4 research outputs found

    Risk Assessment Framework for Evaluation of Cybersecurity Threats and Vulnerabilities in Medical Devices

    Get PDF
    Medical devices are vulnerable to cybersecurity exploitation and, while they can provide improvements to clinical care, they can put healthcare organizations and their patients at risk of adverse impacts. Evidence has shown that the proliferation of devices on medical networks present cybersecurity challenges for healthcare organizations due to their lack of built-in cybersecurity controls and the inability for organizations to implement security controls on them. The negative impacts of cybersecurity exploitation in healthcare can include the loss of patient confidentiality, risk to patient safety, negative financial consequences for the organization, and loss of business reputation. Assessing the risk of vulnerabilities and threats to medical devices can inform healthcare organizations toward prioritization of resources to reduce risk most effectively. In this research, we build upon a database-driven approach to risk assessment that is based on the elements of threat, vulnerability, asset, and control (TVA-C). We contribute a novel framework for the cybersecurity risk assessment of medical devices. Using a series of papers, we answer questions related to the risk assessment of networked medical devices. We first conducted a case study empirical analysis that determined the scope of security vulnerabilities in a typical computerized medical environment. We then created a cybersecurity risk framework to identify threats and vulnerabilities to medical devices and produce a quantified risk assessment. These results supported actionable decision making at managerial and operational levels of a typical healthcare organization. Finally, we applied the framework using a data set of medical devices received from a partnering healthcare organization. We compare the assessment results of our framework to a commercial risk assessment vulnerability management system used to analyze the same assets. The study also compares our framework results to the NIST Common Vulnerability Scoring System (CVSS) scores related to identified vulnerabilities reported through the Common Vulnerability and Exposure (CVE) program. As a result of these studies, we recognize several contributions to the area of healthcare cybersecurity. To begin with, we provide the first comprehensive vulnerability assessment of a robotic surgical environment, using a da Vinci surgical robot along with its supporting computing assets. This assessment supports the assertion that networked computer environments are at risk of being compromised in healthcare facilities. Next, our framework, known as MedDevRisk, provides a novel method for risk quantification. In addition, our assessment approach uniquely considers the assets that are of value to a medical organization, going beyond the medical device itself. Finally, our incorporation of risk scenarios into the framework represents a novel approach to medical device risk assessment, which was synthesized from other well-known standards. To our knowledge, our research is the first to apply a quantified assessment framework to the problem area of healthcare cybersecurity and medical networked devices. We would conclude that a reduction in the uncertainty about the riskiness of the cybersecurity status of medical devices can be achieved using this framework

    Attack Modeling and Mitigation Strategies for Risk-Based Analysis of Networked Medical Devices

    Get PDF
    The escalating integration of network-enabled medical devices raises concerns for both practitioners and academics in terms of introducing new vulnerabilities and attack vectors. This prompts the idea that combining medical device data, security vulnerability enumerations, and attack-modeling data into a single database could enable security analysts to proactively identify potential security weaknesses in medical devices and formulate appropriate mitigation and remediation plans. This study introduces a novel extension to a relational database risk assessment framework by using the open-source tool OVAL to capture device states and compare them to security advisories that warn of threats and vulnerabilities, and where threats and vulnerabilities exist provide mitigation recommendations. The contribution of this research is a proof of concept evaluation that demonstrates the integration of OVAL and CAPEC attack patterns for analysis using a database-driven risk assessment framework

    Identifying Opportunities to Compromise Medical Devices

    No full text
    The amalgamation of computerized equipment into medical arenas is creating environments that are conducive to security breaches. While previous medical device research has been conducted on medical training equipment, wearable and implantable devices, and on telesurgical systems, there has been minimal research investigating cyber-security vulnerabilities in real-world computer-facilitated surgical environments. The research contribution is an initial empirical analysis of the viability of security vulnerabilities in a computer-facilitated surgical environment. The preliminary results of this investigation generated information that can be used to develop Security Criteria for Integrated Medical Devices

    Understanding De-identification of Healthcare Big Data

    No full text
    In society’s increasingly computerized world, the intensification of electronic data collection is resulting in large volumes of new data (known as big data). This is creating new opportunities for secondary uses of this data, particularly in the healthcare sector. The opportunities for secondary uses of healthcare data include constructive studies, research, policy assessment and other endeavors that could produce beneficial results such as improved healthcare quality and finding cures for diseases. However, protecting the privacy of individuals represented in data presents a challenge to the secondary utility of healthcare data. De-identifying data by removing any information that could be used to uniquely identify individuals is a potential solution to the challenge of protecting individual privacy. Hence, this research identifies a practical process for applying anonymizing techniques through a process model designed to handle requests for healthcare data