By Ty Burke
Photos by Chris Roussakis

The rise of e-health has been rapid. At any given moment, millions of medical devices are keeping patients in constant contact with their health care providers.

These devices and the data they generate can provide a 24/7 record of a patient’s symptoms and vital signs. They make health care more efficient by letting patients know when they need to get to a hospital — and when they don’t.

But no connected device is ever fully secure, and medical devices are no exception. When hackers infiltrate e-health systems, lives literally hang in the balance.

Carleton cybersecurity researchers are working to ensure that these devices and this data are more secure. Systems and Computer Engineering Prof. Mohamed Ibnkahla, the NSERC/Cisco Senior Industrial Research Chair in Sensor Networks for the Internet of Things (IoT), is leading a three-year research project that seeks to identify vulnerabilities in the systems we use to deliver e-health and recommend ways that cyber threats can be mitigated.

“System-level Security for IoT-enabled e-Health Systems” is a $2-million project funded through Defence Research and Development Canada’s Canadian Safety and Security Program. The project has brought Carleton researchers together with partners from the Children’s Hospital of Eastern Ontario (CHEO), Macadamian, CANImmunize, Twelvedot and the National Research Council of Canada.

“Cybersecurity is part of national security,” says Ibnkahla. “E-health is more efficient, but more vulnerable. The threat can be anything. An individual person can be attacked, or the whole system can be attacked. To model the threats, we need to track what’s going on below the surface.”

An Integrated Approach to E-Health Security

To keep pace with the constant evolution of threats, the research project is seeking to establish ways to continuously monitor the entire system.

“Security has always been modular or scattered,” says Ibnkahla. “Network security, physical devices security, data security and user access to the system: all of these areas have been addressed separately. In this project, we’re assessing gaps in the system, including humans and interactions. Security is not just one fix — it’s a whole process and procedure.”

Even if a medical device manufacturer has followed every security standard when designing and manufacturing a device, those standards can’t anticipate every possible threat.

“When the device goes to the external world — to real life — it’s a jungle,” Ibnkahla says. “You put a medical device in a hospital or with a patient and it becomes vulnerable to all types of attacks. A company would not have thought of these particular threats. They designed it according to the standards in a test lab environment, but no one knows what’s going on in this jungle of the IoT. It’s completely unpredictable.”

A Multidisciplinary Search for Solutions

The complexity of the problem demands a multidisciplinary approach. Ibnkahla brings expertise in IoT infrastructure, networking and security to the project, and he has teamed up with fellow Systems and Computer Engineering Prof. Jason Jaskolka, who specializes in security assessment, and Information Technology Prof. Ashraf Matrawy, who specializes in network security.

In order to secure medical devices, it’s critical to know how health care providers are actually using them. Ibnkahla’s team is working with medical and IT teams from CHEO, e-health software developer Macadamian, medical device app builder CANImmunize and security threat modeling and assessment company Twelvedot.

They’ve been developing ways to monitor the “threat surface” on a continuous basis, and providing a best-practices guide to help hospitals, clinicians and patients to ensure they’re being cyber safe.

Some of the biggest threats to system security can be relatively easily solved, according to Ibnkahla.

“Ninety per cent of problems can be avoided by simple procedures,” he says. “For example, don’t leave your device unattended or don’t connect to public WiFi. Many problems can be eliminated by educating people. That can eliminate 90 per cent of the problem.

“The other 10 per cent is probably out of the control of patients. You can improve security without a large budget. It’s not nothing or everything. Through this project, we’ll try to educate people that you cannot compromise on security and that many security threats can be addressed, even with a small budget.”

Thursday, July 18, 2019