THaW researchers are showing off some cool research at this week’s MobiSys conference in Niagara Falls, with three papers at MobiSys workshops and a poster in the poster session.
- Aarathi Prasad and David Kotz. ENACT: Encounter-based Architecture for Contact Tracing. In ACM Workshop on Physical Analytics (WPA), pages 37-42, June 2017. ACM Press. DOI 10.1145/3092305.3092310.
- Rui Liu, Reza Rawassizadeh, and David Kotz. Toward Accurate and Efficient Feature Selection for Speaker Recognition on Wearables. InProceedings of the ACM Workshop on Wearable Systems and Applications (WearSys), pages 41-46, 2017. ACM Press. DOI 10.1145/3089351.3089352.
- Rui Liu, Cory Cornelius, Reza Rawassizadeh, Ron Peterson, and David Kotz. Poster: Vocal Resonance as a Passive Biometric. In Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), pages 160, 2017. ACM Press. DOI 10.1145/3081333.3089304.
- Xiaohui Liang and David Kotz. AuthoRing: Wearable User-presence Authentication. In Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys), pages 5-10, 2017. ACM Press. DOI 10.1145/3089351.3089357.
THaW Researchers Xiaohui Liang, Tianlong Yun, Ronald Peterson, and David Kotz have been researching new methods for connecting wearables to external screens. Their paper, LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent, has been accepted to INFOCOM 2017. In it, they explore a security system that uses a screen’s brightness level to ensure secure connection between screen and device. Moreover, they also address additional screen-based counter measures that can be taken to further secure the protocol. For more information and to read the paper, click the link below.
THaW researcher Kevin Fu’s work on acoustic device hacking has recently been featured in the New York Times. The article discusses the team’s work on using acoustic signals to fool sensors in mobile device, and create the potential for security violations. For more information beyond the article, click here for a quick video, or read the complete paper below.
WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks
THaW researchers Haiming Jin and Klara Nahrstedt of UIUIC, in collaboration with Lu Su of SUNY Buffalo, recently had a paper accepted to IEEE INFOCOM 2017. Entitled CENTURION, the research explores the incentivization of participants in crowd sourced data collection. Notably, CENTURION rethinks the existing model of crowd sourced data collection (one consumer, one set of incentives), and instead takes the novel approach of applying a double auction model with multiple consumers and multiple incentives. The result is a system that can guarantee non-negative social welfare impact, among other benefits. To explore CENTURION further, click below.
THaW PhD student, Tim Pierson, along with the Wanda team have built a ‘magic wand’ that simplifies the integration of new medical devices into existing wireless networks. A detailed description of their work is found below in the abstract to their recently accepted IEEE INFOCOM paper.
Abstract: Nearly every setting is increasingly populated with wireless and mobile devices – whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda – a `magic wand’ that accomplishes all three of the above goals – and evaluate a prototype implementation.
A prepublication version is available here.
Enormous numbers of mobile health applications (mHealth apps) developed recently on mobile devices (e.g. smart-phones, tablets, etc.) have enabled health status (e.g. sleep quality, heart rate, etc.) monitoring that is readily accessible to average mobile device users. Typically, such mHealth apps involve active usage of mobile device resources, such as on-board sensors, network bandwidth, etc. The rapid increase of these applications prompted the US FDA agency to put in place regulations on mHealth app risk assessment. But these existing and upcoming regulations have not yet been accompanied by a mobile auditing framework, which provides real-time monitoring of mHealth apps’ resource usage and triggers alerts to users if abnormal resource usage patterns are detected.
In this project, we develop a mobile auditing framework shown in the figure to the left (mAuditor Framework). The mAuditor runs as a separate process along with mHealth apps and other general purpose apps (e.g. Facebook, Gmail, etc.). The mAuditor consists of the profiler and the analyzer. The profiler collects the system trace and parse the trace if needed. The parsed trace is utilized by the analyzer, which analyzes the resource usage patterns and compare them with predefined configurations. mAuditor with its low-overhead and non-obtrusive design, monitors mHealth apps’ resource usage patterns in real-time and triggers alerts to users if abnormal resource usage patterns are detected.
This work is being spearheaded by Haiming Jin and supported by his colleagues at UIUC, Ting-yu Wang and Klara Nahrstedt.
In an article in the most recent issue of the Communications of the ACM, the authors (Kotz, Fu, Gunter and Rubin) state:
The benefits of healthcare IT will be elusive if its security challenges are not adequately addressed. Security remains one of the most important concerns in a recent survey of the health and mHealth sectors, and research has illustrated the risks incurred by cyber-attacks on medical devices such as pace-makers. More than two-thirds (69%) of respondents say their organization’s IT security does not meet expectations for FDA-approved medical devices.
Privacy protection is also critical for healthcare IT; although this column focuses on security, it should be noted that many security breaches lead to disclosure of personal information and thus an impact on patient privacy.
The authors identify three critical research challenges:
- Usable authentication tools
- Trustworthy control of medical devices
- Trust through accountability
For more information on the challenges facing securing healthcare IT please see Communications of the ACM.
Bring Your Own Device (BYOD) Practices in Healthcare– A.J. Burns and M. Eric Johnson, Vanderbilt University
Despite the many impressive technology-enabled advances in modern medicine over the past several decades, concerns over costs, reliability, and security have hindered the adoption of IT in the health sector. However, as in other industries, healthcare has seen dramatic increases in the use of personally-owned devices. In fact, 88.6 percent of those working in healthcare report using their smartphone for work. All the while, 54 percent of US organizations report that they’re unable to determine if off-site employees are using technology and informational resources in a way that addresses corporate and regulatory requirements. This lack of oversight is especially problematic for the health sector where research reveals that healthcare workers often fail to maintain basic security hygiene on their devices (e.g., 41 percent report having no password protection).
The trend toward mobile computing is radically transforming how individuals interact with IT. For example, in 2014, comScore reported that for the first time, more than half of all digital media in the US was consumed in a mobile app. In the health sector, enabled by low entry barriers and lax (often non-existent) regulation, the number of mobile health (mHealth) apps available to consumers now exceeds 100,000, with millions of total yearly downloads. Yet when it comes to these available apps, the industry provides little transparency about either the mHealth data’s security and privacy or the usage patterns among physicians and patients that have downloaded these apps. In a recent special issue on IT security in IEEE IT Professional, THaW researchers highlight emerging issues related to mobility and security in healthcare: BYOD and the mHealth application ecosystem.
Link to IEEE IT Professional publication (see pages 23-29).
THaW professor Eric Johnson (Vanderbilt) recently presented a new paper at the Conference on Information Systems and Technology (CIST), a division of INFORMS.
See the video abstract. A full version of the paper is under review at a journal.
Meaningful healthcare security: Does “Meaningful-use” attestation improve information security performance?
Juhee Kwon and M. Eric Johnson
Certification mechanisms are often employed to signal performance of difficult-to-observe management practices. In the healthcare sector, financial incentives linked to “meaningful-use” attestation have been a key policy initiative of the Obama administration to accelerate electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. Given the rapid push for safe digitization of patient data, this study examines how hospital attestation influences the occurrence of subsequent data breaches and also how breach performance is associated with penalties from prior breaches. Using a propensity score matching technique combined with a difference-in-differences approach, we analyze a matched sample of 869 U.S. hospitals. We find that hospitals that attest to having reached Stage-1 meaningful-use standards observe reduced external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches, but eventually see longer-term reductions. We do not find any link between malicious internal breaches and attestation. Further, we find that the interaction between meaningful-use attestation (carrot) and prior failure resulting in penalties (stick) enhances short-term reductions of accidental internal and external breaches. Our findings offer both theoretical and practical insights into the effective design of certification mechanisms and breach regulations.