Monthly Archives: March 2015

Will Health Tech Ever Be Hack Proof?

Posted on by
Reply

Professor Kevin Fu participated recently on a panel entitled, “Will Health Tech Ever Be Hack Proof?” at the New America symposium on Our Data, Our Health: The Future of Mobile Health Technology (26 March 2015). Joining Kevin to explore the personal, economic and regulatory implications of securing health related technology were Lucia Savage, Chief Privacy Officer, National Coordinator for Health IT, Alvaro Bedoya, Executive Director, Center on Privacy and Technology, Georgetown, and the panel’s moderator was Peter Singer, Strategist and Senior Fellow, New America. The video of this panel discussion can be found here.

A summary of the panel discussion described above can be found in this issue of CIO. [CIO]

THaW Researchers Highlight Emerging Issues Related to Mobility and Security in Healthcare

Posted on by
Reply

Bring Your Own Device (BYOD) Practices in Healthcare– A.J. Burns and M. Eric Johnson, Vanderbilt University

Despite the many impressive technology-enabled advances in modern medicine over the past several decades, concerns over costs, reliability, and security have hindered the adoption of IT in the health sector. However, as in other industries, healthcare has seen dramatic increases in the use of personally-owned devices. In fact, 88.6 percent of those working in healthcare report using their smartphone for work. All the while, 54 percent of US organizations report that they’re unable to determine if off-site employees are using technology and informational resources in a way that addresses corporate and regulatory requirements. This lack of oversight is especially problematic for the health sector where research reveals that healthcare workers often fail to maintain basic security hygiene on their devices (e.g., 41 percent report having no password protection).

The trend toward mobile computing is radically transforming how individuals interact with IT. For example, in 2014, comScore reported that for the first time, more than half of all digital media in the US was consumed in a mobile app. In the health sector, enabled by low entry barriers and lax (often non-existent) regulation, the number of mobile health (mHealth) apps available to consumers now exceeds 100,000, with millions of total yearly downloads. Yet when it comes to these available apps, the industry provides little transparency about either the mHealth data’s security and privacy or the usage patterns among physicians and patients that have downloaded these apps. In a recent special issue on IT security in IEEE IT Professional, THaW researchers highlight emerging issues related to mobility and security in healthcare: BYOD and the mHealth application ecosystem.

Link to IEEE IT Professional publication (see pages 23-29).

What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources

Posted on by
Reply

Soteris Demetriou, Xiaoyong Zhou, Muhammad Naveed, Yeonjoon Lee, Kan Yuan, XiaoFeng Wang, and Carl A Gunter

The pervasiveness of security-critical external re- sources (e.g accessories, online services) poses new challenges to Android security. In prior research we revealed that given the BLUETOOTH and BLUETOOTH_ADMIN permissions, a malicious app on an authorized phone gains unfettered access to any Bluetooth device (e.g., Blood Glucose meter, etc.). Here we further show that sensitive text messages from online banking services and social networks (account balance, password reset links, etc.) are completely exposed to any app with either the RECEIVE_SMS or the READ_SMS permission. Similar security risks are present in other channels (Internet, Audio and NFC) extensively used to connect the phone to assorted external devices or services. Fun- damentally, the current permission-based Discretionary Access Control (DAC) and SEAndroid-based Mandatory Access Control (MAC) are too coarse-grained to protect those resources: whoever gets the permission to use a channel is automatically allowed to access all resources attached to it.

To address this challenge, we present in this paper SEACAT, a new security system for fine-grained, flexible protection on external resources. SEACAT supports both MAC and DAC, and integrates their enforcement mechanisms across the Android middleware and the Linux kernel. It extends SEAndroid for specifying policies on external resources, and also hosts a DAC policy base. Both sets of policies are managed under the same policy engine and Access Vector Cache that support policy checks within the security hooks distributed across the framework and the Linux kernel layers, over different channels. This integrated security model was carefully designed to ensure that misconfig- ured DAC policies will not affect the enforcement of MAC policies, which manufacturers and system administrators can leverage to define their security rules. In the meantime, a policy management service is offered to the ordinary Android users for setting policies that protect the resources provided by the third party. This service translates simple user selections into SELinux-compatible policies in the background. Our implementation is capable of thwarting all known attacks on external resources at a negligible performance cost.

Link to NDSS paper