Cybersecurity of healthcare IoT-based systems: Regulation and case-oriented assessment

Strielkina, Anastasiia; Illiashenko, Oleg; Zhydenko, Marina; Uzun, Dmytro

doi:10.1109/dessert.2018.8409101

Cited by 35 publications

(15 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Patient privacy and safety must be preserved while data transfers to medical personnel remain easy to manage [51]. Data transfers should be encrypted from end to end during the transfer of configurations, commands, and private health data [52].…”

Section: Security Requirements Needed For Medical Implant Devicesmentioning

confidence: 99%

Medical Internet of Things: A Survey of the Current Threat and Vulnerability Landscape

McGowan

Sittig

Andel

2021

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

The Internet of things (IoT) is a system that utilizes the Internet to facilitate communication between sensors and devices. Given the ubiquitous nature of IoT devices, it is seemingly inevitable that IoT would be used as a conduit to transform healthcare. One such medical IoT (mIoT) device that is revolutionizing healthcare is the medical implant device. These mIoT implant devices which control insulin pumps, cardioverter defibrillators and bone growth stimulators have redefined the way patient data is accessed, and healthcare is delivered. These implant devices are a double-edged sword. While they allow for the effective and efficient noninvasive treatment of patients, this external communication makes the medical implants vulnerable to cyberattacks synonymous with IoT devices. As a result, privacy and security vulnerabilities have surfaced as pronounced challenges for mIoT devices. This work summarizes and synthesizes the inherent vulnerabilities associated with mIoT devices and the implications regarding patient safety.

show abstract

Section: Security Requirements Needed For Medical Implant Devicesmentioning

confidence: 99%

Medical Internet of Things: A Survey of the Current Threat and Vulnerability Landscape

McGowan

Sittig

Andel

2021

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…There are some U.S regulations like Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act, centred in healthcare data regulation but they usually do not present any clear indications on how to protect private information or cybersecurity measures to be taken into account. This establishes the necessity of new cybersecurity industry standards like the proposed by Strielkina et al [10]. These standards should be included in mandatory healthcare regulations, independent of novel technological solutions, forcing new IoT healthcare devices to be cybersecurity compliant.…”

Section: Related Workmentioning

confidence: 99%

Security and privacy issues of data-over-sound technologies used in IoT healthcare devices

Cilleruelo

Junquera-Sánchez

de‐Marcos

et al. 2021

2021 IEEE Globecom Workshops (GC Wkshps)

View full text Add to dashboard Cite

Internet of things (IoT) healthcare devices, like other IoT devices, typically use proprietary protocol communications. Usually, these proprietary protocols are not audited and may present security flaws. Further, new proprietary protocols are desgined in the field of IoT devices, like data-over-sound communications. Data-over-sound is a new method of communication based on audio with increasing popularity due to its low hardware requirements. Only a speaker and a microphone are needed instead of the specific antennas required by Bluetooth or Wi-Fi protocols. In this paper, we analyze, audit and reverse engineer a modern IoT healthcare device used for performing electrocardiograms (ECG). The audited device is currently used in multiple hospitals and allows remote health monitoring of a patient with heart disease. For this auditing, we follow a black-box reverse-engineering approach and used STRIDE threat analysis methodology to assess all possible attacks. Following this methodology, we successfully reverse the proprietary dataover-sound protocol used by the IoT healthcare device and subsequently identified several vulnerabilities associated with the device. These vulnerabilities were analyzed through several experiments to classify and test them. We were able to successfully manipulate ECG results and fake heart illnesses. Furthermore, all attacks identified do not need any patient interaction, being this a transparent process which is difficult to detect. Finally, we suggest several short-term solutions, centred in the device isolation, as well as long-term solutions, centred in involved encryption capabilities.

show abstract

“…While SACs are usually used to establish evidence-based security assurance for a given system, researchers have reported cases where SAC could be used to achieve dif- External forces Comply with security requirements of safety-critical systems Cyra et al [18] External forces Comply with standards and regulation Finnegan et al [20] External forces Comply with regulation and maintain confidence in the product in question Finnegan et al ( 2) [21] External forces Comply with regulation He et al [35] External forces Reason about cybersecurity policies and procedures Mohammadi et al [47] External forces Learn from the safety domain where it is a proven approach Ray et al [56] External forces Comply with regulation and internal needs from cyber-physical systems' manufacturers Sklyar et al ( 2) [63,65,64] External forces Comply with standards Sljivo et al [66] External forces Comply with standards and regulation Strielkina et al [69] External forces Comply with security regulation Goodger et al [28] Knowledge transfer Learn from the safety domain to integrate oversight for safety and security Ionita et al [38] Knowledge transfer Learn from the safety domain where it is a proven approach Netkachova et al ( 2) [49] Knowledge transfer Learn from the safety domain where it is a proven approach Poreddy et al [55] Knowledge transfer Learn from the safety domain, where it is a proven approach Sklyar et al [62] Knowledge transfer Learn from the safety domain, where it is a proven in-use approach Ben Othmane et al [7] Process improvement Trace security requirements and assure security during iterative development. Ben Othmane et al [8] Process improvement Assure security during iterative development Cheah et al [14] Process improvement Cope with the increasing connectivity of systems Cockram et al [16] Process improvement Reduces both technical and program risks through process improvement Gallo et al [26] Process improvement Factor analytical and implementation work per component, requisite, technology, or life-cycle Lipson et al [42] Process improvement Help analyzing complex systems Netkachova et al [50] Process improvement Tackle security issues which have intensified challenges of engineering safety-critical sys...…”

Section: Usage Scenariosmentioning

confidence: 99%

“…Ben Othmane et al [8] Process improvement Assure security during iterative development Cheah et al [14] Process improvement Cope with the increasing connectivity of systems Cockram et al [16] Process improvement Reduces both technical and program risks through process improvement Gallo et al [26] Process improvement Factor analytical and implementation work per component, requisite, technology, or life-cycle Lipson et al [42] Process improvement Help analyzing complex systems Netkachova et al [50] Process improvement Tackle security issues which have intensified challenges of engineering safety-critical systems. Weinstock et al [75] Process improvement Include people and processes in security assurance in addition to technology Alexander et al [4] Security assessment Help security evaluators to focus their attention on critical parts of the system Bloomfield et al [11] Security assessment Ensure the fulfillment of security requirements Finnegan et al [21] Security assessment Improve overall security practices and demonstrate confidence in security Hawkins et al [34] Security assessment Justify and assess confidence in critical properties Knight [41] Security assessment Spot security related weaknesses in the system Poreddy et al [55] Security assessment Assist in identifying security loopholes while changing the system Rodes et al [57] Security assessment Measure software security Strielkina et al [69] Security assessment Acquire an input for decision making of requirement conformity Vivas et al [74] Security assessment Acquire confidence that the security of the system meets the requirements Agudo et al [3] Structure & documentation Incorporate certifications and evaluation methods in an evidence-based structure Alexander et al [4] Structure & documentation Summarize security thinking when vendors are involved Finnegan et al [22] Structure & documentation Communicate and report achieved security level Knight [41] Structure & documentation Document rational for security claims Netkachova et al [51] Structure & documentation Aid in communication as it provides a summary of issues and their interrelationship Patu et al [54] Structure & documentation Aid in the survival of modern system, with respect to security challenges Ray et al [56] Structure & documentation Comply with internal needs from cyber-physical systems' manufacturers ferent goals. We looked into...…”

Section: Usage Scenariosmentioning

confidence: 99%

Security assurance cases—state of the art of an emerging approach

2021

View full text Add to dashboard Cite

Security Assurance Cases (SAC) are a form of structured argumentation used to reason about the security properties of a system. After the successful adoption of assurance cases for safety, SAC are getting significant traction in recent years, especially in safety-critical industries (e.g., automotive), where there is an increasing pressure to be compliant with several security standards and regulations. Accordingly, research in the field of SAC has flourished in the past decade, with different approaches being investigated. In an effort to systematize this active field of research, we conducted a systematic literature review (SLR) of the existing academic studies on SAC. Our review resulted in an in-depth analysis and comparison of 51 papers. Our results indicate that, while there are numerous papers discussing the importance of SAC and their usage scenarios, the literature is still immature with respect to concrete support for practitioners on how to build and maintain a SAC. More importantly, even though some methodologies are available, their validation and tool support is still lacking.

show abstract

Cybersecurity of healthcare IoT-based systems: Regulation and case-oriented assessment

Cited by 35 publications

References 15 publications

Medical Internet of Things: A Survey of the Current Threat and Vulnerability Landscape

Medical Internet of Things: A Survey of the Current Threat and Vulnerability Landscape

Security and privacy issues of data-over-sound technologies used in IoT healthcare devices

Security assurance cases—state of the art of an emerging approach

Contact Info

Product

Resources

About