25 research outputs found

    Medical Cyber-Physical Systems Development: A Forensics-Driven Approach

    The synthesis of technology and the medical industry has partly contributed to the increasing interest in Medical Cyber-Physical Systems (MCPS). While these systems provide benefits to patients and professionals, they also introduce new attack vectors for malicious actors (e.g. financially- and/or criminally-motivated actors). A successful breach involving a MCPS can impact patient data and system availability. The complexity and operating requirements of a MCPS complicates digital investigations. Coupling this information with the potentially vast amounts of information that a MCPS produces and/or has access to is generating discussions on, not only, how to compromise these systems but, more importantly, how to investigate these systems. The paper proposes the integration of forensics principles and concepts into the design and development of a MCPS to strengthen an organization's investigative posture. The framework sets the foundation for future research in the refinement of specific solutions for MCPS investigations. Comment: This is the pre-print version of a paper presented at the 2nd International Workshop on Security, Privacy, and Trustworthiness in Medical Cyber-Physical Systems (MedSPT 2017

    Turned On / Turned Off: Speculating on the Microchip-based Contraceptive Implant

    For over 50 years, hormone-based contraceptives have allowed women to control their fertility, thus reconfiguring society and how women relate to their body. On the horizon are long-life microchip-based implanted contraceptives that can be turned on and off, which may further the societal disruptions of "the pill". Framed as interactive technology, we speculate on the design space of controllable implanted contraceptives. We explored existing implanted contraceptives through a performance ethnography of their implantation. Inspiration from this process informed a speculative video of living with controllable implants and a guide for healthcare professionals. These materials, along with expert presentations, backgrounded a design workshop in which participants unpacked issues around controllable contraceptive implants. Participants created and roleplayed physical mock-ups of controllers, manifesting discussions around security, relationships and hormones. Drawing from the outcomes of the workshop, we produce a speculative design in the form of a film and physical mock-ups

    Attack-Graph Threat Modeling Assessment of Ambulatory Medical Devices

    The continued integration of technology into all aspects of society stresses the need to identify and understand the risk associated with assimilating new technologies. This necessity is heightened when technology is used for medical purposes like ambulatory devices that monitor a patient’s vital signs. This integration creates environments that are conducive to malicious activities. The potential impact presents new challenges for the medical community. Hence, this research presents attack graph modeling as a viable solution to identifying vulnerabilities, assessing risk, and forming mitigation strategies to defend ambulatory medical devices from attackers. Common and frequent vulnerabilities and attack strategies related to the various aspects of ambulatory devices, including Bluetooth enabled sensors and Android applications are identified in the literature. Based on this analysis, this research presents an attack graph modeling example on a theoretical device that highlights vulnerabilities and mitigation strategies to consider when designing ambulatory devices with similar components.

    A Lightweight Cryptographic System for Implantable Biosensors

    This paper presents a lightweight cryptographic system integrated onto a multi-function implantable biosensor prototype. The resulting heterogeneous system provides a unique and fundamental capability by immediately encrypting and signing the sensor data upon its creation within the body. By providing these security services directly on the implantable sensor, a number of low-level attacks can be prevented. This design uses the recently standardized SHA-3 Keccak secure hash function implemented in an authenticated encryption mode. The security module consists of the DuplexSponge security core and the interface wrapper. The security core occupies only 1550 gate-equivalents, which is the smallest authenticated encryption core reported to date. The circuit is fabricated using 0.18 μm CMOS technology and uses a supply voltage of 1.8 V. The simulated power consumption of the complete cryptosystem with a 500 KHz clock is below 7 μW

    Digital Investigation of Security Attacks on Cardiac Implantable Medical Devices

    A Cardiac Implantable Medical device (IMD) is a device, which is surgically implanted into a patient's body, and wirelessly configured using an external programmer by prescribing physicians and doctors. A set of lethal attacks targeting these devices can be conducted due to the use of vulnerable wireless communication and security protocols, and the lack of security protection mechanisms deployed on IMDs. In this paper, we propose a system for postmortem analysis of lethal attack scenarios targeting cardiac IMDs. Such a system reconciles in the same framework conclusions derived by technical investigators and deductions generated by pathologists. An inference system integrating a library of medical rules is used to automatically infer potential medical scenarios that could have led to the death of a patient. A Model Checking based formal technique allowing the reconstruction of potential technical attack scenarios on the IMD, starting from the collected evidence, is also proposed. A correlation between the results obtained by the two techniques allows to prove whether a potential attack scenario is the source of the patient's death. Comment: In Proceedings AIDP 2014, arXiv:1410.322

    Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem

    The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. For the prevention of cybersecurity incidents, it is important to recognize the complexity of the operational environment as well as to catalog the technical vulnerabilities. Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. A review of the factors that contribute to such a potentially insecure environment, together with the identification of the vulnerabilities, is important for understanding why these vulnerabilities persist and what the solution space should look like. This multifaceted problem must be viewed from a systemic perspective if adequate protection is to be put in place and patient safety concerns addressed. This requires technical controls, governance, resilience measures, consolidated reporting, context expertise, regulation, and standards. It is evident that a coordinated, proactive approach to address this complex challenge is essential. In the interim, patient safety is under threat

    Analysis of Safety-Critical Computer Failures in Medical Devices

    Incidents due to malfunctioning medical devices are a major cause of serious injury and death in the United States. During 2006–2011, 5,294 recalls and around 1.2 million adverse events were reported to the U.S. Food and Drug Administration (FDA). Almost 23% of these recalls were due to computer-related failures, of which around 94% presented medium-to-high risk of severe health consequences (such as serious injury or death) to patients. This paper investigates the causes of failures in computer-based medical devices and their impact on patients, by analyzing human-written descriptions of recalls and adverse event reports, obtained from public FDA databases. We characterize computer-related failures by deriving fault classes, failure modes, recovery actions, and number of devices affected by the recalls. This analysis is used as a basis for identifying safety issues in life-critical medical devices and providing insights on the future challenges in the design of safety-critical medical devices. Princeton/MARCO / 2009-DT-2049; Stanford/DTRA / 27451040-49741-AOpe