An IoT device user with a blood-pressure monitoring device should have the assurance that the device operates how a blood-pressure monitor should operate. If the monitor is connected to a measurement app that collects, stores, and reports data, but interacts in a way that is inconsistent with typical interactions for this type of device, there may be cause for concern. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.
In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior.
Seven years ago, the National Science Foundation’s Secure and Trustworthy Cyberspace program awarded a grant creating the Trustworthy Health and Wellness (THaW) project. Most project activities have now wound down, after publishing more than a hundred journal papers, conference papers, workshop contributions, dissertations, theses, patents, and more. We just released an annotated bibliography, with all the references organized in a Zotero library that provides ready access to citation materials and abstracts. In the annotated bibliography we organize papers by cluster (category), identify content tags, and give a brief annotation summarizing the work’s contribution. Thanks to Carl Landwehr for leading this important summary of THaW work!
The workshop was attended by CISOs from twelve interested healthcare organizations, as well as members of the THaW project. It provided for a day of conversation about cybersecurity best practices and challenges. Over the course of the workshop, with moderation by Eric Johnson and Hans Brechbuhl, the group touched upon a wide array of subjects; we are now happy to present some key insights and a summary of the day’s proceedings. Highlights include insights regarding phishing attacks, medical device security, and the emerging Internet of things.
Click through below to review the document, and feel free to share with your colleagues!
THaW professor Eric Johnson (Vanderbilt) recently presented a new paper at the Conference on Information Systems and Technology (CIST), a division of INFORMS.
See the video abstract. A full version of the paper is under review at a journal.
Meaningful healthcare security: Does “Meaningful-use” attestation improve information security performance?
Juhee Kwon and M. Eric Johnson Abstract:
Certification mechanisms are often employed to signal performance of difficult-to-observe management practices. In the healthcare sector, financial incentives linked to “meaningful-use” attestation have been a key policy initiative of the Obama administration to accelerate electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. Given the rapid push for safe digitization of patient data, this study examines how hospital attestation influences the occurrence of subsequent data breaches and also how breach performance is associated with penalties from prior breaches. Using a propensity score matching technique combined with a difference-in-differences approach, we analyze a matched sample of 869 U.S. hospitals. We find that hospitals that attest to having reached Stage-1 meaningful-use standards observe reduced external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches, but eventually see longer-term reductions. We do not find any link between malicious internal breaches and attestation. Further, we find that the interaction between meaningful-use attestation (carrot) and prior failure resulting in penalties (stick) enhances short-term reductions of accidental internal and external breaches. Our findings offer both theoretical and practical insights into the effective design of certification mechanisms and breach regulations.
Juhee Kwon and M. Eric Johnson. Meaningful Healthcare Security: Does “Meaningful-Use” Attestation Improve Information Security Performance?
Abstract: Voluntary mechanisms are often employed to signal performance of difficult-to-observe management practices. In the healthcare sector, financial incentives linked to “meaningful-use” attestation have been a key policy initiative of the Obama administration to accelerate electronic health record (EHR) system adoption while also focusing providers on protecting sensitive healthcare data. As one of the core requirements, meaningful-use attestation requires healthcare providers to attest to having implemented security mechanisms for assessing the potential risks and vulnerabilities to their data. In this paper, we examine whether meaningful-use attestation is achieving its security objective. Using a propensity score matching technique, we analyze a matched sample of 925 U.S. hospitals. We find that external breaches motivate hospitals to pursue meaningful use and that achieving meaningful use does indeed reduce such breaches. We also find that hospitals that achieve meaningful use observe short-term increases in accidental breaches, but see longer-term reductions. These results have implications for managers and policy makers as well as researchers interested in organizational theory and quality management.
We are pleased to share an upcoming THaW paper to appear next month at IEEE Workshop on Data Usage Management, a workshop colocated with the IEEE Symposium on Security & Privacy in May 2014.
Abstract: Our genome determines our appearance, gender, diseases, reaction to drugs, and much more. It not only contains information about us but also about our relatives, past generations, and future generations. This creates many policy and technology challenges to protect privacy and manage usage of genomic data. In this paper, we identify various features of genomic data that make its usage management very challenging and different from other types of data. We also describe some ideas about potential solutions and propose some recommendations for the usage of genomic data. [pdf]
ZEBRA: Zero-Effort Bilateral Recurring Authentication
Shrirang Mare, Andrés Molina-Markham, Cory Cornelius, Ronald Peterson, and David Kotz
Abstract: Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests.
To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same – the user’s hand movement. In our experiments ZEBRA performed continuous authentication with 85% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90% of users and identified all adversaries within 50 s.
Note: since the time this paper was published we have learned of a relevant trademark on the name “Zebra”. Thus, we have renamed our approach “BRACE” and will use that name in future publications.
Dynamic Searchable Encryption via Blind Storage
Muhammad Naveed, Manoj Prabhakaran, Carl A. Gunter
Abstract: Dynamic Searchable Symmetric Encryption allows a client to store a dynamic collection of encrypted documents with a server, and later quickly carry out keyword searches on these encrypted documents, while revealing minimal information to the server. In this paper we present a new dynamic SSE scheme that is simpler and more efficient than existing schemes while revealing less information to the server than prior schemes, achieving fully adaptive security against honest-but-curious servers.
We implemented a prototype of our scheme and demonstrated its efficiency on datasets from prior work. Apart from its concrete efficiency, our scheme is also simpler: in particular, it does not require the server to support any operation other than upload and download of data. Thus the server in our scheme can be based solely on a cloud storage service, rather than a cloud computation service as well, as in prior work.
In building our dynamic SSE scheme, we introduce a new primitive called Blind Storage, which allows a client to store a set of files on a remote server in such a way that the server does not learn how many files are stored, or the lengths of the individual files; as each file is retrieved, the server learns about its existence(and can notice the same file being downloaded subsequently), but the file’s name and contents are not revealed. This is a primitive with several applications other than SSE, and is of independent interest.
SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks
Michael Rushanan, Aviel D. Rubin, Denis Foo Kune, Colleen M. Swanson
Abstract: Balancing security, privacy, safety, and utility is a necessity in the health care domain, in which implantable medical devices (IMDs) and body area networks (BANs) have made it possible to continuously and automatically manage and treat a number of health conditions, ranging from cardiac arrhythmia to Parkinson’s disease. In this work, we provide a clear definition and overview of the problem space, categorizing relevant research results in academia with respect to threats and identifying trends and directions for future research. We identify three broad research categories aimed at ensuring the security and privacy of the telemetry interface, software, and physiological sensing interface layers. We find that while the security of the telemetry interface has received much attention in academia, both the threat of software exploitation and the sensor interface layer deserve further attention.