The mission of the Trustworthy Health and Wellness (THaW) project was to enable the promise of health and wellness technology by innovating mobile- and cloud-computing systems that respect the privacy of individuals and the trustworthiness of medical information.

Our long-term goal was to facilitate the creation of health and wellness systems that can be trusted by individual citizens to protect their privacy and can be trusted by health professionals to ensure data integrity and security.

Intellectual merit: THaW research spanned a wide range of topics related to security and privacy for mobile and cloud technology in health and wellness contexts, including authentication, access control, intrusion detection, privacy-preserving databases, wearable devices, genomic privacy, hardware security, and more.  The team published more than 118 papers, 10 PhD dissertations, and 19 other documents and books. Most of these publications are online, as is a collection of videos related to our research, at thaw.org. Here are some examples of the THaW project’s scientific contributions, in no particular order.

• We developed Wanda, a novel method for introducing new medical devices (or more generally, the Internet of Things) to a home or enterprise network, in a secure and usable manner.

• We developed a technique for performing queries on sensitive medical data without exposing the data in clear form outside of a trusted server by using a novel application of homomorphic encryption. 

• We surveyed techniques to protect the privacy of genomic data.

• We identified key security concerns in mHealth apps.

• We explored the relationship between data breaches and hospital advertising expenditures, and whether meaningful-use attestation policies improve information security performance.

• We identified cybersecurity vulnerabilities of cardiac implantable electronic devices.

• We demonstrated the danger of smartphone side-channels for smartphones.

• We discovered risks to voice-controlled systems, such as intelligent personal assistants and smart speakers, that may be posed by an adversary using a laser to inject sound into the device microphone.

• We discovered that mechanical components in magnetic hard disk drives behave as microphones with sufficient precision to extract and parse human speech.

• We demonstrated that adversaries can remotely manipulate the temperature sensor measurements of infant incubators and other medical devices by exploiting a vulnerability of electrical components, and how to effectively mitigate the effect to ensure security and safety of these systems.

• We developed CSAW, a novel way to verify the actual user of a desktop computer or smartphone, by comparing the person’s wrist movements with the keystrokes, mouse movements, or phone movements.

• We discovered a new ‘vocal resonance’ method for using a person’s internal body voice (the sound of their voice as measured on the surface of their body) to enable their wearable devices to automatically recognize them – for example, to verify that the correct patient is wearing a medical sensor.

• We developed Sentinel, a tool for protecting connected medical devices by monitoring their internal communication lines for anomalous behavior.

• We built the first systematization of knowledge about analog attacks against sensor circuitry and defenses. The model allows a quantification of risk for designing and evaluating sensors, predicting new attack vectors, and establishing defensive design patterns that make sensors more resistant to analog attacks.

Broader impacts: THaW involved dozens of undergraduate and graduate students in research, engaged high-school classes with mobile-health devices, hosted weekend gatherings for diverse college students interested in pursuing graduate study in computing, hosted international workshops to bring computer-science and health-care communities together around the topic of cybersecurity, established workshops to train medical-device engineers in cybersecurity, provided expertise to government leaders and national societies, convened CISOs from across the industry to engage in information sharing and brainstorming future approaches to securing healthcare platforms, patented several of its innovations, and spun off a start-up company to commercialize THaW technology. Specific examples:

• We conducted several outreach programs involving high-school students in Maryland and New Hampshire, in which the students wore Fitbit activity trackers and learned about the technology inside, as well as the privacy issues that arise from such technology.

• Over 80 students and postdocs engaged in THaW research activities, mentored by the THaW faculty, including at least 10 undergraduate students, 29 graduate students, and 8 postdoctoral scholars.  Many of these mentees are from groups traditionally under-represented in computing, including women and underrepresented minorities.

• We submitted more than 11 patent applications, several of which have already been granted, to encourage and enable eventual commercialization of THaW technology.

• The Archimedes Center for Medical Device Security in Michigan offered a twice-annual training conference on how to integrate THaW security principles into the design of medical devices to clinical engineers and CISOs from hospitals and medical device manufacturers. Over 10,000 people and more than 100 industry organizations attended the events. In addition, we conducted on-site security training for more than 500 medical device engineers over the years.

For more information about the THaW project, please see thaw.org.

Last Modified: 12/18/2020
Modified by: David F Kotz