Biomedical Devices and Systems Security

Medical devices have been changing in revolutionary ways in recent years. One is in their form-factor. Increasing miniaturization of medical devices has made them wearable, light-weight, and ubiquitous; they are available for continuous care and not restricted to clinical settings. Further, devices are increasingly becoming connected to external entities through both wired and wireless channels. These two developments have tremendous potential to make healthcare accessible to everyone and reduce costs. However, they also provide increased opportunity for technology savvy criminals to exploit them for fun and profit. Consequently, it is essential to consider medical device security issues. In this paper, we focused on the challenges involved in securing networked medical devices. We provide an overview of a generic networked medical device system model, a comprehensive attack and adversary model, and describe some of the challenges present in building security solutions to manage the attacks. Finally, we provide an overview of two areas of research that we believe will be crucial for making medical device system security solutions more viable in the long run: forensic data logging, and building security assurance cases

SECURING HEALTH CARE INFORMATION SYSTEMS USING VISUALISATION TECHNIQUES (32)

Health care information systems form the backbone of health care infrastructures and are increasingly reliant on medical devices to capture and transmit data. These devices, however, are vulnerable to attacks from the digital domain. The number of differing medical devices and information systems interacting with one another in new and increasingly less secure and disparate ways creates new challenges in information systems security. This work-in-progress paper presents a system design and methodology for modelling data interactions and data flow within the health care infrastructure. The system will increase situational awareness for users of information systems and promote stronger cyber security best practices and policies within this rapidly evolving landscape

Securing Health Care Information Systems using Visualisation Techniques

Health care information systems form the backbone of health care infrastructures and are increasingly reliant on medical devices to capture and transmit data. These devices, however, are vulnerable to attacks from the digital domain. The number of differing medical devices and information systems interacting with one another in new and increasingly less secure and disparate ways creates new challenges in information systems security. This work-in-progress paper presents a system design and methodology for modelling data interactions and data flow within the health care infrastructure. The system will increase situational awareness for users of information systems and promote stronger cyber security best practices and policies within this rapidly evolving landscape

Developing a novel ontology for cybersecurity in internet of medical things-enabled remote patient monitoring

IoT has seen remarkable growth, particularly in healthcare, leading to the rise of IoMT. IoMT integrates medical devices for real-time data analysis and transmission but faces challenges in data security and interoperability. This research identifies a significant gap in the existing literature regarding a comprehensive ontology for vulnerabilities in medical IoT devices. This paper proposes a fundamental domain ontology named MIoT (Medical Internet of Things) ontology, focusing on cybersecurity in IoMT (Internet of Medical Things), particularly in remote patient monitoring settings. This research will refer to similar-looking acronyms, IoMT and MIoT ontology. It is important to distinguish between the two. IoMT is a collection of various medical devices and their applications within the research domain. On the other hand, MIoT ontology refers to the proposed ontology that defines various concepts, roles, and individuals. MIoT ontology utilizes the knowledge engineering methodology outlined in Ontology Development 101, along with the structured life cycle, and estab- lishes semantic interoperability among medical devices to secure IoMT assets from vulnerabilities and cyberattacks. By defining key concepts and relationships, it becomes easier to understand and analyze the complex network of information within the IoMT. The MIoT ontology captures essential key terms and security-related entities for future extensions. A conceptual model is derived from the MIoT ontology and validated through a case study. Furthermore, this paper outlines a roadmap for future research, highlighting potential impacts on security automation in healthcare applications

Medical Internet of Things: A Survey of the Current Threat and Vulnerability Landscape

The Internet of things (IoT) is a system that utilizes the Internet to facilitate communication between sensors and devices. Given the ubiquitous nature of IoT devices, it is seemingly inevitable that IoT would be used as a conduit to transform healthcare. One such medical IoT (mIoT) device that is revolutionizing healthcare is the medical implant device. These mIoT implant devices which control insulin pumps, cardioverter defibrillators and bone growth stimulators have redefined the way patient data is accessed, and healthcare is delivered. These implant devices are a double-edged sword. While they allow for the effective and efficient noninvasive treatment of patients, this external communication makes the medical implants vulnerable to cyberattacks synonymous with IoT devices. As a result, privacy and security vulnerabilities have surfaced as pronounced challenges for mIoT devices. This work summarizes and synthesizes the inherent vulnerabilities associated with mIoT devices and the implications regarding patient safety

Challenges and Research Directions in Medical Cyber-Physical Systems

Medical cyber-physical systems (MCPS) are lifecritical, context-aware, networked systems of medical devices. These systems are increasingly used in hospitals to provide highquality continuous care for patients. The need to design complex MCPS that are both safe and effective has presented numerous challenges, including achieving high assurance in system software, intoperability, context-aware intelligence, autonomy, security and privacy, and device certifiability. In this paper, we discuss these challenges in developing MCPS, some of our work in addressing them, and several open research issue

An assessment of blockchain consensus protocols for the Internet of Things

In a few short years the Internet of Things has become an intrinsic part of everyday life, with connected devices included in products created for homes, cars and even medical equipment. But its rapid growth has created several security problems, with respect to the transmission and storage of vast amounts of customers data, across an insecure heterogeneous collection of networks. The Internet of Things is therefore creating a unique set of risk and problems that will affect most households. From breaches in confidentiality, which could allow users to be snooped on, through to failures in integrity, which could lead to consumer data being compromised; devices are presenting many security challenges to which consumers are ill equipped to protect themselves from. Moreover, when this is coupled with the heterogeneous nature of the industry, and the interoperable and scalability problems it becomes apparent that the Internet of Things has created an increased attack surface from which security vulnerabilities may be easily exploited. However, it has been conjectured that blockchain may provide a solution to the Internet of Things security and scalability problems. Because of blockchain’s immutability, integrity and scalability, it is possible that its architecture could be used for the storage and transfer of Internet of Things data. Within this paper a cross section of blockchain consensus protocols have been assessed against a requirement framework, to establish each consensus protocols strengths and weaknesses with respect to their potential implementation in an Internet of Things blockchain environment

Multidisciplinary Approaches and Challenges in Integrating Emerging Medical Devices Security Research and Education

Traditional embedded systems such as secure smart cards and nano-sensor networks have been utilized in various usage models. Nevertheless, emerging secure deeply-embedded systems, e.g., implantable and wearable medical devices, have comparably larger “attack surface”. Specifically, with respect to medical devices, a security breach can be life-threatening (for which adopting traditional solutions might not be practical due to tight constraints of these often-battery-powered systems), and unlike traditional embedded systems, it is not only a matter of financial loss. Unfortunately, although emerging cryptographic engineering research mechanisms for such deeply-embedded systems have started solving this critical, vital problem, university education (at both graduate and undergraduate level) lags comparably. One of the pivotal reasons for such a lag is the multi-disciplinary nature of the emerging security bottlenecks. Based on the aforementioned motivation, in this work, at Rochester Institute of Technology, we present an effective research and education integration strategy to overcome this issue in one of the most critical deeply-embedded systems, i.e., medical devices. Moreover, we present the results of two years of implementation of the presented strategy at graduate-level through fault analysis attacks, a variant of side-channel attacks. We note that the authors also supervise an undergraduate student and the outcome of the presented work has been assessed for that student as well; however, the emphasis is on graduate-level integration. The results of the presented work show the success of the presented methodology while pinpointing the challenges encountered compared to traditional embedded system security research/teaching integration of medical devices security. We would like to emphasize that our integration approaches are general and scalable to other critical infrastructures as well

Education and Research Integration of Emerging Multidisciplinary Medical Devices Security

Traditional embedded systems such as secure smart cards and nano-sensor networks have been utilized in various usage models. Nevertheless, emerging secure deeply-embedded systems, e.g., implantable and wearable medical devices, have comparably larger “attack surface”. Specifically, with respect to medical devices, a security breach can be life-threatening (for which adopting traditional solutions might not be practical due to tight constraints of these often-battery-powered systems), and unlike traditional embedded systems, it is not only a matter of financial loss. Unfortunately, although emerging cryptographic engineering research mechanisms for such deeply-embedded systems have started solving this critical, vital problem, university education (at both graduate and undergraduate level) lags comparably. One of the pivotal reasons for such a lag is the multi-disciplinary nature of the emerging security bottlenecks. Based on the aforementioned motivation, in this work, at Rochester Institute of Technology, we present an effective research and education integration strategy to overcome this issue in one of the most critical deeply-embedded systems, i.e., medical devices. Moreover, we present the results of two years of implementation of the presented strategy at graduate-level through fault analysis attacks, a variant of side-channel attacks. We note that the authors also supervise an undergraduate student and the outcome of the presented work has been assessed for that student as well; however, the emphasis is on graduate-level integration. The results of the presented work show the success of the presented methodology while pinpointing the challenges encountered compared to traditional embedded system security research/teaching integration of medical devices security. We would like to emphasize that our integration approaches are general and scalable to other critical infrastructures as well