When it Comes to Medical Device Security, the Dos Outweigh the Don’ts

THaW researchers A.J. Burns, Eric Johnson and Peter Honeyman, have compiled a compelling chronology of medical device security in their recently published article in Communications of the ACM, “A Brief Chronology of Medical Device Security” (see the THaW blog’s publication page for complete reference information and a link to the article).

The authors identify three key points relating to medical devices:

  1. Frightening language and misinformation often characterize discussions of cybersecurity and medical devices.
  2. There are always security trade-offs when designing, deploying, and maintaining medical devices.
  3. Medical devices are often not that different than other network-enabled digital devices, in terms of their vulnerability to network-based cyberattack.

The authors further identify four major periods that span the evolution of medical devices:

  1. Complex systems and accidental disasters
  2. Implantable medical devices
  3. The threat of unauthorized access
  4. Cyber threats to medical device security

The article offers a comprehensive examination of the legislative timeline and the evolving threats to information security in healthcare. They argue that “the steps we take today will largely define the future of medical device security,” and while there is a temptation to publicly wring our hands in despair over medical-device insecurity, “we must resist the temptation to sensationalize the issues…and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”

The authors conclude by challenging the medical-device community to better secure these devices:

“…it is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security…it is incumbent on our field to continue to prioritize the security of medical devices as a part of our fiduciary responsibility to act in the interests of those who rely on these life-saving devices.”

For complete reference information and a link to the article, please visit the THaW publication page.

THaW researcher, Kevin Fu, Questions Recent MedSec Findings

“For decades, there’s been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public.

But a cybersecurity firm called MedSec just upended that truce.

(https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/)

“While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive.” – ThaW researcher, Kevin Fu

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

MedSec, a medical security firm, has formed an unusual partnership with investment firm Muddy Waters to generate revenue based on MedSec infosec research. When MedSec recently found alleged faults in St. Jude’s implantable heart equipment, it alerted Muddy Waters rather than St. Jude’s as tradition normally dictates. Muddy Waters promptly issued a research report highlighting the alleged faults and shorted St. Jude’s stock, giving MedSec a portion of the proceeds from the short sale.

However, ThaW researcher, Kevin Fu, and University of Michigan colleagues attempted to replicate the MedSec research and determined that MedSec’s findings were “inconclusive”. For more information on the Michigan investigtion see –

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

This saga is far from complete, as Fu’s team continues to look into the MedSec findings.

For more information:

http://engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report

https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/

http://www.startribune.com/so-far-st-jude-medical-weathering-cybersecurity-scrutiny/392212661/

 

mHealth security and privacy – a research agenda

While mHealth has the potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health, such benefits may not be fully realized unless greater privacy and security measures are implemented, according to a new paper published in the June issue of Computer.

Professors David Kotz (Dartmouth), Carl A. Gunter (University of Illinois), Santosh Kumar (University of Memphis), and Jonathan P. Weiner (Johns Hopkins), in their paper  (Privacy and Security in Mobile Health: A Research Agenda) challenge the research community to tackle several critical challenges related to security and privacy in mHealth: data sharing and consent management; access control and authentication; confidentiality and anonymity; mHealth smartphone apps; policies and compliance; accuracy and data provenance; and security technology.

With 45 percent of Americans facing chronic disease, which accounts for 75 percent of the annual $2.6+ trillion spent on healthcare, and many developed countries facing aging populations, mobile technology can serve as a great resource to help address these problems – provided mHealth companies and other stakeholders are able to meet the privacy and security challenges associated with these technologies.

For additional information contact Professor David Kotz, the Champion International Professor in the Department of Computer Science at Dartmouth College.

The article can be found in the June issue of Computer.

Ransomware – The Latest Scourge Affecting Medical Institutions

With recent, well-publicized ransomware attacks on major medical institutions, THaW researchers have been tasked with explaining this uptick in nefarious activity. Within the last fortnight, both Kevin Fu and Avi Rubin have been interviewed concerning securing medical IT systems and ransomware specifically. Here are links to their interviews: Fu (MIT Technology Review) and Rubin (C-SPAN Washington Journal).

Dr. Lehmann joins THaW team

Please welcome Dr. Chris Lehman from Vanderbilt University to the THaW team.  Chris is Professor for Pediatrics and Biomedical Informatics at Vanderbilt University where he directs the Clinical Informatics Fellowship Program. He conceived and launched the journal Applied Medical Informatics, devoted to original research and commentary on the use of computer automation in the day-to-day practice of medicine and he served as the Editor-in-Chief since its inception. In 2009, he co-edited Pediatric Informatics, the first textbook on this subject. Dr. Lehmann served on the board of the American Medical Informatics Association from 2008 to 2013 and served two terms as the organization’s secretary. In 2010, he was inducted as a fellow into the American College of Medical Informatics, in 2014 he was elected to the American Pediatric Society, and in 2012 he became a Vice Presidents of the International Medical Informatics Association in charge of the IMIA Yearbook. In 2015, he became President-Elect of the International Medical Informatics Association. In 2010, Dr. Lehmann was appointed Medical Director of the Child Health Informatics Center for the American Academy of Pediatrics, where he was involved in developing the Model Pediatric EHR Format. Dr. Lehmann serves on the federal Health IT Policy Committee and as the chair of the Examination Committee of the American Board of Preventive Medicine, Subcommittee for Clinical Informatics.

Wanda: Securely Introducing Mobile Devices (Magically)

Wanda concept in actionTHaW PhD student, Tim Pierson, along with the Wanda team have built a ‘magic wand’ that simplifies the integration of new medical devices into existing wireless networks. A detailed description of their work is found below in the abstract to their recently accepted IEEE INFOCOM paper.

Abstract: Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.

A prepublication version is available here.

Kotz Articulates the Security Challenges of Health and Wellness

Professor Kotz, at the request of the Center for the Clinical Trials Network, presented a webinar on the 26th of January 2016. His presentation was an overview of the THaW research agenda as it relates to the security challenges faced by health care professionals.

Here is a brief synopsis of Professor Kotz’s presentation:

The Mobile medical applications offer tremendous opportunities to improve quality and access to care, reduce cost, and improve individual wellness and public health. These new technologies, whether in the form of software for smartphones as specialized devices to be worn, carried, or applied as needed, may also pose risks if they are not designed or configured with security and privacy in mind. For example, a patient’s insulin pump may accept dosage instructions from unauthorized smartphones running a spoofed application; another patient’s fertility-tracking app may be probing the Bluetooth network for its associated device, exposing her use of this app to nearby strangers. In this webinar, Dr. David Kotz presents an overview of the security and privacy challenges posed by mobile medical applications, including important open issues that require further research.

To view the entire presentation click here.

A ‘Crisis’ in Healthcare Security

Recently Professor Avi Rubin was invited to speak at Enigma — a new security conference geared towards those working in both industry and research, recently launched by the USENIX Association.

According to Professor Rubin, health care information security is in crisis. In this presentation, Professor Rubin emphasizes the numerous vulnerabilities of our health care system. These vulnerabilities range from overt circumventing of security protocols to blissful ignorance of network security concerns.

Professor Rubin goes on to identify what makes cybersecurity in health care different from other fields, such as financial services. Finally, Professor Rubin offers a ‘Top Ten’ list of actions the health care community can take right now to improve the cybersecurity of health care.

Watch Rubin’s talk on YouTube.

Virtual Fitness Coach from Under Armour

“It’s fascinating, what’s happening, and very exciting,” – Avi Rubin

At the 2016 Consumer Electronic Show (CES) last week, Under Armour announced a suite of products and services relevant to THaW research topics.  Journalists sought out THaW researcher (and PI at Johns Hopkins) Avi Rubin for comment.

First the athletic wear maker unveiled its first-ever collection of fitness devices, a suite of products dubbed UA HealthBox that included a wristband, a heart-rate monitor and a Wi-Fi-enabled scale — plus a separate “smart shoe” and Bluetooth headphones. It also upgraded the UA Record application that powers those devices. … “It’s fascinating, what’s happening, and very exciting,” said Avi Rubin, a Johns Hopkins computer science professor…. (Lorraine Marbella, Baltimore Sun, January 9, 2016 [http://www.baltimoresun.com/business/under-armour-blog/bs-bz-under-armour-ibm-watson-20160109-story.html])

This is the first of many such announcements we anticipate throughout 2016. The challenge facing the THaW community is how to ensure that privacy is protected and the collected data is secure.

NSF website highlights THaW

NSF highlighted the THaW project on its website last week, gaining notice in blogs like Politico morning eHealth, the HealthITSecurity, and FierceMobileHealthcare.  NSF’s article describes THaW research on mobile-app security and on the authentication of clinical staff to clinical information systems, among other things.