief synopsis of Professor Kotz’s presentation:

The Mobile medical applications offer tremendous opportunities to improve quality and access to care, reduce cost, and improve individual wellness and public health. These new technologies, whether in the form of software for smartphones as specialized devices to be worn, carried, or applied as needed, may also pose risks if they are not designed or configured with security and privacy in mind. For example, a patient’s insulin pump may accept dosage instructions from unauthorized smartphones running a spoofed application; another patient’s fertility-tracking app may be probing the Bluetooth network for its associated device, exposing her use of this app to nearby strangers. In this webinar, Dr. David Kotz presents an overview of the security and privacy challenges posed by mobile medical applications, including important open issues that require further research.

To view the entire presentation click here.