Kevin Fu Associate Professor Security & Privacy Research Lab UMass Amherst Computer Science

Transcription

1 Communicating mhealth Security & Privacy Risks Kevin Fu Associate Professor Security & Privacy Research Lab UMass Amherst Computer Science SITH2, Dartmouth College, May 15, 2012 Supported in part by a Sloan Research Fellowship, NSF CNS , HHS 90TR0003/01. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the NSF. UNIVERSITY OF MASSACHUSETTS AMHERST Department of Computer Science

2 Correctness is easy. Security is hard. Photo by Kevin Fu 2

3 Disclosures n Support from NSF, HHS, DHS, IOM, Microsoft Research, Symantec, McAfee n Visiting scientist, FDA n Board member, NIST ISPAB n Patent pending technology: Ultra-low power flash memory Zero-power security Hat: zazzle.com n This presentation is based on both my own research and the research of others. None of the opinions, findings, or conclusions necessarily reflect the views of my past or present employers. 3

4 mhealth S&P Risks n Bacon theory of wireless mhealth risks Great benefits Great risks n Risks of complacency, unaccountability Sterile technique for mhealth? Culture change? 4

5 Networking + Wireless! Photos from: Medtronic 5

6 Benefits of Wireless, But... Photo by Kevin Medtronic museum 6

7 Wirelessly Induce Fatal Heart Rhythm MHz MICS band, nominal range several meters n Command shock sends 35 J in ~1 msec to the T-wave n Designed to induce ventricular fibrillation n No RF amplification necessary n [Halperin et al., IEEE Symposium on Security & Privacy 2008] spqr.cs.umass.edu Prof. Kevin Fu mhealth Security & Privacy 7

8 Wireless Makes Everything Better? 8 [Photos: uncyclopedia.wikia.com/wiki/bacon & Cisco & bacondujour.blogspot.com]

9 How significant are intentional, malicious malfunctions in software?

10 The Tylenol Scare of 1982 [Source: trutv crime library] 10

11 21 CFR and Security (a)general. The Food and Drug Administration has the authority under the Federal Food, Drug, and Cosmetic Act (the act) to establish a uniform national requirement for tamper-evident packaging of OTC drug products that will improve the security of OTC drug packaging 11

12 Bad People Do Exist: Vandals 12

13

14 Disease to Malware:Days to Hours Slide from Howie Shrobe and others FluTE: Chao et al., PLoS Computational Biology,

15 Privacy: Wardrobe Malfunctions 15

16 Medical Device Cybersecurity 1. Implantable medical devices should be trustworthy 2. Improved security will enable medical device innovation Physicians should their wash hands. Doctors are gentlemen and therefore their hands are always clean. Dr. Ignaz Semmelweis Dr. Charles Meigs

17 Medical Device Cybersecurity 1. Implantable medical devices should be trustworthy 2. Improved security will enable medical device innovation Physicians Medical should devices their should wash be secure. hands. Doctors are You re gentlemen so negative. and therefore There are their no security hands are always problems. clean. Dr. Ignaz Semmelweis Dr. Charles Meigs