CPS: Beyond Usability: Applying Value Sensitive Design Based Methods to Investigate Domain Characteristics for Security for Implantable Cardiac Devices
Slides (48 pages) · tdenning/files/slides/denning... · 2014-12-18


Page 1: CPS: Beyond Usability (tdenning/files/slides/denning..., 2014-12-18)

CPS: Beyond Usability: Applying Value Sensitive Design Based Methods to Investigate Domain Characteristics for Security for Implantable Cardiac Devices

Tamara Denning (1), Batya Friedman (2), Brian Gill (3), Daniel B. Kramer (4), Matthew R. Reynolds (5), Tadayoshi Kohno (2)

(1) University of Utah
(2) University of Washington
(3) Seattle Pacific University
(4) Beth Israel Deaconess Medical Center
(5) Harvard Clinical Research Institute

Page 2: Implantable Cardiac Devices

• Pacemakers
  – Correct for slow heart rhythms
  – Correct for no heart rhythm

• Implantable Cardioverter-Defibrillators
  – "Reset" potentially fatal heart rhythms

Page 3: Wireless ICD Security & Impacts

• Private information
  – Obtain serial number, patient name, diagnosis

• Health impacts
  – Turn off therapies (defibrillation)
  – Induce cardiac fibrillation

[Halperin 2008] [Gollakota 2011]

Page 4: Wireless ICD Security

• Need more security
  1. No individualized security
  2. Demonstrated security vulnerabilities

Pages 5-8: Securing Implantable Cardiac Devices

More security is needed

• Proposal: Password on file

Cost: Inaccessibility
  – In emergencies
  – Travel
  – Switching providers

Pages 9-11: Security: The Science and Art of Tradeoffs

Security Solution "Costs"

Value of Human "Assets"

Page 12: Implantable Cardiac Devices: Broader Context

• Defense designs require interaction with domain experts

• Exploratory studies surface issues

Page 13: Quantitative Research

How much?

Pages 14-15: Qualitative Research

How much of what?

Why?

Page 16: Human-Centric Investigation: Implantable Cardiac Devices

• Question: What are relevant costs (to avoid) with respect to security systems for implantable cardiac devices?

? Security Costs

Page 17: Patient Study

• Semi-structured interviews with patients with IMDs

• Investigated patient values and concerns

• Elicited reactions to security system concepts

[Denning 2010]

Page 18: The Medical Ecosystem: Many Roles, Complex Interactions

Medical Technicians
Primary Care Physician
Cardiologist
Electrophysiologist
Implanting Surgeon
Anesthesiologist
Device Manufacturer Representative
Nurse
Nurse Practitioner
Emergency Room Staff
Hospital Billing
FDA
Insurance Companies

Pages 19-26: Informing Security Research via Studying the Application Domain

• Richness of underlying issues
  – Stakeholder priorities
  – Terminology
  – Concerns
  – Constraints
  – Security system properties
  – Patient insights

Design better security solutions

Pages 27-29: Framework: Value Sensitive Design

Account for people's values

Account for direct and indirect stakeholders

Technical Investigations

Empirical Investigations

Conceptual Investigations

[Friedman 2006]

Page 30: Qualitative Study Design

• 3 Workshops:
  – 24 providers
  – Cardiologists, nurses, anesthesiologists, etc.

• Workshop format facilitates:
  – Interactive discourse
  – Surfacing consensus, tensions

• Group Activities & Paper Instruments

Pages 31-32: Workshop Format

• Stakeholder Perspectives
• Metaphor Generation
• Critiques and Concerns
• Evaluation of Security System Concepts
• Open-ended Discussion

[Kensing 1991] [Yoo 2013]

Page 33: Stakeholder Perspective Data Analysis

• Open-ended answers used to develop topic categories

• Independent researcher used categories to code participant responses

• Kappa = 0.745
  – >0.75 is excellent agreement; 0.40-0.75 is intermediate to good [Fleiss 2003]
  – 0.61-0.80 is substantial agreement [Landis 1977]
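As an added example, not code from the slides or the study: the agreement statistic quoted above is Cohen's kappa, and the block below computes it from two coders' raw labels and reads the result on the two scales the slide cites. The category names are taken from the results slide; the 20 codings are constructed sample data, not the study's data, and the function names are this example's own.

```python
"""Cohen's kappa for two coders assigning topic categories to free-text answers.

Added example, not code from the slides or the study: computes the
inter-rater agreement statistic the slide reports (kappa = 0.745) from raw
codings and maps it onto the two interpretation scales the slide cites.
The category names are taken from the results slide; the 20 codings below
are constructed sample data, not the study's data.
"""
from collections import Counter

# Constructed sample: 20 participant responses, each labelled by the primary
# coder (A) and by the independent second coder (B).
CODER_A = (["Access & Sharing"] * 7 + ["Device Battery Life"] * 5
           + ["Security & Privacy"] * 6 + ["Compatibility"] * 2)
CODER_B = (["Access & Sharing"] * 6 + ["Security & Privacy"]      # one A->S slip
           + ["Device Battery Life"] * 4 + ["Compatibility"]      # one B->C slip
           + ["Security & Privacy"] * 5 + ["Access & Sharing"]    # one S->A slip
           + ["Compatibility"] + ["Device Battery Life"])         # one C->B slip


def cohens_kappa(labels_a, labels_b):
    """Return (kappa, observed_agreement, chance_agreement) for two coders.

    kappa = (p_o - p_e) / (1 - p_e), where p_o is the fraction of items the
    coders agreed on and p_e is the agreement expected if each coder drew
    categories independently at their own marginal rates.
    """
    if not labels_a or len(labels_a) != len(labels_b):
        raise ValueError("need two non-empty label sequences of equal length")
    n = len(labels_a)
    p_o = sum(a == b for a, b in zip(labels_a, labels_b)) / n
    marg_a, marg_b = Counter(labels_a), Counter(labels_b)
    p_e = sum(marg_a[c] * marg_b[c] for c in set(marg_a) | set(marg_b)) / (n * n)
    if p_e == 1.0:
        # Both coders used a single category for everything: agreement is
        # total but uninformative; report kappa = 1 rather than divide by zero.
        return 1.0, p_o, p_e
    return (p_o - p_e) / (1.0 - p_e), p_o, p_e


def interpret_fleiss(kappa):
    """Bands quoted on the slide from [Fleiss 2003]: >0.75 excellent,
    0.40-0.75 intermediate to good, below that poor."""
    if kappa > 0.75:
        return "excellent"
    if kappa >= 0.40:
        return "intermediate to good"
    return "poor"


def interpret_landis_koch(kappa):
    """Full [Landis 1977] scale; the slide quotes its 0.61-0.80 'substantial' band."""
    if kappa < 0:
        return "poor"
    for upper, label in ((0.20, "slight"), (0.40, "fair"),
                         (0.60, "moderate"), (0.80, "substantial")):
        if kappa <= upper:
            return label
    return "almost perfect"


def agreement_report(labels_a, labels_b):
    """Kappa plus both readings, as a dict."""
    kappa, p_o, p_e = cohens_kappa(labels_a, labels_b)
    return {
        "n": len(labels_a),
        "observed": p_o,
        "chance": p_e,
        "kappa": kappa,
        "fleiss": interpret_fleiss(kappa),
        "landis_koch": interpret_landis_koch(kappa),
    }


if __name__ == "__main__":
    r = agreement_report(CODER_A, CODER_B)
    print(f"n={r['n']} p_o={r['observed']:.3f} p_e={r['chance']:.3f} "
          f"kappa={r['kappa']:.3f} ({r['fleiss']}; {r['landis_koch']})")
    # The slide's own figure, read on the same two scales:
    print("0.745:", interpret_fleiss(0.745), "/", interpret_landis_koch(0.745))
```

On the constructed sample the coders agree on 16 of 20 items (p_o = 0.80) against a chance rate of 0.285, giving kappa of about 0.72: the same two bands as the slide's 0.745, "intermediate to good" on the Fleiss scale and "substantial" on Landis and Koch. Raw percent agreement alone would have overstated the result, which is the reason a kappa is reported for qualitative coding.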

Pages 34-35: Stakeholder Perspective Results Inform Security Design

• Access & Sharing
• Compatibility
• Correct Usage
• Device Battery Life
• Device Compactness / Inertness
• Device Ecosystem
• Device Functionality
• Patient / Patient Health
• Programming
• Quality of Data
• Remote Monitoring
• Security & Privacy
• Surgery & Healing

1. Assets we want to protect from attacks
   ? Human Assets

2. Costs we want to avoid
   ? Security Costs

Page 36: Workshop Format: Evaluation of Security System Concepts

[Kensing 1991] [Yoo 2013]

Page 37: Security System Concepts

• Surveyed literature for proposed security solutions

• Chose representative concepts with varied properties

• Participants:
  – Provided overall evaluations
  – Commented on properties

Pages 38-40: Disliked System Concepts: Uncovering Security System Costs

• Medical Alert Bracelet with Password
• UV-Visible Tattoo
• Criticality-Aware IMD

? Security Costs

[Denning 2010] [Schechter 2010] [Gupta 2006]

Pages 41-42: Disliked System Concepts: Uncovering Security System Costs

Positive Properties (of Disliked Systems)
↑ Facilitates emergency access
↑ Reassures patient
↑ Not visible
↑ Cheap
↑ No patient effort
↑ Always present

Negative Properties
↓ Access is not guaranteed
↓ Cultural, social, or personal objections
↓ Broadcasts patient condition to others
↓ Potential impact on battery life

? Security Costs

Pages 43-44: Liked System Concept: Uncovering Security System Costs

Fail-Open Wristband with Safety Features

• Presence blocks unauthorized access

• In its absence, system fails into an open state: accepts all communications

↑ Fail-open
↑ Safety features
↑ Security
↑ Empowers patient
↑ Visual cue

↓ Security
↓ Maintenance
↓ 911 false positives
↓ Visual indicator
↓ Training
↓ Expense

[Denning 2008] [Gollakota 2011] [Xu 2011]
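As an added example, not code from the slides or the cited papers: the block below models the fail-open wristband at exactly the level the slide states it (gate on credentials while the wristband is present, accept everything when it is absent) next to the "password on file" proposal from earlier in the deck, modelled as always-require-credentials, and runs both over a set of constructed scenarios. It then sorts each policy's failures into the two costs the deck weighs against each other, inaccessibility and security. The Request fields, the scenario names, and the assumption that an attacker can make the wristband appear absent are this example's own.

```python
"""Fail-open vs. fail-closed access control for an implant, as a policy check.

Added example, not code from the slides or the cited papers. It models the
fail-open wristband at the level the slide states it (while the wristband is
present only credentialed programmers get through; when it is absent the
implant accepts all communications) next to the "password on file" concept
from earlier in the deck, modelled as always-require-credentials. The
Request fields, scenario names and cost labels are assumptions made for
this illustration; the scenarios are constructed, not study data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    actor: str               # who is talking to the implant
    legitimate: bool         # access the patient would want (clinician, ER)
    has_credentials: bool    # presents a credential the gate accepts
    wristband_present: bool  # wristband on the patient and functioning


def fail_open_wristband(req):
    """Wristband concept: gate on credentials while present, accept all when absent."""
    if not req.wristband_present:
        return True
    return req.has_credentials


def password_on_file(req):
    """Fail-closed baseline: credentials or nothing, whatever the situation."""
    return req.has_credentials


# Constructed scenarios covering routine care, emergencies and attackers.
# (Assumption: an attacker can remove or otherwise defeat the wristband.)
SCENARIOS = {
    "clinic follow-up, credentialed programmer":
        Request("cardiologist", True, True, True),
    "ER, patient unconscious, wristband on, no credentials":
        Request("ER staff", True, False, True),
    "ER, staff remove the wristband, no credentials":
        Request("ER staff", True, False, False),
    "attacker in public, wristband on":
        Request("attacker", False, False, True),
    "attacker removes or defeats the wristband":
        Request("attacker", False, False, False),
    "attacker with stolen credentials":
        Request("attacker", False, True, True),
}


def evaluate(policy, scenarios=SCENARIOS):
    """Return the scenarios a policy gets wrong, split by the two costs the
    deck weighs against each other: inaccessibility (a legitimate request
    denied) and security (an illegitimate request granted)."""
    denied_legitimate, granted_illegitimate = [], []
    for name, req in scenarios.items():
        granted = policy(req)
        if req.legitimate and not granted:
            denied_legitimate.append(name)
        if not req.legitimate and granted:
            granted_illegitimate.append(name)
    return {"inaccessibility": denied_legitimate, "security": granted_illegitimate}


if __name__ == "__main__":
    for policy in (fail_open_wristband, password_on_file):
        print(policy.__name__)
        for cost, names in evaluate(policy).items():
            for name in names:
                print(f"  {cost:<16} {name}")
```

Run side by side, the two policies fail in different places: the fail-closed password pays in inaccessibility (both emergency scenarios are refused), while the fail-open wristband pays in security (an attacker who can make the wristband disappear is let in), which is the ↓ Security item on the slide. Both admit an attacker holding valid credentials, and the wristband still refuses emergency staff who do not know to remove it, which is where the slide's Training and Visual indicator tensions come from.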

Page 45: Human-Centric Investigation Indicates Security Costs to Avoid

Security Solution Costs
  – Inaccessibility
  – Money (→ denied claims)
  – Patient privacy
  – Implant size
  – Incompatibility
  – Infection
  – Patient comfort + mental health
  – Battery life

Page 46: Human-Centric Investigation: Implantable Cardiac Devices

• Study indicates security costs to avoid when designing security solutions

• Additional features (e.g., safety) may entice buy-in

• Tensions exist (e.g., visual indicators)

Page 47: Beyond Implantable Cardiac Devices

Sensors

Connectivity

Actuators

Usage Scenario

Page 48: Human-Centric Investigation: Implantable Cardiac Devices

• Study indicates security costs to avoid when designing security solutions

• Additional features (e.g., safety) may entice buy-in

• Tensions exist (e.g., visual indicators)

• Defense designs require interaction with domain experts

• Exploratory studies surface issues