220 likes | 380 Views
Security and Privacy Issues in Wireless Medical Devices . Hossen Mustafa CSCE 824 04/17/13. Wireless Medical Devices. Wireless Medical Devices. Wireless Medical Infrastructure. Research Areas. Wireless security and privacy Medical database security Secure medical systems.
E N D
Security and Privacy Issues in Wireless Medical Devices Hossen Mustafa CSCE 824 04/17/13
Research Areas • Wireless security and privacy • Medical database security • Secure medical systems
Wireless Security and Privacy • Implantable medical device, e.g., pacemaker • No security in transmission between pacemaker and programmer. • As a result, vulnerable to • eavesdropping attack • spoofing attack • battery drain attack
Wireless Security and Privacy • Proposed solution: • The shield acts as a jammer to protect IMD wireless transmissions, known as “Friendly Jamming” • An upcoming publication shows that “Friendly Jamming” cannot provide full protection…
Wireless Security and Privacy • Insulin pumps can be remotely • programmed to inject lethal dose • shut down • Nike+iPod sports kit is vulnerable to • Eavesdropping attack which can hamper location privacy of the user • Spoofing attack which can lead to invalid and inconsistent health data • Onyx fingertip pulse oximeter is vulnerable to • Man-in-the-Middle attack • Jamming Attack
Wireless Security and Privacy • Researchers have proposed • Cryptographic solutions • Friendly jamming to protect legacy devices • RSS-based jamming detection • Detecting spoofed packet using correlation
Research Areas • Wireless security and privacy • Medical database security • Secure medical systems
Medical Database Security • Medical database has different requirements compared to traditional database • Health Insurance Portability and Accountability Act (HIPAA) includes strict privacy and security requirements: • Privacy and Data Confidentiality • Security • Disposal • Media re-use • Accountability • Backup and Storage
Hippocratic Database (HDB) • ‘Most’ compliant with HIPPA • It includes • Active Enforcement • Compliance Auditing • Optimal k-anonymization • Sovereign Information Integration • Privacy-Preserving Data Mining
Privacy Protocol for Linking Distributed Medical Data • Such queries are called private fuzzy queries • The protocol ensures authorized data exchange • Disadvantage: • High overhead • Does not work in case of unique attributes 1. E(attribute <sex, hair color, eyecolor>) 2. For each match, encrypt with public key and add to response 4. Decrypt record with patient private key 3. R = E(records)
Privacy Management in Dynamic Groups • Sensitive health data are often co-managed by different groups of medical employees • Three forms of group dynamics are challenging to privacy • Dynamic Group Members • Diverse Life Span of Teams • Different Levels of Information Sensitivity
Research Areas • Wireless security and privacy • Medical database security • Secure medical systems
Secure Medical Systems • PKI that Rings • Public Key Infrastructure (PKI)-based authentication mechanism using cellular networks • Workflow • The patient calls authentication service (AS) • A challenge is sent to the patient’s cell phone, encrypted with the patient’s public key • The patient decrypts the challenge • The patient prepares response which includes hospitals ID and sends it to AS • AS sends records to the hospital
Secure Medical Systems • A Home Healthcare System in the Cloud • Empowers depressed patients over their treatment process • Works in three steps • Personal monitoring devices monitor and collect patients data • Data are uploaded and stored in the cloud • Data is shared with patient’s health record provider on demand • Uses cryptographic technique to ensure security and privacy
Smartphone! • Smartphone poses a new set of potential problems: • Apps are available for health monitoring using phone sensors, e.g., accelerometer • Apps are being integrated with health monitoring sensors • Apps are being used to keep track of medical records, e.g., blood pressure • Most apps use local storage in the Smartphone for data with NO encryption • Many apps provides server space for keeping health records but does not follow HIPPA guidelines
Requirements for Medical Data • Confidentiality • Fine-grained Access Control • Integrity • Availability • Performance • Logging, Audit Trails, and Provenance • Support for Long Retention and Secure Migration • Backup • Cost
More Requirements… • Secure transmission protocol, specially for wireless transmission • Enforcement of security requirements for upcoming medical devices • Find solutions for legacy (vulnerable) medical device • Bring smartphones under the guidelines of HIPPA