CPS: beyond usability: applying value sensitive design based methods to investigate domain characteristics for security for implantable cardiac devices

Wireless implantable medical devices (IMDs) are cyber-physical systems that deliver life-saving treatments to cardiac patients with dangerous heart conditions. Current access control models for these systems are insufficient; more security is necessary. In response to this problem, the technical security community has investigated new directions for improving security on these resource-constrained devices. Defenses, however, must not only be technically secure; in order to be deployable, defenses must be designed to work within the needs and constraints of their relevant application spaces. Designing for an application space---particularly a specialized one---requires a deep understanding of the stakeholders, their values, and the contexts of technology usage. Grounding our work in value sensitive design (VSD), we collaborated as an interdisciplinary team to conduct three workshops with medical providers for the purpose of gathering their values and perspectives. The structure of our workshop builds on known workshop structures within the human-computer interaction (HCI) community, and the number of participants in our workshops (N=24) is compatible with current practices for inductive, exploratory studies. We present results on: what the participants find important with respect to providing care and performing their jobs; their reactions to potential security system concepts; and their views on what security system properties should be sought or avoided due to side effects within the context of their work practice. We synthesize these results, use the results to articulate design considerations for future technical security systems, and suggest directions for further research. Our research not only provides a contribution to security research for an important class of cyber-physical systems (IMDs); it also provides an example of leveraging techniques from other communities to better explore the landscape of security designs for technologies.
