THaW’s Eric Johnson on recent health system cyberattacks

Eric Johnson
Eric Johnson, PhD and dean of Vanderbilt University’s Owen Graduate School of Management

Cyberattacks targeting healthcare systems have been growing in prevalence and are wreaking more havoc with the healthcare industry’s increased dependence on electronic systems. Cyberattacks such as denial-of-service attacks, can have immediate impact on patient care by leaving medical staff without important patient records. The impacts don’t end there. With healthcare systems increasing their cybersecurity protocols in the aftermath of a cyberattack, patient information can be harder to access for those who should be accessing that information. Johnson’s research with co-author S.J. Choi, PhD, shows that at hospitals where security protocols slowed computer access by just a minute or so, people who came in with a heart attack were more likely to die. “When I talk to doctors about security, a lot of times they’re very negative,” Johnson said. “So they’re pretty far behind, and at this point, incredibly vulnerable.” It’s certainly not a stretch, Johnson says, to say that delays from a ransomware attack are likely to have more serious effects.

To read more about the recent cyberattacks on healthcare systems and coverage of THaW research on those topics, check out the THaW press page.

New THaW Paper on Recurring Device Verification

An IoT device user with a blood-pressure monitoring device should have the assurance that the device operates how a blood-pressure monitor should operate. If the monitor is connected to a measurement app that collects, stores, and reports data, but interacts in a way that is inconsistent with typical interactions for this type of device, there may be cause for concern. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287. ©

Cybersecurity and Privacy Implications of Contact Tracing

Two THaW researchers participated as panelists in a recent online panel discussion about contact tracing, with an emphasis on the security and privacy aspects. The video is now available.

“The coronavirus pandemic has highlighted the need for contact tracing, an effort to retroactively discover and inform all the persons who had recent contact with an infected person. Traditional methods are labor-intensive and inherently limited by human memory. Smartphone apps have been proposed to proactively record contacts, for retrospective notifications to those who may have been proximate to someone later discovered to be infected. There are, however, inherent privacy and cybersecurity risks posed by such technologies, and the same technologies could be abused for purposes other than public health. It is thus essential for contact tracing technologies to be designed and deployed with the utmost care and transparency.”

The Evolving Cyberthreat to Privacy

THaW’s A.J. Burns and Eric Johnson recently published a piece in IT Professional:

ABSTRACT: Cyberthreats create unique risks for organizations and individuals, especially regarding breaches of personally identifiable information (PII). However, relatively little research has examined hackings distinct impact on privacy. The authors analyze cyber breaches of PII and found that they are significantly larger compared to other breaches, showing that past breaches are useful for predicting future breaches.
Issue No. 03 – May./Jun. (2018 vol. 20)

Interview with Scott Breece – CISO, Community Health Systems

Scott Breece, VP and CISO of Community Health Systems, discusses the rising security threat in healthcare with M. Eric Johnson, Dean of Vanderbilt University’s Owen Graduate School of Management. Scott highlights how health IT is transforming healthcare, improving the patient experience and outcomes. However, digitization of healthcare data also creates new risks for the healthcare system. Scott discusses how Community Health Systems is staying ahead of those threats and securing patient data. This video was partially supported by the THaW project, which is co-led by Eric Johnson.

Our mission

Welcome to the Trustworthy Health and Wellness (THaW) project. Our mission is to enable the promise of health and wellness technology by innovating mobile- and cloud-computing systems that respect the privacy of individuals and the trustworthiness of medical information.

With this mission in mind, our team is launching a comprehensive, multi-disciplinary research agenda to address many of the fundamental technical problems that arise in securing healthcare infrastructure that, given recent trends, will increasingly be delivered using mobile devices and cloud-based services. The pervasive reach and (often) health-critical nature of these new technologies demand scientific solutions that provide trustworthy cybersystems for health and wellness. Our five-year research agenda is driven by the needs of the changing health & wellness ecosystem and addresses fundamental scientific problems that arise in other domains in transition to an infrastructure built on mobile devices and cloud services, such as transportation, m-commerce and education.

Specifically, our research agenda will contribute to authenticating mobile users in a continuous and unobtrusive way, segmenting access to medical records from mobile devices to limit information exposure, allowing individuals a usable way to control the information collected about them, handling genomic data in the cloud while enabling patient control over information, managing security on remote health devices while reducing the burden on the user, verifying medical directives issued to remote devices, detecting malware through power analysis, providing provenance information to those who use health data, and auditing behavior of this complex ecosystem of devices and systems.

Our research will have long-term impact by enabling the creation of health & wellness systems that can be trusted by individual citizens to protect their privacy and can be trusted by health professionals to ensure data integrity and security. Our healthcare partners will aid us to evaluate and demonstrate the value of our security solutions. We will also impact the next generation of scientists by creating new course modules, sponsoring summer programs for underrepresented minorities and women to broaden undergraduate and K-12 participation in computing; and creating an exchange program for our postdocs and research students to rotate among sites to broaden perspectives and receive mentoring on trustworthy computing.