Klara Nahrstedt honored

ACM SIGMOBILE’s group N2Women announced today its inaugural list of “10 women in networking/communications that you should know”, including THaW co-PI Klara Nahrstedt from UIUC.  She is in impressive company – details on these ten amazing women, as well as quotes from the many people who nominated these women, are available at the link below.

http://sites.ieee.org/com-n2women/files/2015/12/Top10-20151.pdf

Congratulations to Professor Klara Nahrstedt!

Future Computer Science & Engineering Grad Students

It made it seem a lot more fun and engaging of a pursuit. The consensus in the student panel seemed to be that it was very difficult but well worth it.

 Student participant, Explore Graduate Studies in CSE Workshop

 

Launched by Prof. Kevin Fu in November 2014 and co-led by Profs. Jenna Wiens and David Kotz in 2015, THaW professors and students led two workshops in October 2015 on “Exploring Graduate Study in CS and Engineering”. These workshops targeted undergraduate students, primarily juniors and seniors, majoring in Computer Science or related fields. The workshops aimed to educate students about the potential for an exciting career in CS&E research, either in academia or industry, and to coach them in effective ways to prepare their graduate school application.

Both the University of Michigan and Dartmouth College hosted one-day workshops that were open to students from around the country.  A diverse set of more than 60 students enjoyed

  • an overview of the exciting research underway at the two schools,
  • Q&A panels of faculty and current graduate students,
  • a writing clinic with tips and tricks for preparing their academic statement of purpose, and
  • one-on-one advising by professors.

Survey results show that students overwhelmingly found the workshops to be helpful in thinking about their career options. Several students mentioned that the workshops increased their overall interest in pursuing graduate studies in CSE. The workshops were funded by the NSF through the THaW grant, by Dartmouth, and by the University of Michigan.

Evaluation of ECG-Based Protocols in the Real World (on-going research)

Researchers: Professor Avi Rubin, Michael Rushanan – Johns Hopkins University

After some researchers proposed the use of electrocardiograms (ECG) as a source of biometric information for secure authentication and identification of individuals, THaW Professor Rubin and graduate student Michael Rushanan set out to test this assumption by extending work done at MIT on the post-processing of ECG data.

Their research grew out of concern with the proliferation of implantable medical devices and how to secure these devices against external network-based attacks.

Commercial companies have built their businesses upon the unique nature of ECG data. Most of the current applications have been focused on the supposed uniqueness of ECG as a biometric identifier for use in commercial transactions. Rubin and Rushanan set out to determine whether a person’s ECG really is a secure and reliable means of identification and authentication.

The ECG example below uses three different electrode placements and IPI peak identification. The purpose of this experiment was to validate whether the authentication scheme under test works in the slightly noisy, but expected, conditions of experiments that require physical contact.

Rushanan identified temporal granularity as their biggest research challenge and expects his first research results to be available in the coming months.

Rushanan ECG Graph

THaW researchers help secure the Precision Medicine Initiative

Earlier this year, President Obama presented a plan to launch the Precision Medicine Initiative (PMI), an ambitious research effort to recruit over one million participants in a long-term effort to understand the individual characteristics of health and disease. The research effort will aggregate clinical data as well as behavioral and environmental data – including, potentially, sensor data from smartphones and wearables – which will, needless to say, require careful security precautions and wise privacy policies.

The PMI advisory board invited THaW researcher David Kotz to a summer workshop on the potential for mobile technology in collecting data for PMI, and specifically to comment on mechanisms to support privacy.  The PMI’s proposed Privacy and Trust Principles are an interesting read! [pdf]

Today, the White House Office of Science and Technology Policy (OSTP) gathered a dozen thought leaders – including THaW team members Darren Lacey and David Kotz – to advise them as they begin developing a security framework for the Precision Medicine Initiative.  This fascinating discussion was led by Chief Data Scientist DJ Patil, and is just the first step in developing a comprehensive security framework for this important national research initiative.

THaW webinar – September 8 at NSF

Security and Privacy: Mobile Medical Applications
David Kotz, PhD – Dartmouth College

September 8, 2015      12pm-1pm ET

NSF CISE: Smart and Connected Health Presentation and Webcast
4201 Wilson Boulevard, Arlington VA, Room 110

Mobile medical applications offer tremendous opportunities to improve quality and access to care, reduce cost, and improve individual wellness and public health. These new technologies, whether in the form of software for smartphones or as specialized devices to be worn, carried, or applied as needed, may also pose risks if they are not designed or configured with security and privacy in mind. For example, a patient’s insulin pump may accept dosage instructions from unauthorized smartphones running a spoofed application; another patient’s fertility-tracking app may be probing the Bluetooth network for its associated device, exposing her use of this app to nearby strangers. In this webinar, Dr. David Kotz presents an overview of the security and privacy challenges posed by mobile medical applications, including important open issues that require further research.

 Webcast Access:  https://nsf.webex.com/nsf/onstage/g.php?d=744297685&t=a

THaW Educational Outreach at Baltimore Polytechnic Institute

According to Professor Avi Rubin of Johns Hopkins University, the educational outreach program held in conjunction with the Baltimore Polytechnic Institute was successful. Despite some logistical snags, the discussions with the students were lively, and they seemed genuinely interested in the privacy implications of data aggregation. Professor Rubin and Joe Carrigan also covered some basic statistics, and spoke with the students about career paths in technology.

THaW goes to India

THaW PI David Kotz presented a keynote talk at the Workshop on Networked Healthcare Technologies (NetHealth) today in Bangalore, India. This talk provided an overview of the economic and technical trends leading to the THaW project, a summary of a few THaW projects underway, and a research agenda for security and privacy in healthcare IT. The talk was well received and was a wonderful opportunity for interchange of ideas in both the US and India contexts.

A ‘building code’ for building secure code in medical devices

Carl Landwehr

Last month, a broad mix of experts assembled by THaW researcher Carl Landwehr convened in New Orleans to begin drafting a “building code” for medical-device software.  They’ve just released their report, and there is already talk about taking some of these ideas into the various standards bodies. Check out their report and feel free to leave comments on their site.  — dave

THaW at the mHealth Privacy & Security Symposium

Perhaps the largest annual event related to mHealth is the mHealth Summit, held near Washington DC.  Today, the summit kicked off with a Privacy & Security Symposium, including a panel on Medical Device Security anchored by both Kevin Fu and Darren Lacey from the THaW team.  Kevin, Darren and the other panelists spoke about some of the security concerns that medical devices pose for patients, clinicians, and hospitals.  The audience brought together a broad mix of medical practitioners, device and software vendors, security professionals, and computer scientists.

Kevin Fu and Darren Lacey at the center of a panel session at the mHealth Summit.

Constructing a ‘building code’ for medical device software security

The following summary of the recent ‘building code’ workshop, sponsored in part by THaW and held on November 19-21, 2014, is provided by Dr. Carl Landwehr:

Forty people with diverse backgrounds in medical device software development, standards, regulation, security, and software engineering met in New Orleans November 19-21 with the goal of constructing a “building code” for medical device software security and a related research agenda. The workshop was sponsored by the National Science Foundation through both the Trustworthy Health and Wellness (THaW) center and a separate workshop grant to George Washington University’s Cyber Security Policy and Research Institute (CSPRI) as well as the IEEE Computer Society’s Cybersecurity initiative.

The idea of exploiting the building code metaphor originated with THaW’s Carl Landwehr, who organized the meeting with the help of a Steering Group that included THaW leadership as well as several others from the worlds of medical devices, software engineering, and security. Tom Haigh, recently retired from Adventium, served as Vice-Chair.

Building codes for physical structures grow out of industry and professional society groups – suppliers, builders and architects – rather than from government, although adoption of codes by government provides the legal basis for enforcement.  Building codes generally apply to designs, building processes, and the finished product. Code enforcement relies on inspections of structures during construction and of the finished product and also on certification of the skills of the participants in the design, construction, and inspection processes. Inspectors must be knowledgeable and skilled, but the training requirement is not burdensome, and decisions as to whether a building meets the code or not are typically straightforward. Codes also take account of different domains of use of structures: code requirements for single-family dwellings differ from those for public buildings, for example. Although building codes arose largely from safety considerations (e.g. reducing the risk of widespread damage to cities from fires, hurricanes, or earthquakes), security from malicious attack has also motivated some aspects of building codes.

The workshop aimed to develop an analog to building codes focused on the security properties of software rather than the structure and characteristics of physical buildings.  The objective of this code for software security is to increase assurance that software developed for the domain of medical devices will be free of many of the security vulnerabilities that plague software generally.  Evidence to date is that a large fraction of exploitable security flaws are not design flaws but rather implementation flaws. An initial building code for medical device software security could focus on assuring that the final software that operates the device is free of these kinds of flaws, although it could address aspects of the development process as well.  For example, the code might specify that modules written in a language that permits buffer overflows be subject to particular inspection or testing requirements, while modules written in type-safe languages might require a lesser degree of testing but a stronger inspection of components that translate the source language to executable form.

About 35 separate items were proposed for inclusion in an initial draft building code. Although the final report is still in development, only about half of these elements are likely to be included in the consensus version of the code.

Several participants in the workshop who are active in related standards bodies and professional societies have indicated an interest in moving the code forward in those groups.