Recent press coverage of the THaW project’s research, education, and outreach initiatives.

Scripps Cyberattack Highlights Patient Safety Risks during breaches

“What we’re seeing now is what I would say, version 2.0, which is to hold an organization hostage, either because of a disruption, or because of fear of release of private data, and to extort money out of the organization,” said Eric Johnson, dean of Vanderbilt University’s Owen Graduate School of Management. […] “When I talk to doctors about security, a lot of times they’re very negative,” Johnson said. “So they’re pretty far behind, and at this point, incredibly vulnerable.”

To read more from THaW’s Eric Johnson on this topic, see the article here or here.

How Hackers Hold Hospitals, and Your Health, for Ransom

Ransomware is software code designed to cut off user access to computer systems. Once deployed, the effects are almost immediate. Doctors and nurses may lose access to patients’ appointments, medical histories, lab tests, MRI and X-ray images, and medication information. Recordkeeping may go back to pen and paper, a process that’s slower and more prone to errors. Hospitals can even lose access to certain software-based medical equipment. […] The loss of these kinds of “clinical systems” — computer hardware and software that controls records, medical devices, medication delivery, scans, and more — can have real effects on patient health, says M. Eric Johnson, PhD, an expert on health care cybersecurity and dean of Vanderbilt University’s Owen Graduate School of Management. […] The government helps by setting up information sharing and analysis centers (ISACs) for different industries, including for health care. But, Johnson says, ISACs are only as good as their members. “Hospitals just aren’t nearly as sophisticated, both in terms of their security protocols and in terms of sharing information,” Johnson says.

To read more from THaW’s Eric Johnson, check out the WebMD article here.

CIOs reveal their security philosophies

Today, organizational security is almost entirely synonymous with technological security. CIOs act not only as technological champions — but, in their own ways, as quaestor, subprefect, and constable. “For many organizations, CIOs represent the key leader in the battle to protect valuable data,” says M. Eric Johnson, Dean of the Owen Graduate School of Management at Vanderbilt University. “While not universal in all organizations, the bulk of the security investment is in the CIO’s organization.”

For more of the chat with THaW’s Eric Johnson, see CIO’s article here.

New cybersecurity guidelines for medical devices tackle evolving threats

Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results.

For insight from THaW’s Eric Johnson, and more information see The Verge’s article here.

It’s Possible to Hack a Phone With Sound Waves, Researchers Show

A security loophole that would allow someone to add extra steps to the counter on your Fitbit monitor might seem harmless. But researchers say it points to the broader risks that come with technology’s embedding into the nooks of our lives.

On Tuesday, a group of computer security researchers at the University of Michigan and the University of South Carolina will demonstrate that they have found a vulnerability that allows them to take control of or surreptitiously influence devices through the tiny accelerometers that are standard components in consumer products like smartphones, fitness monitors and even automobiles.

For more information about WALNUT and Professor Fu’s research, see The New York Times article here.

The Company That Wants to Fight Your Medical Bills

… Remedy, a new start-up that aims to help people fight their medical bills. Though estimates of billing errors vary widely, at least 10 to 30 percent of medical bills contain a mistake.

…several cybersecurity experts warn that it can be risky to entrust a private company with personal medical data.

(Professor Avi) Rubin (THaW researcher and director of the Johns Hopkins Information Security Institute) added that while it sounds like Remedy could be a valuable service for those who are slammed by unaffordable medical bills, he personally wouldn’t find the savings worth the risk of a medical-data leak.

For more information about Remedy and Professor Rubin’s concerns see The Atlantic article here.

Coming to a doctor’s office near you: Live-streaming your exam with Google Glass

The entrepreneurs behind the technology (Google Glass augmented medical scribing) — which could one day morph into something as tiny as a contact lens — say it is more than a transcription tool: It’s the first step to supercharging doctors with instantaneous information that transforms how medical decisions are made.

Yet, like much new digital technology in health care, Google Glass has the potential to create more problems than it solves.

You’re taking something that was in the doctor’s office and now you’re streaming it across the world,” (Professor Avi) Rubin (THaW researcher and director of the Johns Hopkins Information Security Institute) said. “The whole health-care industry has lax security, and if you combine that with how private the information is and how it needs to be immediately available, that’s where I have concerns.

To read more of Professor Rubin’s reservations in the Washington Post, click here.

FierceHealthcare – Study: mHealth privacy, security issues need collaboration to solve

Better privacy and security is needed for the true benefits of smartphone-based health technology to be realized, especially in light of increasing consumer interest and tool advancements.

A Dartmouth College study outlines a slew of challenges facing mHealth innovation, from data sharing and authentication to policy and compliance, according to an announcement.

To see the entire FierceHealthCare article featuring comments made by THaW researcher, Champion International Professor David Kotz, click here.

Morning Edition, Michigan Public Radio – Malware Attacks Putting Patients’ Medical Records at Risk

You may have seen recent news stories describing some U.S. hospitals being hit by malware attacks. This “ransomware” works by locking up computers until an amount of money, usually in the form of bitcoins, is paid to the hacker.

When hospitals are hit, patient records can be in danger.

Listen to THaW’s Professor Kevin Fu provide some additional insights into this growing problem – [Michigan Public Radio]

All Tech ConsideredResearchers Hope This Invention Could Wave Away Medical Data Hacks

NPR reporter Jordan Gass-Poore notes that, “Doctors’ scrawls on prescription pads and medical folders are so analog. These days, they’re prescribing and keeping track of patients’ records using digital devices connected to wireless networks, sometimes remotely.”

Gass-Poore goes on to highlight the security risks of connected devices and focuses on work done by Tim Pierson, David Kotz, and their team at Dartmouth College.  The Dartmouth team has developed a prototype device to make connecting wireless devices easy and secure. Dubbed Wanda, this dual antenna device sends configuration information to wireless devices, allowing these devices to securely connect to one another and facilitate trusted data flow.

Funded as part of the THaW project, Wanda is still in the prototype stage. Tim and his team feel that the promise for Wanda is enormous. Stay tuned…[NHNPR}

Health Data Management – How Providers Can Better Prepare for Ransom Attacks

Ransomware continues to be one of the most pressing issues facing hospitals today. Recently it has been estimated that 50% of US hospitals have borne the brunt of at least one ransomware attack.

The recent MedStar attack epitomizes the seriousness of cyberattacks on the health care delivery system. According to ThaW researcher, Avi Rubin, “This is a big wake-up call for the healthcare industry. In the past, there was the danger of people stealing medical records and organizations getting a black eye as a result. But ransomware threatens their day-to-day operations as well as patient care.” (Health Data Management)

Rubin goes on to say, “Overall, healthcare has been lagging behind other industries in addressing security. However, they’re not going to be able to do that anymore.” Rubin estimates that 3.5 million medical records have been compromised in just the first three months of 2016.

C-SPAN Washington Journal – Health Records Security

When the C-SPAN reporter asked THaW researcher, Avi Rubin about the significance of IT security in hospitals and medical facilities, Avi replied, “I see it as critical. I think systems are moving toward automation. I visited an ICU unit at Johns Hopkins and was told that the systems are so automated that they have eliminated a lot of the manual things: when they talk about the nurses’ schedule, how medication gets to the patient.”

To listen to the interview and see a complete transcript visit (C-SPAN Washington Journal)

MIT Technology Review – With Hospital Ransomware Infections, the Patients Are at Risk

“Police departments, government offices, corporations, and countless individuals have been victims of malicious software that encrypts data and demands payment for its return.“

But according to THaW researcher Kevin Fu, “The big difference with health care is that the consequences are greater.”

Ransomware is today’s most notorious cybersecurity scourge. It is designed to be destructive with the damage being reversible – for a price.  According to Professor Fu, “It wasn’t really until ransomware came around that we saw malware trying to cause direct harm and deliberately makes these systems unavailable.” (MIT Technology Review)

CIO: What happens with data from mobile health apps? – Kevin Fu on Cybersecurity Hygiene in Health Apps

“Medical professionals are not too different from every other person in the country when it comes to cybersecurity hygiene. So they’re taught to wash their hands in between patient encounters, but they’re not taught as well as to the cybersecurity hygiene. I’d say we have a very long way to go,” Fu says. “The bar is very low right now.” [CIO]

KQED: David Kotz on the Security Breach at Anthem

“They can have explicit questions about what steps the organization takes to ensure its security of the records and the privacy of their customers, patients in particular,” says Principal Investigator David Kotz in a KQED California Report story about the security breach at Anthem and what states can do to protect consumers.


THaW’s article about Zero-Effort Bilateral Recurring Authentication (ZEBRA) triggered a lot of press coverage: such as Communications of the ACM (CACM)VICE MotherboardGizmagThe Register UKPlanet Biometrics*, Computer Business Review*,  Fierce Health ITDaily Science NewsSenior Tech InsiderMotherboard, Homeland Security Newswire, Dartmouth’s Graduate Forum, and NFC World. They’re all intrigued by ZEBRA’s ability to continuously authenticate the user of a desktop terminal and to log them out if they leave or if someone else steps in to use the keyboard. Some(*) mistakenly believe our ZEBRA method uses biometrics; quite the contrary, ZEBRA is designed to be user-agnostic and thus requires no per-user training period.

Note: since the time this paper was published we have learned of a relevant trademark on the name “Zebra”. Thus, we have renamed our approach “BRACE” and will use that name in future publications.

Health Affairs

Jonathan Weiner, Susan Yeh and David Blumenthal wrote The Impact Of Health Information Technology And e-Health On The Future Demand For Physician Services for the November 2013 issues of Health Affairs. According to the authors, “…few factors will change the future face of the American health care workforce as widely and dramatically as health information technology (IT) and electronic health (e-health) applications.”

The authors further state, “We estimate that if health IT were fully implemented in 30 percent of community-based physician’ offices, the demand for physicians would be reduced by about 4-9 percent.”

To augment this impressive study, the authors have provided a set of appendices that can be found here — The Impact Of Health Information Technology And e-Health On The Future Demand For Physician Services – Appendices and Supplemental Information.

A press release describing this study can be found here  —

Additional media coverage is located here —

Attack surfaces are prevalent in mobile health applications according to an article at, Health Android app security review: Attack Surfaces. This article is based on research conducted by Dongjing He at the University of Illinois Urbana-Champaign for her MS degree.

dongjing he

According to the article,

He studied Android mHealth apps to help determine the prevalence of various threats these applications within the healthcare sector. In doing so, she looked at potential Android attack surfaces, including whether security flaws would be a result of innate Android security design or unsecured Internet communications and third party servers.


We study a newly discovered threat, side-channel information leaks on Android devices, in detail. Particularly, we discover an unexpected channel of information leaks from per-app data usage statistics and demonstrate that a malicious app can infer users’ identity or investment information with zero-permission by monitoring the channel. To mitigate these threats, we propose defense strategies for both widespread threats on mHealth apps and the side-channel information leaks on Android devices.

A recent article in reports on the lax concern with security in mobile health apps based on research conducted by Dongjing He for her MS degree.

According to the article,Student study of Android health apps’ most prevalent security issues,

dongjing heA number of digital health apps in the Google Play store send unencrypted information over the internet and use third party services, according to a graduate thesis from University of Illinois at Urbana-Champaign student Dongjing He.

…He chose to analyze 27 apps at random from a list of the top 1,080 free apps in the health and fitness and medical categories in the Google Play store. After an analysis He pinpointed three “attack surfaces” that were common in these apps — sending unencrypted information through the internet via unsecure protocols, storing information on third party servers, and logging information on the app.

He’s research indicates that serious security issues are prevalent in mobile health apps.


ThaW Researcher “Avi Rubin on what it takes to move healthcare IT security forward” June, 2014rubin_thaw

Professor Rubin discusses why health care security is different than other areas of IT security. He also delves into the challenges facing securing healthcare IT and why health care professionals are resistant to cybersecurity.

He also provides insight in to the goals and objectives of the Thaw Project.

THaW PI Kevin Fu is one of “Five MedTech Influencers You Should Know
February 24, 2014

A profile of Professor Kevin Fu’s lab at University of Michigan, including his THaW projects on medical device security.

Hackers Outsmart Pacemakers, Fitbits: Worried Yet?
December 12, 2013

InformationWeek_logo“Mobile health devices aren’t as secure as you might think. Look at how researchers plan to strengthen security for consumer devices and regulated medical devices…

Some of the most sensational findings in medical device security revolve around devices that keep the heart beating: pacemakers and implantable cardiac defibrillators.”
Helping Clinics, Patients with Security
November 13, 2013

healthcareinfosec“When it comes to safeguarding the privacy and security of healthcare information, smaller clinics, as well as patients who use telehealth technologies, face considerable challenges because of a lack of expertise, says researcher David Kotz.

“A big hospital can set up electronic health record systems, and they have a professional staff on hand who can hopefully do that well, in terms of security. I’m more concerned with the smaller private practices and satellite clinics who don’t have professional staffs on hand, usually, to set these up, or individuals in their homes who have home-based [health] monitoring technologies for their chronic diseases, for example,” says Kotz, a professor of computer science at Dartmouth University in Hanover, N.H., where he researches data privacy and security issues in the mobile healthcare arena.”

New York Times
Of Fact, Fiction and Cheney’s Defibrillator
October 27, 2013

nytimes_logo“In a chilling episode of “Homeland” last year, a terrorist killed the vice president with a fiendishly clever weapon: a remote-control device that attacked the computerized defibrillator implanted in his chest…

…In fact, a precedent for the “Homeland” episode was a 2008 paper by Dr. Fu and others, who reported they had managed to change the settings on an implantable defibrillator so it would release deadly electric shocks. Of course, Dr. Fu noted, the experiment required almost a dozen people in a lab full of Ph.D.s. And investigators had to be as close as two inches from the defibrillator.”
GAO Appointments to Health IT Policy Committee
October 24, 2013

gao_logo“Gene L. Dodaro, Comptroller General of the United States and head of the U.S. Government Accountability Office (GAO), today announced three appointments to the Health Information Technology (HIT) Policy Committee: David Kotz, PhD, who will fill the position of an expert in privacy and security; Devin Mann, MD, who will fill the position of a researcher; and Troy Seagondollar, RN, who will fill the position of a member of a labor organization representing health care workers.

“In developing policy for health information technology, it’s important to take into account expertise related to privacy and security and to health care research as well as the views of health care workers who are the users of HIT,” Dodaro said.”

Sacramento Bee
U-Michigan engineers study malware in hospitals
August 26, 2013

sacramento-bee“Two University of Michigan engineers are part of a national team that is using a $10 million federal grant to protect medical devices and hospital computer systems from viruses and other malware.

The university says associate professors Kevin Fu and Michael Bailey are participating in a 5-year Trustworthy Health and Wellness project, financed by the National Science Foundation.”

Vermont Public Radio
Dartmouth Researchers Looking For Ways To Safeguard Medical Information In Cyberspace
August 23, 2013

vpr“As more and more medical information is shared on mobile devices and cloud-based services, a research team from Dartmouth is researching ways to safeguard that personal data.

A decade ago, medical records were just beginning to be stored electronically instead of filed in cabinets.  Nowadays, doctors and patients routinely exchange emails with photos or lab results. It’s even possible for a smart phone to monitor your heart rate and send that information directly to your doctor’s phone. But how private is all this new cyber-information? Not very, worries Dartmouth computer scientist David Kotz.”

Federal Drive
Interview with NSF Secure and Trustworthy Cyberspace Program Managers Jeremy Epstein and Nina Amla
August 22, 2013

fnr-logo-hor“The great battle against cybersecurity threats has become an all-of-government effort. While individual agencies deal with the tactics and strategies, the National Science Foundation is taking the long term view. It’s awarding research grants to further our fundamental understanding of cybersecurity. Two program managers from the NSF’s Frontier project, Nina Amla and Jeremy Epstein, discussed the grand challenges.”

Naked Security
US science fund pumps $20 million into cybersecurity research
August 21, 2013

nakedsecurity logo“America’s National Science Foundation (NSF) last week announced an investment of $20 million into three academic cybersecurity research projects…

…The largest award of this round, of $10 million, went to a project called Trustworthy Health and Wellness (THaW), a five-year collaboration between researchers from Dartmouth College, Johns Hopkins University, the University of Illinois and the University of Michigan at Ann Arbor, which hosts the Archimedes Center for Medical Device Security.”

NSF awards grants totaling $20 million for cybersecurity research
August 21, 2013

fiercegovtit_logo“The National Science Foundation has made three large “Frontier” awards worth almost $20 million to support collaborative, multi-university research and education activities in the area of cybersecurity, according to an agency announcement

…One of the Frontier projects will leverage the trustworthy health and wellness, or THaW, project that will be part of a research initiative on information systems and health care at Dartmouth College’s Institute for Security, Technology, and Society. The project will address challenges to providing trustworthy information systems for health and wellness as the result of sensitive information and health-related tasks being increasingly pushed into mobile devices and cloud-based services. The THaW team will work to develop usable authentication and privacy tools, trustworthy control of medical devices and effective methods to detect malware, compute trust metrics and audit medical information systems and networks.”

Union Leader (New Hampshire)
Dartmouth awarded grant to strengthen cybersecurity of medical records
August 19, 2013

David KotzDartmouth and three other universities were awarded a $10 million grant Thursday from the National Science Foundation to strengthen cybersecurity for health care information.

The Foundation’s Secure and Trustworthy Cyberspace Frontier Award is to support a five-year project called Trustworthy Health and Wellness, known as THaW, said David Kotz, Dartmouth’s associate dean of the faculty for the sciences and a professor of computer science.

R&D Magazine
Reducing computer viruses in health networks
August 19, 2013

r&d_logoThe hospital information technology (IT) networks and medical devices that doctors rely on to treat patients are susceptible to their own maladies: computer viruses and other malware. Whether a bug accidentally finds its way into a system, or an attacker intentionally injects one, researchers believe such breaches are happening more often with the growth of technology such as cloud computing.

Two engineering researchers from the Univ. of Michigan are part of a national team that will work to improve the cybersecurity of the nation’s health systems.

Associated Press
Dartmouth to lead cyber research project
August 17, 2013

ap_logo“Dartmouth College is getting a $4 million federal grant to research better ways to protect medical records sent by cell phones, tablets and other mobile devices.

The grant from the National Science Foundation is part of a nearly $10 million grant for cyber security research at four universities. Dartmouth is leading the project, which also includes Johns Hopkins University, the University of Illinois and the University of Michigan.” (This story was picked up by multiple media outlets, including: the Valley News, San Francisco Chronicle, Seattle Post-Intelligencer, WCAX (Burlington, VT), the Boston Globe (as linked to above), and more).

Michigan Public Affairs
Reducing computer viruses in health networks
August 16, 2013

health-computer_virus-um“Whether a bug accidentally finds its way into a system, or an attacker intentionally injects one, researchers believe such breaches are happening more often with the growth of technology such as cloud computing. Two engineering researchers from the University of Michigan are part of a national team that will work to improve the cybersecurity of the nation’s health systems.” (This press release was picked up by R&D Magazine.)

Office of Congresswoman Ann Kuster (D-NH)
Shaheen, Kuster Announce $4 Million Federal Grant for Dartmouth College Cyber Security Research
August 15, 2013

congress_seal“Today, Senator Jeanne Shaheen (D-NH) and Congresswoman Annie Kuster (NH-02) announced that Dartmouth College will receive $4 million in federal grant funding to support research on cyber security and the protection of electronic medical records. The grant, administered by the National Science Foundation (NSF), will go toward researchers at Dartmouth’s Department of Computer Science, who are looking to better protect medical records sent by cell phones, tablets, and other mobile devices.”

The National Science Foundation
NSF invests $20 million in large projects to keep the nation’s cyberspace secure and trustworthy
August 15, 2013

kotz_thawpr“The five-year Trustworthy Health and Wellness (THaW) will be part of the research initiative on information systems and health care at Dartmouth College’s Institute for Security, Technology, and Society. The interdisciplinary team includes experts from computer science, business, behavioral health, health policy and healthcare information technology. The project will tackle challenges to providing trustworthy information systems for health and wellness as the result of sensitive information and health-related tasks being increasingly pushed into mobile devices and cloud-based services.”

Dartmouth Public Affairs
Dartmouth-Led Team Receives NSF Health Care Cybersecurity Grant
August 15, 2013

security“Dartmouth has been awarded a $10-million, five-year grant from the Secure and Trustworthy Cyberspace program of the National Science Foundation (NSF) to support research into ways of safeguarding  the confidentiality of personal health and medical information as these records make the transition from paper files to electronic systems.”