Abstract
Any biomedical device requiring power from a source other than the human body or gravity is considered an active device. Currently available active biomedical devices encompass an enormous variety of technologies, ranging from large imaging machines to miniature implantable stimulators. These devices are vulnerable to cybersecurity threats, especially those capable of communicating over the internet. An attack exploiting these vulnerabilities can cause a variety of consequences, including data theft, denial-of-service, and serious patient harm. The chapter provides a comprehensive review of cyberattacks on biomedical devices in a hierarchical layered framework (e.g., sensing, communication, and control) with three specific attacks as case studies: (1) MRI unit-based attack, (2) infusion pump-based attack, and (3) implantable medical device attack.
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Badrouchi, F. et al. (2020). Cybersecurity Vulnerabilities in Biomedical Devices: A Hierarchical Layered Framework. In: Raj, P., Chatterjee, J., Kumar, A., Balamurugan, B. (eds) Internet of Things Use Cases for the Healthcare Industry. Springer, Cham. https://doi.org/10.1007/978-3-030-37526-3_7
DOI: https://doi.org/10.1007/978-3-030-37526-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-37525-6
Online ISBN: 978-3-030-37526-3
eBook Packages: Computer Science; Computer Science (R0)