THaW Project LightTouch Selected For INFOCOM

THaW Researchers Xiaohui Liang, Tianlong Yun, Ronald Peterson, and David Kotz have been researching new methods for connecting wearables to external screens. Their paper, LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent, has been accepted to INFOCOM 2017. In it, they explore a security system that uses a screen’s brightness level to ensure secure connection between screen and device. Moreover, they also address additional screen-based counter measures that can be taken to further secure the protocol. For more information and to read the paper, click the link below.

liang-lighttouch

Eric Johnson Talks with Charles Lebo: Healthcare Data Security


THaW contributor Eric Johnson’s conversations from the CISO conference continued with VP and CISO of Kindred Healthcare, Charles Lebo. The two had a conversation to discuss some of the emerging challenges of healthcare security. The topics ranged from the scope of large healthcare datasets, to the emergence of ransomware and maintaining data security.

Click here, or play the embedded video above, to hear the discussion in full.

New York Times Features THaW Research Into Acoustic Device Hacking

14SOUNDWAVE1-master768

THaW researcher Kevin Fu’s work on acoustic device hacking has recently been featured in the New York Times. The article discusses the team’s work on using acoustic signals to fool sensors in mobile device, and create the potential for security violations. For more information beyond the article, click here for a quick video, or read the complete paper below.

WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks

Interactive Map Of US Healthcare Breaches

interactive map
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires health care providers and health plans that experienced a data breach of unsecured protected health information affecting more than 500 persons to notify the U.S. Department of Health and Human Services (HHS). HHS maintains a public database of the reported breaches submitted from October 2009 to the present. THaW researchers recently constructed an interactive map to visualize the HHS database of health data breaches.

CENTURION Explores New Methods In Crowd-Sourced Data Collection

THaW researchers Haiming Jin and Klara Nahrstedt of UIUIC, in collaboration with Lu Su of SUNY Buffalo, recently had a paper accepted to IEEE INFOCOM 2017. Entitled CENTURION, the research explores the incentivization of participants in crowd sourced data collection. Notably, CENTURION rethinks the existing model of crowd sourced data collection (one consumer, one set of incentives), and instead takes the novel approach of applying a double auction model with multiple consumers and multiple incentives. The result is a system that can guarantee non-negative social welfare impact, among other benefits. To explore CENTURION further, click below.

jin-centurion

THaW Co-Hosts Workshop For Building Secure Connected Healthcare Organizations

pano_20161118_113707

In mid-November THaW was excited to co-host, along with the Center For Digital Strategies at the Tuck School of Business and the Owen School of Management, a workshop on building secure connected healthcare organizations.

The workshop was attended by CISOs from twelve interested healthcare organizations, as well as members of the THaW project. It provided for a day of conversation about cybersecurity best practices and challenges. Over the course of the workshop, with moderation by Eric Johnson and Hans Brechbuhl, the group touched upon a wide array of subjects; we are now happy to present some key insights and a summary of the day’s proceedings. Highlights include insights regarding phishing attacks, medical device security, and the emerging Internet of things.

Click through below to review the document, and feel free to share with your colleagues!

Overview: Building Secure Connected Healthcare Organizations

Eric Johnson talks with Paul Connelly: Healthcare Analytics and Information Security

THaW contributor Eric Johnson recently sat down with VP and CISO of Hospital Corporation of America Paul Connelly to discuss advancements in healthcare analytics and information security. Over the course of the discussion the two touch on the sheer volume of data created by HCA, and how analytics can be used to give that data value in contributing to informed decision making, while at the same time protecting patient security.

Click here, or play the embedded video above, to hear the discussion in full.

Wanda – Securely introducing mobile devices

A few months ago we announced the results of our Wanda project, as published in INFOCOM 2016.  Today we’re excited to share this new video description of the project! Thanks to Abby Starr and Shiyao Peng of Dartmouth’s DALI lab, and Tim Pierson of the THaW team, for this fun and informative production.

Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We call our approach Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.

When it Comes to Medical Device Security, the Dos Outweigh the Don’ts

THaW researchers A.J. Burns, Eric Johnson and Peter Honeyman, have compiled a compelling chronology of medical device security in their recently published article in Communications of the ACM, “A Brief Chronology of Medical Device Security” (see the THaW blog’s publication page for complete reference information and a link to the article).

The authors identify three key points relating to medical devices:

  1. Frightening language and misinformation often characterize discussions of cybersecurity and medical devices.
  2. There are always security trade-offs when designing, deploying, and maintaining medical devices.
  3. Medical devices are often not that different than other network-enabled digital devices, in terms of their vulnerability to network-based cyberattack.

The authors further identify four major periods that span the evolution of medical devices:

  1. Complex systems and accidental disasters
  2. Implantable medical devices
  3. The threat of unauthorized access
  4. Cyber threats to medical device security

The article offers a comprehensive examination of the legislative timeline and the evolving threats to information security in healthcare. They argue that “the steps we take today will largely define the future of medical device security,” and while there is a temptation to publicly wring our hands in despair over medical-device insecurity, “we must resist the temptation to sensationalize the issues…and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”

The authors conclude by challenging the medical-device community to better secure these devices:

“…it is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security…it is incumbent on our field to continue to prioritize the security of medical devices as a part of our fiduciary responsibility to act in the interests of those who rely on these life-saving devices.”

For complete reference information and a link to the article, please visit the THaW publication page.

THaW researcher, Kevin Fu, Questions Recent MedSec Findings

“For decades, there’s been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public.

But a cybersecurity firm called MedSec just upended that truce.

(https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/)

“While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive.” – ThaW researcher, Kevin Fu

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

MedSec, a medical security firm, has formed an unusual partnership with investment firm Muddy Waters to generate revenue based on MedSec infosec research. When MedSec recently found alleged faults in St. Jude’s implantable heart equipment, it alerted Muddy Waters rather than St. Jude’s as tradition normally dictates. Muddy Waters promptly issued a research report highlighting the alleged faults and shorted St. Jude’s stock, giving MedSec a portion of the proceeds from the short sale.

However, ThaW researcher, Kevin Fu, and University of Michigan colleagues attempted to replicate the MedSec research and determined that MedSec’s findings were “inconclusive”. For more information on the Michigan investigtion see –

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

This saga is far from complete, as Fu’s team continues to look into the MedSec findings.

For more information:

http://engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report

https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/

http://www.startribune.com/so-far-st-jude-medical-weathering-cybersecurity-scrutiny/392212661/