Tag Archives: healthcare

THaW Comes to a Close

Posted on by
Reply

In 2013, the National Science Foundation’s Secure and Trustworthy Cyberspace program awarded a Frontier grant to a consortium of four institutions — Dartmouth College, the University of Michigan, the University of Illinois Urbana-Champaign, and Johns Hopkins University — to enable trustworthy cybersystems for health and wellness. Over the years, THaW grew to include researchers from Vanderbilt University, Morgan State University, and George Washington University.

Over 80 students and postdocs engaged in THaW research activities over the span of the project, and the project’s bibliography includes more than 130 significant publications. You can find an organized overview of these publications here. The THaW team devised systems and methods to enhance security, resulting in 11 patents. Team members were featured in various news outlets, and THaW PI Kevin Fu co-founded VirtaLabs to identify, assess, patch, and track clinical assets in health care environments.

THaW collaborated with The Archimedes Center for Medical Device Security in Michigan to offer a twice-annual training conference on how to integrate THaW security principles into the design of medical devices to clinical engineers and CISOs from hospitals and medical device manufacturers. Over 10,000 people and more than 100 industry organizations attended the events. In addition, Archimedes conducted on-site security training for more than 500 medical device engineers over the years.

If you are interested in taking advantage of any of the resources within this site, the contact us page of this website will remain active. The rest of the website will no longer be updated. Thank you to those of you who have followed this site and the THaW project over the past 11 years.

The THaW group at its annual meeting in 2017 (top) and its first annual meeting in 2013 (bottom)
The THaW group at its annual meeting in 2017 (top) and its first annual meeting in 2013 (bottom)

New THaW Patent: Secure Short-Range Wireless Communication

Posted on by
Reply

The THaW team is proud to announce the issuing of a patent for apparatuses, methods, and software for secure short-range wireless communication.

With the number and diversity of Internet of Things (IoT) devices growing, cryptography is not a blanket solution for secure message exchange. Devices may encounter dozens or hundreds of new devices each day, and many of these new IoT devices will have limited or non-existent user interfaces, making this manual secret entry even more cumbersome than configuring existing devices.

This work focuses on a secure method to wirelessly transmit data between devices that are in short-range of each other. In this setup, the sending device has two antennas and two transmitters. One transmitter sends a data signal via the first antenna, which is closer to the target device than the second antenna, and another transmits a jamming signal via the second antenna. Because of the close proximity between the target device and the first antenna, which results in a stronger signal, the receiving device can retrieve the data despite the presence of the jamming signal. This ensures a secure-communications process between the sending device and the target device.

To learn more, check out the patent. If you are interested in taking advantage of this patent, please contact us.

Timothy J. Pierson, Ronald Peterson, and David Kotz. Apparatuses, Methods, and Software for Secure Short-Range Wireless Communication. U.S. Patent 11,894,920 B2. February 06, 2024. Download from https://patents.google.com/patent/US11894920B2/en

See also: Timothy J. Pierson, Ronald Peterson, and David Kotz. Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication. U.S. Patent 11,153,026, October 19, 2021. Download from https://patents.google.com/patent/US11153026B2/en

See also: Timothy J. Pierson, Travis Peters, Ronald Peterson, and David Kotz. CloseTalker: secure, short-range ad hoc wireless communication. Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), pages 340–352. ACM, June 2019. doi:10.1145/3307334.3326100. [Details]

New THaW Dissertation: ‘Information Provenance for Mobile Health Data’

Posted on by
1

We are proud to announce a THaW team members’ successful dissertation. Dr. Taylor Hardin’s dissertation focuses on an end-to-end solution for providing information provenance for mHealth data, which begins by securing mHealth data at its source: the mHealth device. 

The dissertation describes a memory-isolation method that combines compiler-inserted code and Memory Protection Unit (MPU) hardware to protect application code and data on ultra-low-power micro-controllers. The security of mHealth data outside of the source (e.g., data that has been uploaded to smartphone or remote-server) is then addressed with Amanuensis, a health-data system, which uses Blockchain and Trusted Execution Environment (TEE) technologies to provide confidential, yet verifiable, data storage and computation for mHealth data. The use of blockchain and TEEs introduce identity privacy and data freshness issues, which are explored. A privacy-preserving solution for blockchain transactions, and a freshness solution for data access-control lists retrieved from the blockchain are presented.

To learn more, check out Dr. Taylor Hardin’s dissertation below. 

Hardin, Taylor A., “Information Provenance for Mobile Health Data” (2022). Dartmouth College Ph.D Dissertations. 79. 
https://digitalcommons.dartmouth.edu/dissertations/79

VibeRing: An out-of-band channel for sharing secret keys

Posted on by
Reply

Health-oriented smart devices, such as a blood-glucose monitor, collect meaningful data when they are in use and in physical contact with their user. The smart device’s (“smartThing’s”) wireless connectivity allows it to transfer that data to its user’s trusted device, for example a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user. 

To address this problem, in this paper, we investigate the use of vibration, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call VibeRing. We describe the hardware and software details of the smartThing and smartRing. Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques.

Sougata Sen and David Kotz. VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys. Journal of Pervasive and Mobile Computing, volume 78, article 101505, 16 pages. Elsevier, December 2021. doi:10.1016/j.pmcj.2021.101505. ©Copyright Elsevier. Revision of sen:vibering.

New THaW Patent

Posted on by
Reply

The THaW team is pleased to announce one new patent derived from THaW research. For the complete list of patents, visit our Tech Transfer page.

Abstract: Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.

Image describes the steps to ensure secure wireless data transfer between devices.

Timothy J. Pierson, Ronald Peterson, and David Kotz. Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication. U.S. Patent 11,153,026, October 19, 2021. Download from https://patents.google.com/patent/US11153026B2/en

See also: Timothy J. Pierson, Travis Peters, Ronald Peterson, and David Kotz. CloseTalker: secure, short-range ad hoc wireless communication. Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), pages 340–352. ACM, June 2019. doi:10.1145/3307334.3326100. [Details]

THaW’s Eric Johnson on recent health system cyberattacks

Posted on by
Reply
Eric Johnson
Eric Johnson, PhD and dean of Vanderbilt University’s Owen Graduate School of Management

Cyberattacks targeting healthcare systems have been growing in prevalence and are wreaking more havoc with the healthcare industry’s increased dependence on electronic systems. Cyberattacks such as denial-of-service attacks, can have immediate impact on patient care by leaving medical staff without important patient records. The impacts don’t end there. With healthcare systems increasing their cybersecurity protocols in the aftermath of a cyberattack, patient information can be harder to access for those who should be accessing that information. Johnson’s research with co-author S.J. Choi, PhD, shows that at hospitals where security protocols slowed computer access by just a minute or so, people who came in with a heart attack were more likely to die. “When I talk to doctors about security, a lot of times they’re very negative,” Johnson said. “So they’re pretty far behind, and at this point, incredibly vulnerable.” It’s certainly not a stretch, Johnson says, to say that delays from a ransomware attack are likely to have more serious effects.

To read more about the recent cyberattacks on healthcare systems and coverage of THaW research on those topics, check out the THaW press page.

New THaW Paper on Recurring Device Verification

Posted on by
Reply

An IoT device user with a blood-pressure monitoring device should have the assurance that the device operates how a blood-pressure monitor should operate. If the monitor is connected to a measurement app that collects, stores, and reports data, but interacts in a way that is inconsistent with typical interactions for this type of device, there may be cause for concern. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287. ©

Temperature sensors may be vulnerable in safety-critical systems

Posted on by
Reply

Recent THaW research has demonstrated that temperature control systems, particularly in sensitive devices like infant incubators or industrial thermal chambers, can be affected by (and thus manipulated by) electromagnetic waves. The team included Prof. Kevin Fu and Research Investigator Sara Rampazzi from THaW, and Prof. Xiali Hei and PhD student Yazhou Tu from the University of Louisiana at Lafayette.

The vulnerability is due to the weakness of analog sensing components. In particular, the change in the measured temperature is due to an unintended rectification effect in amplifiers induced by injecting specific electromagnetic interferences though their temperature sensors.

The researchers demonstrate how it is possible remotely manipulate the temperature sensor measurements of critical devices, such as infant incubators, thermal chambers, and 3D printers. “In infant incubators for example, changing temperature sensor measurement can raise the risk of temperature-related health issues in infants, such as hyperthermia and hypothermia, which in turn can lead in extreme cases to hypoxia, and neurological complications.” Rampazzi says.

In a recent paper describing the attack method, the authors also describe a defense against the vulnerability, proposing a prototype of an analog anomaly detector to identify unintended interferences in the affected frequency range.

The paper was presented this month at the ACM Conference on Computer and Communications Security (CCS), and is available at DOI 10.1145/3319535.3354195.

Short video demos of the effect on an infant incubator are available on YouTube.

 

thermbanner.jpg

The Evolving Cyberthreat to Privacy

Posted on by
Reply

THaW’s A.J. Burns and Eric Johnson recently published a piece in IT Professional:

ABSTRACT: Cyberthreats create unique risks for organizations and individuals, especially regarding breaches of personally identifiable information (PII). However, relatively little research has examined hackings distinct impact on privacy. The authors analyze cyber breaches of PII and found that they are significantly larger compared to other breaches, showing that past breaches are useful for predicting future breaches.
Issue No. 03 – May./Jun. (2018 vol. 20)
DOI: http://doi.ieeecomputersociety.org/10.1109/MITP.2018.032501749

Interview with Scott Breece – CISO, Community Health Systems

Posted on by
Reply

Scott Breece, VP and CISO of Community Health Systems, discusses the rising security threat in healthcare with M. Eric Johnson, Dean of Vanderbilt University’s Owen Graduate School of Management. Scott highlights how health IT is transforming healthcare, improving the patient experience and outcomes. However, digitization of healthcare data also creates new risks for the healthcare system. Scott discusses how Community Health Systems is staying ahead of those threats and securing patient data. This video was partially supported by the THaW project, which is co-led by Eric Johnson.