Q&A: Dartmouth's mHealth security ace
'At the time at least, smartphones were (a) very novel thing and very relatively incapable.'
Mobile health wearables and sensors present myriad opportunities for improving patient care and increasing patient engagement. They also offer the chance to better manage chronically ill patients remotely. The only problem? It's not that these wearables are scarce. They're not. It's that many just aren't secure.
One Dartmouth computer science professor and researcher is working to change that. David Kotz, champion international professor in Dartmouth's computer science department, who never had intentions to work on mHealth security, is now doing exactly that – working on a research project to address an area often considered to be grossly lacking security.
We caught up with Kotz, who will be speaking at the Healthcare IT News Privacy & Security Symposium, taking place at HIMSS' mHealth Summit Dec. 7 in Washington, D.C., to hear more about his research and what he hopes to see with mHealth network and data security.
Q: Your most recent research focuses on security for wearables and sensors. Could you tell us what you'll be talking about at the Privacy & Security Symposium this December?
A: I'm going to talk about one of my projects in particular called, 'Amulet,' which is a research-orientated effort to look at wrist wearable devices that are meant for body area mobile health sensing – so applications that might run on our platform would likely communicate with sensors or other devices that are worn on the body or are used near the body and aimed at various kinds of health-related monitoring or management activities, like a diabetic monitoring their glucose levels or their diet, or a cardiac heart failure patient monitoring their blood pressure and weight, and maybe some intake. Things like that. Or maybe an athlete who is monitoring their various fitness levels.
And sometimes a person has multiple applications that they need or want to perform, and so our platform, which we envision as sort of a bracelet, will run these applications, communicate with other body area sensing devices and provide the user some data either directly or indirectly through some back-end system, and our focus is on the security and privacy aspect, so how do you make it possible for multiple applications to run on a single platform like that without interfering with each other, without being hampered by some wireless attacker or exposing personal information to wireless eavesdroppers, and although it has some properties of a smartwatch – some of the newer ones can run multiple applications – ours is intended to be completely open for research purposes – and also security-focused, health-focused, not just, you know, showing you your text messages. And also the other big difference is it will be distinct or, let's put is this way: It would be able to be operated or to operate, do its business, without a smartphone present.
[See also: Developers want mHealth security talks.]
Q: There really are a plethora of these wearables and sensors available to consumers now and, increasingly, to patients, so it's not really a question of availability and capability, but rather security. How would you describe the current state of security for these devices? Is it fairly lacking at this point?
A: That's my impression. Obviously, I haven't studied all of them in detail, but my impression is that for the most part security and privacy are low on their priority list for many of these. They're more focused on function or cost or time to market, and making sure that the data is secure and the applications function – whatever that might be – is secure, the network communications are secure, that's really our focus.
Q: You didn't start out in mHealth security. When did mobile device security really pique your interest? How did you come into this area?
A: It's been an evolutionary path, I suppose. For a long time I was working on wireless networks, Wi-Fi networks in particular, and that got me interested in mobile computing applications that use the wireless networks, and also I was involved in a security research center, so I became interested in wireless network security, mature network protocols and the privacy issues that come up when people are mobile and using wireless networks, and you're collecting data about their location or their wireless network activity. And I had a term of sabbatical leave at Dartmouth and started getting interested in what the implications might all of these be for health-related applications, and this was in 2008, and the term 'mHealth' was just beginning to emerge in this interactive debate at the time about whether – or what – it should be called. And so I got really interested in the potential of mHealth, and also – given my background – started focusing on the security, privacy and wireless networks aspects of mHealth. And I suppose the rest is history.
We got interested in wearables in particular because at the time at least, smartphones were (a) very novel thing and very relatively incapable, and if you really wanted to measure health, I thought, you would need to wear something that would measure it, so I've always focused on a multi-device body area network.
[See also: mHealth enters consumer Golden Age.]
Q: Do you and your team have any plans to market this Amulet platform in the near future?
A: At this point it's just a research project funded by the National Science Foundation. It's a collaboration with Clemson University, so researchers there. We do have a patent filed for some of the underlying technology, but for the most part, it's just a research project. We do hope at some point to release the hardware and software in an open way for the researchers to play with, and that doesn't mean we couldn't consider commercializing it as well.