Professor Kevin Fu appointed Acting Director of Medical Device Cybersecurity at the U.S. FDA Center for Devices and Radiological Health (CDRH)

Kevin Fu, THaW PI from the University of Michigan, is heading to Washington D.C. for a one-year term as Acting Director of Medical Device Cybersecurity at the U.S. FDA Center for Devices and Radiological Health (CDRH). This role includes an appointment with the Digital Health Center of Excellence (DHCoE).The DHCoE fosters responsible and high-quality digital health innovation.

To learn more about the role, Professor Fu’s numerous achievements in the cross-section of health technologies and cybersecurity, as well as his other notable contributions, check out the University of Michigan’s official press release here.

Congratulations, Professor Fu!

Cybersecurity and Privacy Implications of Contact Tracing

Two THaW researchers participated as panelists in a recent online panel discussion about contact tracing, with an emphasis on the security and privacy aspects. The video is now available.

“The coronavirus pandemic has highlighted the need for contact tracing, an effort to retroactively discover and inform all the persons who had recent contact with an infected person. Traditional methods are labor-intensive and inherently limited by human memory. Smartphone apps have been proposed to proactively record contacts, for retrospective notifications to those who may have been proximate to someone later discovered to be infected. There are, however, inherent privacy and cybersecurity risks posed by such technologies, and the same technologies could be abused for purposes other than public health. It is thus essential for contact tracing technologies to be designed and deployed with the utmost care and transparency.”

THaW work on contact tracing

Early THaW research on contact tracing is finding new relevance as groups across the US and around the world scramble to develop privacy-preserving contact-tracing apps.  Notable app efforts include DP-3TPEPP-PT, and SafePaths.  All of those efforts focus on privacy-preserving apps for retrospective notification of persons who may have had “contact” with a person later determined to be ill with an infectious disease, where “contact” occurs when spending time in close proximity to the infected person.  THaW student Aarathi Prasad went further, devising a system that could also detect “close encounters”, e.g., for those who may have visited a place soon after the infected person left.  Some diseases, including perhaps the coronavirus, can linger in the air or on surfaces for hours.

The lead author on THaW’s work, Aarathi Prasad, is now a professor at Skidmore College, which just posted an extended story about her work. Her work was originally published in the paper below.

Aarathi Prasad and David Kotz. ENACT: Encounter-based Architecture for Contact Tracing. Proceedings of the ACM Workshop on Physical Analytics (WPA), pages 37–42. ACM Press, June 2017. doi:10.1145/3092305.3092310. ©Copyright ACM.

Abstract: Location-based sharing services allow people to connect with others who are near them, or with whom they shared a past encounter. Suppose it were also possible to connect with people who were at the same location but at a different time – we define this scenario as a close encounter, i.e., an incident of spatial and temporal proximity. By detecting close encounters, a person infected with a contagious disease could alert others to whom they may have spread the virus. We designed a smartphone-based system that allows people infected with a contagious virus to send alerts to other users who may have been exposed to the same virus due to a close encounter. We address three challenges: finding devices in close encounters with minimal changes to existing infrastructure, ensuring authenticity of alerts, and protecting privacy of all users. Finally, we also consider the challenges of a real-world deployment.

IEEE recognizes THaW researcher for establishing field of medical device security

Professor Kevin Fu’s 2008 paper called “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses” has received the inaugural IEEE Security and Privacy “Test of Time” Award:  http://eecs.umich.edu/eecs/about/articles/2019/fu-test-of-time.html 

The paper was been recognized from a pool of submissions spanning 40 years with the inaugural IEEE Security and Privacy Test of Time Award, and its impact can be felt in every corner of the medical devices industry.

In the 11 years since the paper’s publication, Fu and others in his field have worked on solutions. Many of these have been technical, but most of the larger impact the paper has had has been in leadership.

“A lot of it is about community building and standards development,” Fu says, “which is sometimes a foreign concept in academia. But it’s really important to industry.”

Kevin Fu Named As IEEE Fellow

Wei LuTHaW leader Kevin Fu was recently named a fellow by the Institute of Electrical and Electronics Engineers (IEEE) for his contributions to embedded and medical device security. The honor comes as part of the 2018 class, and  is “a distinction reserved for select IEEE members whose extraordinary accomplishments in any of the IEEE fields of interest are deemed fitting of this prestigious grade elevation”. To read more about Kevin’s award and accomplishments, click through below.

Kevin Fu Elected IEEE Fellow for Contributions to Embedded and Medical Device Security

A ‘Crisis’ in Healthcare Security

Recently Professor Avi Rubin was invited to speak at Enigma — a new security conference geared towards those working in both industry and research, recently launched by the USENIX Association.

According to Professor Rubin, health care information security is in crisis. In this presentation, Professor Rubin emphasizes the numerous vulnerabilities of our health care system. These vulnerabilities range from overt circumventing of security protocols to blissful ignorance of network security concerns.

Professor Rubin goes on to identify what makes cybersecurity in health care different from other fields, such as financial services. Finally, Professor Rubin offers a ‘Top Ten’ list of actions the health care community can take right now to improve the cybersecurity of health care.

Watch Rubin’s talk on YouTube.

Virtual Fitness Coach from Under Armour

“It’s fascinating, what’s happening, and very exciting,” – Avi Rubin

At the 2016 Consumer Electronic Show (CES) last week, Under Armour announced a suite of products and services relevant to THaW research topics.  Journalists sought out THaW researcher (and PI at Johns Hopkins) Avi Rubin for comment.

First the athletic wear maker unveiled its first-ever collection of fitness devices, a suite of products dubbed UA HealthBox that included a wristband, a heart-rate monitor and a Wi-Fi-enabled scale — plus a separate “smart shoe” and Bluetooth headphones. It also upgraded the UA Record application that powers those devices. … “It’s fascinating, what’s happening, and very exciting,” said Avi Rubin, a Johns Hopkins computer science professor…. (Lorraine Marbella, Baltimore Sun, January 9, 2016 [http://www.baltimoresun.com/business/under-armour-blog/bs-bz-under-armour-ibm-watson-20160109-story.html])

This is the first of many such announcements we anticipate throughout 2016. The challenge facing the THaW community is how to ensure that privacy is protected and the collected data is secure.

Securing Healthcare IT Needs To Step Up Its Game…

Professor Avi Rubin (Johns Hopkins University) decries the lack of cybersecurity awareness and activity in the healthcare IT sector. “Of all the industries I’ve seen, healthcare seems to be the most behind in terms of securing their IT.” To read the rest of the Professor Rubin’s interview click here.

Former THaW Postdoc Denis Foo Kune Has a New Company to Protect Medical Devices from Malware

“PhDs Benjamin Ransford and Denis Foo Kune developed the platform which uses the “traditionally undesirable” power consumption side channel to detect malware with the accuracy of desktop anti-virus at run-time without the need to modify the hardware or software of systems.”

To read more about Kune’s WattsUpDoc platform click here.

Will Health Tech Ever Be Hack Proof?

Professor Kevin Fu participated recently on a panel entitled, “Will Health Tech Ever Be Hack Proof?” at the New America symposium on Our Data, Our Health: The Future of Mobile Health Technology (26 March 2015). Joining Kevin to explore the personal, economic and regulatory implications of securing health related technology were Lucia Savage, Chief Privacy Officer, National Coordinator for Health IT, Alvaro Bedoya, Executive Director, Center on Privacy and Technology, Georgetown, and the panel’s moderator was Peter Singer, Strategist and Senior Fellow, New America. The video of this panel discussion can be found here.

A summary of the panel discussion described above can be found in this issue of CIO. [CIO]