Kevin Fu Discusses The Challenges of Ransomware

THaW researcher Kevin Fu recently joined his colleague Harold Thimbleby to discuss the challenges and obstacles created by ransomware. Read their comprehensive assessment of the problem, as well as possible solutions, at the link below.

HealthcareITNews — Ransomware:
 How we can climb out of this mess

Eric Johnson Talks with Charles Lebo: Healthcare Data Security


THaW contributor Eric Johnson’s conversations from the CISO conference continued with VP and CISO of Kindred Healthcare, Charles Lebo. The two had a conversation to discuss some of the emerging challenges of healthcare security. The topics ranged from the scope of large healthcare datasets, to the emergence of ransomware and maintaining data security.

Click here, or play the embedded video above, to hear the discussion in full.

Interactive Map Of US Healthcare Breaches

interactive map
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires health care providers and health plans that experienced a data breach of unsecured protected health information affecting more than 500 persons to notify the U.S. Department of Health and Human Services (HHS). HHS maintains a public database of the reported breaches submitted from October 2009 to the present. THaW researchers recently constructed an interactive map to visualize the HHS database of health data breaches.

When it Comes to Medical Device Security, the Dos Outweigh the Don’ts

THaW researchers A.J. Burns, Eric Johnson and Peter Honeyman, have compiled a compelling chronology of medical device security in their recently published article in Communications of the ACM, “A Brief Chronology of Medical Device Security” (see the THaW blog’s publication page for complete reference information and a link to the article).

The authors identify three key points relating to medical devices:

  1. Frightening language and misinformation often characterize discussions of cybersecurity and medical devices.
  2. There are always security trade-offs when designing, deploying, and maintaining medical devices.
  3. Medical devices are often not that different than other network-enabled digital devices, in terms of their vulnerability to network-based cyberattack.

The authors further identify four major periods that span the evolution of medical devices:

  1. Complex systems and accidental disasters
  2. Implantable medical devices
  3. The threat of unauthorized access
  4. Cyber threats to medical device security

The article offers a comprehensive examination of the legislative timeline and the evolving threats to information security in healthcare. They argue that “the steps we take today will largely define the future of medical device security,” and while there is a temptation to publicly wring our hands in despair over medical-device insecurity, “we must resist the temptation to sensationalize the issues…and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”

The authors conclude by challenging the medical-device community to better secure these devices:

“…it is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security…it is incumbent on our field to continue to prioritize the security of medical devices as a part of our fiduciary responsibility to act in the interests of those who rely on these life-saving devices.”

For complete reference information and a link to the article, please visit the THaW publication page.

THaW researcher, Kevin Fu, Questions Recent MedSec Findings

“For decades, there’s been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public.

But a cybersecurity firm called MedSec just upended that truce.

(https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/)

“While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive.” – ThaW researcher, Kevin Fu

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

MedSec, a medical security firm, has formed an unusual partnership with investment firm Muddy Waters to generate revenue based on MedSec infosec research. When MedSec recently found alleged faults in St. Jude’s implantable heart equipment, it alerted Muddy Waters rather than St. Jude’s as tradition normally dictates. Muddy Waters promptly issued a research report highlighting the alleged faults and shorted St. Jude’s stock, giving MedSec a portion of the proceeds from the short sale.

However, ThaW researcher, Kevin Fu, and University of Michigan colleagues attempted to replicate the MedSec research and determined that MedSec’s findings were “inconclusive”. For more information on the Michigan investigtion see –

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

This saga is far from complete, as Fu’s team continues to look into the MedSec findings.

For more information:

http://engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report

https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/

http://www.startribune.com/so-far-st-jude-medical-weathering-cybersecurity-scrutiny/392212661/

 

mHealth security and privacy – a research agenda

While mHealth has the potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health, such benefits may not be fully realized unless greater privacy and security measures are implemented, according to a new paper published in the June issue of Computer.

Professors David Kotz (Dartmouth), Carl A. Gunter (University of Illinois), Santosh Kumar (University of Memphis), and Jonathan P. Weiner (Johns Hopkins), in their paper  (Privacy and Security in Mobile Health: A Research Agenda) challenge the research community to tackle several critical challenges related to security and privacy in mHealth: data sharing and consent management; access control and authentication; confidentiality and anonymity; mHealth smartphone apps; policies and compliance; accuracy and data provenance; and security technology.

With 45 percent of Americans facing chronic disease, which accounts for 75 percent of the annual $2.6+ trillion spent on healthcare, and many developed countries facing aging populations, mobile technology can serve as a great resource to help address these problems – provided mHealth companies and other stakeholders are able to meet the privacy and security challenges associated with these technologies.

For additional information contact Professor David Kotz, the Champion International Professor in the Department of Computer Science at Dartmouth College.

The article can be found in the June issue of Computer.

Ransomware – The Latest Scourge Affecting Medical Institutions

With recent, well-publicized ransomware attacks on major medical institutions, THaW researchers have been tasked with explaining this uptick in nefarious activity. Within the last fortnight, both Kevin Fu and Avi Rubin have been interviewed concerning securing medical IT systems and ransomware specifically. Here are links to their interviews: Fu (MIT Technology Review) and Rubin (C-SPAN Washington Journal).

Dr. Lehmann joins THaW team

Please welcome Dr. Chris Lehman from Vanderbilt University to the THaW team.  Chris is Professor for Pediatrics and Biomedical Informatics at Vanderbilt University where he directs the Clinical Informatics Fellowship Program. He conceived and launched the journal Applied Medical Informatics, devoted to original research and commentary on the use of computer automation in the day-to-day practice of medicine and he served as the Editor-in-Chief since its inception. In 2009, he co-edited Pediatric Informatics, the first textbook on this subject. Dr. Lehmann served on the board of the American Medical Informatics Association from 2008 to 2013 and served two terms as the organization’s secretary. In 2010, he was inducted as a fellow into the American College of Medical Informatics, in 2014 he was elected to the American Pediatric Society, and in 2012 he became a Vice Presidents of the International Medical Informatics Association in charge of the IMIA Yearbook. In 2015, he became President-Elect of the International Medical Informatics Association. In 2010, Dr. Lehmann was appointed Medical Director of the Child Health Informatics Center for the American Academy of Pediatrics, where he was involved in developing the Model Pediatric EHR Format. Dr. Lehmann serves on the federal Health IT Policy Committee and as the chair of the Examination Committee of the American Board of Preventive Medicine, Subcommittee for Clinical Informatics.