THaW’s Eric Johnson on recent health system cyberattacks

Eric Johnson
Eric Johnson, PhD and dean of Vanderbilt University’s Owen Graduate School of Management

Cyberattacks targeting healthcare systems have been growing in prevalence and are wreaking more havoc with the healthcare industry’s increased dependence on electronic systems. Cyberattacks such as denial-of-service attacks, can have immediate impact on patient care by leaving medical staff without important patient records. The impacts don’t end there. With healthcare systems increasing their cybersecurity protocols in the aftermath of a cyberattack, patient information can be harder to access for those who should be accessing that information. Johnson’s research with co-author S.J. Choi, PhD, shows that at hospitals where security protocols slowed computer access by just a minute or so, people who came in with a heart attack were more likely to die. “When I talk to doctors about security, a lot of times they’re very negative,” Johnson said. “So they’re pretty far behind, and at this point, incredibly vulnerable.” It’s certainly not a stretch, Johnson says, to say that delays from a ransomware attack are likely to have more serious effects.

To read more about the recent cyberattacks on healthcare systems and coverage of THaW research on those topics, check out the THaW press page.

New THaW Paper on Recurring Device Verification

An IoT device user with a blood-pressure monitoring device should have the assurance that the device operates how a blood-pressure monitor should operate. If the monitor is connected to a measurement app that collects, stores, and reports data, but interacts in a way that is inconsistent with typical interactions for this type of device, there may be cause for concern. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287. ©

Temperature sensors may be vulnerable in safety-critical systems

Recent THaW research has demonstrated that temperature control systems, particularly in sensitive devices like infant incubators or industrial thermal chambers, can be affected by (and thus manipulated by) electromagnetic waves. The team included Prof. Kevin Fu and Research Investigator Sara Rampazzi from THaW, and Prof. Xiali Hei and PhD student Yazhou Tu from the University of Louisiana at Lafayette.

The vulnerability is due to the weakness of analog sensing components. In particular, the change in the measured temperature is due to an unintended rectification effect in amplifiers induced by injecting specific electromagnetic interferences though their temperature sensors.

The researchers demonstrate how it is possible remotely manipulate the temperature sensor measurements of critical devices, such as infant incubators, thermal chambers, and 3D printers. “In infant incubators for example, changing temperature sensor measurement can raise the risk of temperature-related health issues in infants, such as hyperthermia and hypothermia, which in turn can lead in extreme cases to hypoxia, and neurological complications.” Rampazzi says.

In a recent paper describing the attack method, the authors also describe a defense against the vulnerability, proposing a prototype of an analog anomaly detector to identify unintended interferences in the affected frequency range.

The paper was presented this month at the ACM Conference on Computer and Communications Security (CCS), and is available at DOI 10.1145/3319535.3354195.

Short video demos of the effect on an infant incubator are available on YouTube.

 

thermbanner.jpg

IEEE recognizes THaW researcher for establishing field of medical device security

Professor Kevin Fu’s 2008 paper called “Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses” has received the inaugural IEEE Security and Privacy “Test of Time” Award:  http://eecs.umich.edu/eecs/about/articles/2019/fu-test-of-time.html 

The paper was been recognized from a pool of submissions spanning 40 years with the inaugural IEEE Security and Privacy Test of Time Award, and its impact can be felt in every corner of the medical devices industry.

In the 11 years since the paper’s publication, Fu and others in his field have worked on solutions. Many of these have been technical, but most of the larger impact the paper has had has been in leadership.

“A lot of it is about community building and standards development,” Fu says, “which is sometimes a foreign concept in academia. But it’s really important to industry.”

A ‘building code’ for building secure code in medical devices

Carl Landwehr portrait

Carl Landwehr

Last month, a broad mix of experts convened by THaW researcher Carl Landwehr convened in New Orleans to begin drafting a “building code” for medical-device software.  They’ve just released their report, and there is already talk about taking some of these ideas into the various standards bodies. Check out their report and feel free to leave comments on their site.  — dave

DHS to investigate medical device security

The Department of Homeland Security (specifically the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT) is starting to investigate cyber-security vulnerabilities in medical devices, according to recent news reports.

THaW co-PI Kevin Fu commented on the story: “It’s very easy to sort of sensationalize these problems,” said Kevin Fu, who runs the Archimedes Research Center for Medical Device Security at the University of Michigan.

THaW’s Kevin Fu and Darren Lacey were both key players in this week’s FDA workshop “Collaborative Approaches for Medical Device and Healthcare Cybersecurity”.

Hacking Medical Devices: Fact and Fiction (NY Times)

THaW PI Kevin Fu was quoted in an article published this weekend in the New York Times. Describing a scene from an episode of the Showtime Network’s series Homeland, the Times story questions how realistic it is that a person’s computerized defibrillator could be hacked. In a recent 60 Minutes episode, former Vice President Dick Cheney and his cardiologist thought the threat was credible enough to shut off the wireless programming functionality of his own defibrillator.

In the article, Kevin describes some of his research on the topic, including a 2008 paper that he co-authored warning of just such a scenario. According to Kevin “security was not on the radar yet for the medical device community…But there was a rapid trend toward wireless communication and Internet connectivity. We definitely raised awareness.”

Read the full New York Times article published on 10/27/13.