Safeguarding Data in a Technology-Based World

Technology advancements, while useful, can follow people everywhere, from medical devices that constantly monitor blood sugar to cardiac pacemakers that measure heart activity. This technology has allowed for large strides in identifying health concerns and measuring the effectiveness of treatment—but with more medical data comes increased cybersecurity threats. 

Daniel Votipka, Lin Family Assistant Professor of the Department of Computer Science and co-director of the Tufts Security and Privacy Lab, has recently led multiple research efforts to better understand and prevent cybersecurity risks in clinical settings and medical devices, while also evaluating the effectiveness of current methods to fix problems that affect data privacy and security. Based on surveys and experiments involving healthcare workers, medical device users, system administrators, and vulnerability analysis, Votipka and his collaborators have made recommendations to improve cybersecurity in an increasingly data-driven world.  

Building on the strength of current cybersecurity research at Tufts, the School of Engineering recently launched a new master’s in cybersecurity program. The offering pulls expertise from Votipka and other faculty members who have been involved in cybersecurity research and policy advocacy for many years. 

“Understanding how people perceive and prevent cybersecurity threats is a crucial step in protecting data and preventing harm in our rapidly interconnected age when more and more systems bridge the cyber-physical boundary,” said Votipka. “Even with the best security technology, if it is not well understood and usable, it’s not going to get set up correctly–and might not even be used. We work to identify these factors as they apply to different unique settings to produce appropriate and actionable insights to improve current cybersecurity systems and protocols.”

Advancing clinical and medical cybersecurity

Confidentiality, integrity, and availability of information and data in a hospital setting are crucial to providing effective care. However, in a realistic and typically stressful clinical setting, following proper cybersecurity protocols is often not a priority.  

Votipka recently led a study that interviewed practitioners, nurses, and physicians in the U.S. to investigate how clinical staff approach and perceive threats to patient security. Votipka will present the study, titled "Your imaging may be stone-cold normal, but if they look sick, they’re going to get admitted": An Investigation of Clinicians’ Perceptions of Impact & Likelihood of Security Failures,” at the 2026 USENIX Security Symposium. 

The team’s results showed that participants identified system downtime or system failures as the most likely threats, and also as the most dangerous. For example, when systems are down, hospital staff might resort to collecting information and data by hand on paper or using personal devices for treatment. 

Based on the study, the researchers recommend healthcare security be designed for clinical reality, as current protocols often leave clinical professionals with a “false choice” to follow security protocol or deliver immediate care. For example, in an emergency, nonessential security controls could be temporarily relaxed, with actions reviewed after the event, or the digital equivalent of the “crash cart” clinicians use in medical emergencies could be created, which provides quick access to medications that would otherwise require additional authorization. 

Internet-connected medical devices introduce their own complex cybersecurity risks, specifically with informed consent. Healthcare providers are typically responsible for communicating risks to patients, despite lacking specialized cybersecurity training. In a separate study, titled “Beyond Clinical Risk: An Experimental Study of Cybersecurity Informed Consent and Patient Choice for Connected Medical Devices,” Votipka and his collaborators surveyed medical device users from Prolific to understand how they weigh cybersecurity risk information. He will present the findings at the 2026 Association of Computing Machinery (ACM) conference on Human Factors in Computing Systems. 

The survey showed that participants’ trust in their physician and whether the cybersecurity risk was framed as a threat to physical safety were the most important factors in deciding to continue using or deactivating a medical device. The researchers recommend that providing risk information tailored towards educating providers, as opposed to patients, is more helpful for patient decision making, and that regulators and manufactures of medical devices embrace transparency, as their study showed that highlighting security disclosures did not reduce participants’ clinical trust.  

Identifying and resolving security issues

When it comes to software, researchers have developed methods to identify vulnerabilities–one being a graphical user interface (GUI), which vulnerability analysts use to interact with software elements by selecting parts of the program to focus on and adjusting settings through controls on-screen. However, the effectiveness of GUI has not been well-studied. 

Through a study with 24 experienced vulnerability analysts, Votipka and his collaborators aimed to understand how GUI affected human performance compared to other methods that require more time and computational energy. They found that GUI-based features meaningfully improved the participants performance by reducing mental and operational effort, making it easier to intervene to guide path development. This led to better vulnerability discovery with more accuracy in less time, compared to those using a software engineering-based method.

The study, titled, “I Can SE Clearly Now: Investigating the Effectiveness of GUI-based Symbolic Execution for Software Vulnerability Discovery,” will also be presented at the ACM Human Factors in Computing Systems conference. 

Cybersecurity in a data-driven world

To better protect data in a world that is increasingly more technology-based, investigating the current barriers, risks, and approaches to cybersecurity can provide insight as to where to start. These surveys and studies provide foundational knowledge that can be used to inform improvements and policies in clinical settings, medical devices, and other systems and software.  

The Tufts Security and Privacy Lab (TSP) focuses on how people build, operate, use, and defend systems. Learn more about TSP and Votipka’s work.