[Interview] Razvan Bocu, Lecturer & Researcher: A Stringent Challenge – To Securely Collect, Transport, Store & Process Medical Data

Razvan Bocu defcamp 2018

Razvan Bocu, Lecturer and Researcher in the Department of Mathematics and Computer Science of the Transilvania University of Brasov, is one of those multidisciplinary professionals we deeply admire.

His background spans across multiple specializations, with experience and insights to match. Razvan has a Ph.D. in Computer Science (National University of Ireland, Cork, 2010), an MSc in Computer Science (Transilvania University of Brasov, 2006), a BSc in Computer Science (Transilvania University of Brasov, 2005), and a BSc in Sociology (Transilvania University of Brasov, 2007).

Razvan also speaks articulately, with great clarity about infosec research, especially when it comes to medical IoT devices. His presentation – Secure and privacy-preserving data transmission and processing using homomorphic encryption – will give you the chance to learn the inner workings of “an integrated personal health information system that allows secure storage and processing of medical data in the cloud by using a comprehensive homomorphic encryption model to preserve data privacy.”

We’re thrilled to have Razvan with us on stage this year and, in anticipation of the big event next week (we’re so close!), we’re excited to share a bit more about his experience and knowledge through the interview below.
There’s nothing like a specialist’s perspective to clarify perceptions. When it comes to the growth in wearable, connected medical devices and the security risks associated with using them, Razvan has a few key points to make.

I should say that the “huge growth” mostly refers to the numbers of these specialized devices which are produced at the moment. Their generalized adoption in the context of large-scale clinical trials is still not a reality.

Nevertheless, this reality progressively changes towards a wider adoption considering prevention and in-hospital medical procedures.
Although versatile and genuinely useful, these devices pose security risks both for their users and the systems that receive the collected data.

Relative to their users, the risks may be grouped into two categories.
First, they refer to the secure collection, transmission, storage, and processing of the collected personal medical data. An attacker may intercept the radio communication, which some devices generate, or they could simply tamper with the internal storage media of the items that possess this type of architecture. In both cases, invaluable information about personal medical data may be fetched for illegal purposes.

The second category of risks pertain to the discomfort or even more serious physical problems that some wearable devices may induce in some contexts. Thus, some materials may produce chemical reactions, which are likely to provoke skin irritations, allergic responses, or even bacteria buildup in the case of long-term uninterrupted usage. Moreover, electrical shocks or burns represent a possible occurrence, while acoustic sound pressure may irrecoverably affect the patient’s hearing.

Methodical, as you’d expect any respected researcher to be, Razvan not only outlines the challenges but also provides solutions.

The first category of risks can be approached by properly enforcing the required data management measures, such as password-protected access, encryption, or the processing of data in a fully encrypted form, which is called homomorphic encryption.

The second category of potential risks may be tackled with by enforcing the disciplined usage of certified products, which are featured by precautionary design features.

When digging deeper into the vulnerabilities associated with medical IoT devices, we discover that the underlying causes are still tied to human nature. Razvan also provides some specific examples that might trigger your interest to learn more about infosec challenges in this niche.

In the case of medical devices that store their collected data locally, the most obvious type of attack would be the possibility for a malicious third party to physically steal the device or the storage medium. Nevertheless, this represents a smaller part of the landscape, as most of the medical wearable devices are fully connected and send their data to their respective storage and processing systems.

In this case, the danger may come from improperly designed and/or implemented software systems. Nevertheless, more than 70% of the attack surface is created by the improper handling of the devices by their users.

Thus, it is not so uncommon, for example, for the wearable devices’ embedded Internet browsers to be used by unsuspecting users in order to visit websites packed with malware.

Although infusion pumps are the most frequently used type of connected IoT medical device, they account for only two percent of the successfully attacked medical items. The most vulnerable are the imaging devices, and the nurse calling systems.

Furthermore, ransomware attacks that exploit the sub-optimal implementation of resource-sharing protocols, such as Windows’ SMB, is worth to be mentioned.

The failure to properly consider these risk factors may lead to serious incidents.

As an illustration of this, it is relevant to mention SamSam, a ransomware attack that took down the entire municipality of Farmington, New Mexico, and two hospitals – Hancock Health and Adams Memorial – this spring.

With so much data flowing from and through IoT devices and the healthcare industry, a few key challenges emerge as priorities for infosec specialists and other decision-makers. Razvan focuses our view on what matters.

The world of medical data is naturally tied to the concept of big data, in other words, the large amounts of data that is generated by the various user-side medical devices.

I believe that the most stringent challenge is represented by the secure collection, transportation, storage and processing of this data.

This requires the design of software systems that are able to efficiently and securely process the large amounts of collected data. This is not a trivial task, and I may say that homomorphic encryption is one of the few approaches that ensure a complete level of medical data security, with the expense of significant computation, data communication, and storage resources.

Therefore, research efforts should be allocated to the optimization of this category of completely secure models. This is especially important considering that the traditional methods that are involved in the medical data privacy assurance only ensure partial data privacy and are affected by various attack pathways. This assertion is particularly valid in the cloud environments that increasingly become the infrastructure of choice for the storage and processing of the collected medical data.

Medical institutions are prime targets for cyber criminals because of their importance and because of their immediate and severe impact on their vulnerable patients.

If you’re not involved in cybersecurity, you might be wondering: how could anyone target a hospital? The issue is that malicious actors don’t think like the defenders. So learning to contribute to securing medical IoT could be one of the most meaningful missions you can join.

Taking things closer to home brings us to some key recommendations that Razvan has for wisely choosing wearable, connected medical devices.
In his view:

It is not so difficult to ensure a private and pleasant use of such a device.
First, the available options on the market should be analyzed. This may involve the allocation of a research time, but the long-term benefits certainly outweigh the spending of this precious resource.

Thus, it is important to know whether the device stores the collected data locally, or it sends it to a third party for storage and processing. If the data is sent and processed elsewhere, the reputation of this third party, and the security features of their data infrastructure, should be assessed.

It is important to properly analyze and filter smartphone applications before installing and using them through the application stores. This is particularly applicable to the Android’s Play Store, as it imposes less strict acceptance criteria for the available applications. Otherwise, deceivingly useful applications may be installed, which would send the collected data to their malicious owner, without the user even having the slightest clue.

The usual common sense proactive behavior is also recommended. The users should never lend their smart IoT medical devices to untrusted persons, or allow for the stock firmware to be changed if the purpose of this endeavor is not clear and legitimate.

Challenges never lack in the infosec industry – this we know well. We also know that there are not enough defenders yet. As someone who’s been a University teacher for many years, we asked Razvan to give us a bird’s eye view of how interested students really are in pursuing a cyber security career, especially when it comes to research.

The Computer Science students are generally interested in keeping themselves up to date with the developments in the wider field of cybersecurity. Nevertheless, fewer students are interested in dedicating their daily job efforts to this field of study, because it is perceived as a more sophisticated and meticulous activity, which requires a greater degree of design activity.

This does not suggest that they don’t have the required intellectual abilities or skills but rather ascertains that they are more inclined towards jumping into the implementation phase faster.

I would also suggest that the Romanian IT jobs market mostly offers positions that do not seriously value the design and research work, but rather strive for an as quick as possible delivery of the software systems. I appreciate that this is more a problem of perspective, which can be modified if the deciding factors in the Romanian IT industry will start to encourage this kind of efforts, and will accordingly reward them on the salaries scale.

It is encouraging and certain that Romania is capable to easily provide talents for this kind of job, whenever a visionary company would like to consider it for inclusion in their portfolio.

Razvan is definitely the kind of professional we’d enjoy spending countless hours discussing the ins and outs of information security, but we’ll just have to save our questions for DefCamp!

With a few short days left until the event kick-off, we can’t wait to hear more of what you’re expecting the DefCamp experience to be, so don’t be shy and share your thoughts on our social media channels!

See you soon and remember: only 2 days left to get your standard ticket! Prices increase on November 4.

This interview was made by Andra Zaharia. You can get in touch with her on LinkedIn or say hi on Twitter.

DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..