Cybersecurity Vulnerabilities in Biomedical Devices: A Hierarchical Layered Framework

  • Chapter
Internet of Things Use Cases for the Healthcare Industry

Abstract

Any biomedical device requiring power from a source other than the human body or gravity is considered an active device. Currently available active biomedical devices encompass an enormous variety of technologies, ranging from large imaging machines to miniature implantable stimulators. These devices are vulnerable to cybersecurity threats, especially those capable of communicating with an internet network. An attack exploiting these vulnerabilities can have a variety of consequences, including data theft, denial of service, and serious patient harm. The chapter provides a comprehensive review of cyberattacks on biomedical devices in a hierarchical layered framework (e.g., sensing, communication, and control), with three specific attacks as case studies: (1) an MRI unit-based attack, (2) an infusion pump-based attack, and (3) an implantable medical device attack.

Corresponding author

Correspondence to P. Ranganathan.

Copyright information

© 2020 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Badrouchi, F. et al. (2020). Cybersecurity Vulnerabilities in Biomedical Devices: A Hierarchical Layered Framework. In: Raj, P., Chatterjee, J., Kumar, A., Balamurugan, B. (eds) Internet of Things Use Cases for the Healthcare Industry. Springer, Cham. https://doi.org/10.1007/978-3-030-37526-3_7

  • DOI: https://doi.org/10.1007/978-3-030-37526-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37525-6

  • Online ISBN: 978-3-030-37526-3

  • eBook Packages: Computer Science, Computer Science (R0)
