Securing Medical Devices and Protecting Patient Privacy in the Technological Age of Healthcare

Paul Martin, Johns Hopkins University

The healthcare industry has been adopting technology at an astonishing rate. This technology has served to increase the efficiency and decrease the cost of healthcare around the country. While technological adoption has undoubtedly improved the quality of healthcare, it also has brought new security and privacy challenges to the industry that healthcare IT manufacturers are not necessarily fully prepared to address.

This dissertation explores some of these challenges in detail and proposes solutions that will make medical devices more secure and medical data more private. Compared to other industries, the medical space has some unique challenges that add significant constraints on possible solutions to problems. For example, medical devices must operate reliably even in the face of attack. Similarly, due to the need to access patient records in an emergency, strict enforcement of access controls cannot be used to prevent unauthorized access to patient data. Throughout this work we will explore particular problems in depth and introduce novel technologies to address them.

Each chapter in this dissertation explores some aspect of security or privacy in the medical space. We present tools to automatically audit accesses in electronic medical record systems in order to proactively detect privacy violations; to automatically fingerprint network-facing protocols in order to non-invasively determine if particular devices are vulnerable to known attacks; and to authenticate healthcare providers to medical devices without a need for a password in a way that protects against all known attacks present in radio-based authentication technologies. We also present an extension to the widely-used beacon protocol in order to add security in the face of active attackers; and we demonstrate an overhead-free solution to protect embedded medical devices against previously unpreventable attacks that evade existing control-flow integrity enforcement techniques by leveraging insecure built-in features in order to maliciously exploit configuration vulnerabilities in devices.

Speaker Biography

Paul D. Martin developed an interest in technology when he received his first computer at the age of ten. Since then, he has spent much of his time exploring this field. Initially a hobby, computer science quickly became a passion and central part of his life.

Paul received his B.S. and M.S.E. degrees in Computer Science from Johns Hopkins University in 2011 and 2013, respectively. He enrolled in the Computer Science Ph.D. program at Johns Hopkins University in 2011. He was inducted into the Upsilon Pi Epsilon International Computer Science Honor Society in 2013. His research interests include embedded systems security, operating system security, vulnerability analysis, reverse engineering, network protocol analysis, anomaly detection and big-data security analytics.