THaW’s Eric Johnson on recent health system cyberattacks

Eric Johnson, PhD and dean of Vanderbilt University’s Owen Graduate School of Management

Cyberattacks targeting healthcare systems have been growing in prevalence and are wreaking more havoc with the healthcare industry’s increased dependence on electronic systems. Cyberattacks, such as denial-of-service attacks, can have an immediate impact on patient care by leaving medical staff without important patient records. The impacts don’t end there. With healthcare systems increasing their cybersecurity protocols in the aftermath of a cyberattack, patient information can be harder to access for those who should be accessing that information. Johnson’s research with co-author S.J. Choi, PhD, shows that at hospitals where security protocols slowed computer access by just a minute or so, people who came in with a heart attack were more likely to die. “When I talk to doctors about security, a lot of times they’re very negative,” Johnson said. “So they’re pretty far behind, and at this point, incredibly vulnerable.” It’s certainly not a stretch, Johnson says, to say that delays from a ransomware attack are likely to have more serious effects.

To read more about the recent cyberattacks on healthcare systems and coverage of THaW research on those topics, check out the THaW press page.

New THaW Paper on Recurring Device Verification

An IoT device user with a blood-pressure monitoring device should have the assurance that the device operates how a blood-pressure monitor should operate. If the monitor is connected to a measurement app that collects, stores, and reports data, but interacts in a way that is inconsistent with typical interactions for this type of device, there may be cause for concern. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287.
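To make the idea of recurring, behavior-based verification concrete, here is an added sketch that is not code from the VIA paper: it learns a baseline from authentic traffic windows and re-checks every later window of the same connection. The three features, the z-score threshold, the window size, all function names and the sample traffic are assumptions chosen for illustration; the paper's own features and models may differ.

```python
import statistics

def make_window(start, gap, lengths, tx_every):
    """Constructed sample traffic: (timestamp_s, direction, payload_len) tuples."""
    return [(start + i * gap, "tx" if i % tx_every == 0 else "rx", n)
            for i, n in enumerate(lengths)]

def features(window):
    """Mean payload length, mean inter-arrival gap, share of outbound packets."""
    gaps = [b[0] - a[0] for a, b in zip(window, window[1:])]
    tx_share = sum(p[1] == "tx" for p in window) / len(window)
    return (statistics.mean(p[2] for p in window), statistics.mean(gaps), tx_share)

def train(windows):
    """Behavioral model: per-feature (mean, std) over authentic windows."""
    columns = zip(*(features(w) for w in windows))
    # Floor the std so a constant feature does not cause division by zero.
    return [(statistics.mean(c), max(statistics.pstdev(c), 1e-3)) for c in columns]

def verify(model, window, threshold=3.0):
    """True if every feature lies within `threshold` std devs of the baseline."""
    z = [abs(x - mu) / sd for x, (mu, sd) in zip(features(window), model)]
    return max(z) <= threshold

def recurring_verify(model, packets, size=8):
    """Re-verify each consecutive full window of an ongoing connection."""
    return [verify(model, packets[i:i + size])
            for i in range(0, len(packets) - size + 1, size)]

# Constructed baseline: a blood-pressure monitor reporting about once a second.
AUTHENTIC = [
    make_window(0, 1.00, [20, 24, 20, 24, 20, 24, 20, 24], 4),
    make_window(0, 1.10, [20, 20, 24, 24, 20, 20, 24, 28], 4),
    make_window(0, 0.90, [24, 24, 20, 24, 20, 24, 20, 20], 3),
    make_window(0, 1.05, [20, 24, 24, 24, 20, 24, 20, 24], 4),
]
MODEL = train(AUTHENTIC)

# Constructed live stream: one typical window, then one that departs from the
# baseline (large, rapid, all-outbound packets).
STREAM = (make_window(100, 1.00, [20, 24, 24, 20, 24, 20, 24, 22], 4)
          + make_window(110, 0.05, [200] * 8, 1))

if __name__ == "__main__":
    print(recurring_verify(MODEL, STREAM))
```

A connection that passed its initial pairing still fails the second check here, which is the gap one-time authentication leaves open.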

Temperature sensors may be vulnerable in safety-critical systems

Recent THaW research has demonstrated that temperature control systems, particularly in sensitive devices like infant incubators or industrial thermal chambers, can be affected by (and thus manipulated by) electromagnetic waves. The team included Prof. Kevin Fu and Research Investigator Sara Rampazzi from THaW, and Prof. Xiali Hei and PhD student Yazhou Tu from the University of Louisiana at Lafayette.

The vulnerability is due to the weakness of analog sensing components. In particular, the change in the measured temperature is due to an unintended rectification effect in amplifiers induced by injecting specific electromagnetic interferences through their temperature sensors.

The researchers demonstrate how it is possible to remotely manipulate the temperature sensor measurements of critical devices, such as infant incubators, thermal chambers, and 3D printers. “In infant incubators for example, changing temperature sensor measurement can raise the risk of temperature-related health issues in infants, such as hyperthermia and hypothermia, which in turn can lead in extreme cases to hypoxia, and neurological complications,” Rampazzi says.

In a recent paper describing the attack method, the authors also describe a defense against the vulnerability, proposing a prototype of an analog anomaly detector to identify unintended interferences in the affected frequency range.

The paper was presented this month at the ACM Conference on Computer and Communications Security (CCS), and is available at DOI 10.1145/3319535.3354195.

Short video demos of the effect on an infant incubator are available on YouTube.

The Evolving Cyberthreat to Privacy

THaW’s A.J. Burns and Eric Johnson recently published a piece in IT Professional:

ABSTRACT: Cyberthreats create unique risks for organizations and individuals, especially regarding breaches of personally identifiable information (PII). However, relatively little research has examined hacking’s distinct impact on privacy. The authors analyze cyber breaches of PII and found that they are significantly larger compared to other breaches, showing that past breaches are useful for predicting future breaches.
Issue No. 03 – May./Jun. (2018 vol. 20)

Interview with Scott Breece – CISO, Community Health Systems

Scott Breece, VP and CISO of Community Health Systems, discusses the rising security threat in healthcare with M. Eric Johnson, Dean of Vanderbilt University’s Owen Graduate School of Management. Scott highlights how health IT is transforming healthcare, improving the patient experience and outcomes. However, digitization of healthcare data also creates new risks for the healthcare system. Scott discusses how Community Health Systems is staying ahead of those threats and securing patient data. This video was partially supported by the THaW project, which is co-led by Eric Johnson.

THaW’s Eric Johnson Meets With Talvis Love

As part of THaW’s efforts to discuss the state of security in the health care industry, Eric Johnson continues to meet with prominent Information Security Officers to discuss the current challenges in the industry. This time, Eric met with Cardinal Health’s Talvis Love to discuss a variety of topics, including the intricacies of the migration to the cloud for data storage and retrieval. Click above to watch the discussion in full.

Eric Johnson Talks with Charles Lebo: Healthcare Data Security


THaW contributor Eric Johnson’s conversations from the CISO conference continued with VP and CISO of Kindred Healthcare, Charles Lebo. The two had a conversation to discuss some of the emerging challenges of healthcare security. The topics ranged from the scope of large healthcare datasets, to the emergence of ransomware and maintaining data security.

Click here, or play the embedded video above, to hear the discussion in full.

Eric Johnson talks with Paul Connelly: Healthcare Analytics and Information Security

THaW contributor Eric Johnson recently sat down with VP and CISO of Hospital Corporation of America Paul Connelly to discuss advancements in healthcare analytics and information security. Over the course of the discussion the two touch on the sheer volume of data created by HCA, and how analytics can be used to give that data value in contributing to informed decision making, while at the same time protecting patient security.

Click here, or play the embedded video above, to hear the discussion in full.

Five trends in healthcare IT – and their implications for security

In the previous post we described the current landscape for healthcare information technology. In this post, we note how healthcare information systems increasingly face daunting security challenges due to five economic and technological trends. First, the locus of care is shifting, as the healthcare system seeks more efficient and less-expensive ways to care for patients, particularly outpatients with chronic conditions. Second, strong economic incentives are pushing health providers to innovate by rewarding providers for keeping their patient population healthy, rather than paying only to fix patients when they are ill. Third, the treatment of chronic conditions and the implementation of prevention plans entail more continuous patient monitoring, outside of the clinical setting. Fourth, mobile consumer devices (smartphones and tablets) are quickly being adopted for health & wellness applications, both by caregivers and patients, in addition to their many other uses – making it difficult to protect sensitive health-related data and functions from the risks posed by a general-purpose Internet device. Finally, significant emerging threats are targeting healthcare information systems, while new regulations strive to protect medical integrity and patient privacy. Let’s look at each of these five trends in more detail.


The healthcare IT landscape

The United States spends over $2.6 trillion annually on healthcare. This amount represents approximately 18% of the gross domestic product (GDP), a percentage that has doubled in the last 30 years and is the highest of any country in the world [11]. Over 75% of these costs are due to the management of chronic diseases, which currently affect 45% of the U.S. population. By 2023, it is expected that costs to manage chronic diseases alone will rise to $4.2 trillion [3]. Many look to information technology to help reduce costs, increase efficiency, broaden access to healthcare, and improve the health of the population.

Meanwhile, recent years have seen a dramatic shift in the nature of computing with the advent of smartphones and tablet computers; the latest surveys estimate that over 50% of Americans have smartphones [10]. This widespread availability of a powerful mobile computing platform, with a rich interface and a variety of built-in sensors, has created a boom in mobile health (mHealth) applications like RunKeeper and Fooducate [9]; mHealth application downloads increased from 124 million in 2011 to 247 million in 2012 [8]. These mHealth apps and devices are becoming more prevalent due in part to the rising cost of healthcare and their suitability for managing chronic diseases, particularly in the aging population [5, 6], and in prevention and wellness programs [1].

Smartphones and tablets are rapidly moving into the clinical workplace as well. A recent estimate indicates that as many as 62% of doctors use mobile tablets [4]. Although some hospitals embrace smartphones and tablets by distributing them to their staff [7], a 2012 survey found that 85% of hospitals allow their clinicians to bring their own device to work [2].

Furthermore, universal connectivity (cellular, wireless, and home broadband) has enabled a tremendous variety of services to move to the “cloud.” Services like Dropbox and Google Drive make it easy for individuals to store, manipulate, and share content on cloud servers located in distant data centers. Services like Amazon S3 and Google App Engine make it easy for developers to build scalable computational backends without installing or managing their own infrastructure. These trends are leading more individuals and enterprises to move an increasing fraction of their computing onto Internet-connected servers run by other organizations – raising important questions about security and privacy.

Finally, recent years have seen rapid developments in smart, miniaturized, low-power, adaptive and self-calibrating instrumentation, enabling the emergence of mobile devices for monitoring and managing individual health conditions; examples range from wearable devices that measure physical activity (such as the BodyMedia armband) to Wi-Fi enabled bathroom scales (such as those from Withings or Fitbit) to stick-on ECG patches to monitor heart conditions (such as those from Corventis) to implanted insulin pumps (such as one from Medtronic). Most are wireless, able to upload data to a smartphone or to a cloud server for analysis and access by both the individual and caregivers.

The dynamic healthcare ecosystem and rapid technology evolution lead to new challenges in securing tomorrow’s healthcare information infrastructure. More on that in the next post!
