CPS: Beyond Usability: Applying Value Sensitive Design Based Methods to Investigate Domain Characteristics for Security for Implantable Cardiac Devices (ACSAC '14)
Tamara Denning, Batya Friedman, Brian Gill, Daniel B. Kramer, Matthew R. Reynolds, Tadayoshi Kohno
Presented By: Saad Hussain

Wireless ICD Security & Impacts [Halperin 2008] [Gollakota 2011]
• Private information
– Obtain serial number, patient name, diagnosis
• Health impacts
– Turn off therapies (defibrillation)
– Induce cardiac fibrillation

Wireless ICD Security
• Need more security
1. No individualized security
2. Demonstrated security vulnerabilities

Securing Implantable Cardiac Devices
More security is needed
• E.g. Proposal: Password on file
Cost: Inaccessibility
– In emergencies
– Travel
– Switching providers

Security: The Science and Art of Tradeoffs
Security Solution "Costs"
Value of Human "Assets"

Implantable Cardiac Devices: Broader Context
• Defense designs require interaction with domain experts
• Exploratory studies surface issues

Additional Elements to Consider During Design
• Stakeholders
• Stakeholder Goals and Values
• Implications for Values
• Communicating Technical Concepts in Comprehensible Ways

Patient Study
• Semi-structured interviews with patients with IMDs
• Investigated patient values and concerns
• Elicited reactions to security system concepts
[Denning 2010]

The Medical Ecosystem: Many Roles, Complex Interactions
• Medical Technicians
• Primary Care Physician
• Electrophysiologist
• Anesthesiologist
• Implanting Surgeon
• Device Manufacturer Representative
• Nurse
• Nurse Practitioner
• Cardiologist
• Emergency Room Staff
• Hospital Billing
• FDA
• Insurance Companies

Qualitative Study Design
• 3 Workshops:
– 24 providers
– Cardiologists, nurses, anesthesiologists, etc.
• Workshop format facilitates:
– Interactive discourse
– Surfacing consensus, tensions
• Group Activities & Paper Instruments

Framework: Value Sensitive Design [Friedman 2006]
• Account for direct and indirect Stakeholders
• Value Dams and Flows

Workshop Format
• Metaphor Generation
• Critiques and Concerns
• Stakeholder Perspectives
• Evaluation of Security System Concepts
• Open-ended Discussion
[Kensing 1991] [Yoo 2013]

Stakeholder Perspective Data Analysis
• Open-ended answers used to develop topic categories
• Independent researcher used categories to code participant responses
• Kappa = 0.745
– > 0.75 is excellent agreement
– 0.40-0.75 is intermediate to good [Fleiss 2003]
– 0.61-0.80 is substantial agreement [Landis 1977]

Stakeholder Perspective Results Inform Security Design
• Access & Sharing
• Compatibility
• Correct Usage
• Device Battery Life
• Device Compactness/Inertness
• Device Ecosystem
• Device Functionality
• Patient/Patient Health
• Programming
• Quality of Data
• Remote Monitoring
• Security & Privacy
• Surgery & Healing
? Human Assets
? Security Costs
1. Assets we want to protect from attack.
2. Costs we want to avoid.

Security System Concepts
• Surveyed literature for proposed security solutions
• Chose representative concepts with varied properties
• Participants:
– Provided overall evaluations
– Commented on properties

Disliked System Concepts: Uncovering Security System Costs
• Medical Alert Bracelet with Password
• UV-Visible Tattoo with Password
• Criticality-Aware IMD
[Denning 2010] [Schechter 2010] [Gupta 2006]
? Security Costs

Positive Properties (of Disliked Systems)
↑ Facilitates emergency access
↑ Reassures patient
↑ Not visible
↑ Cheap
↑ No patient effort
↑ Always present

Negative Properties
↓ Access is not guaranteed
↓ Cultural, social, or personal objections
↓ Broadcasts patient condition to others
↓ Potential impact on battery life

Liked System Concept: Uncovering Security System Costs
[Denning 2008] [Gollakota 2011] [Xu 2011]
Fail-Open Wristband with Safety Features
• Presence blocks unauthorized access
• In its absence, system fails into an open state and accepts all communications

Fail-Open Wristband with Safety Features
↑ Fail-open
↑ Safety features
↑ Security
↑ Empowers patient
↑ Visual cue
↓ Security
↓ Maintenance
↓ 911 false positives
↓ Visual indicator
↓ Training
↓ Expense

Human-Centric Investigation Indicates Security Costs to Avoid
Security Solution Costs
• Inaccessibility
• Money (→ denied claims)
• Patient comfort + mental health
• Implant size
• Battery life
• Patient privacy
• Infection
• Incompatibility

Discussion Questions
• What are the key contributions of this paper?
• Should a security design hinge upon patients being able to choose whether or not they wish to comply?
• What are the repercussions if a company's IMD is attacked, and security was optional?