Security Scores for Medical Devices

Johannes Sametinger, Jerzy Rozenblit

2016

Abstract

Medical devices are indispensable for millions of patients worldwide. They increasingly depend on software and hardware components, and interoperate with other devices wirelessly and through the Internet. The sensitive nature of health records, the increasing interoperability of medical devices, and the fact that human well-being and life are at stake put medical device security at the forefront in healthcare technology. In this paper, we contrast medical devices’ safety with their security and introduce a stratification of security scores. We need such a grading to increase security awareness in the medical domain, as a guideline for designers and developers who will have to act appropriately to ensure devices’ trustworthiness, and as a basis for stakeholders’ course of action when devices pose risks. We motivate and illustrate the scores by examples.



Paper Citation


in Harvard Style

Sametinger J. and Rozenblit J. (2016). Security Scores for Medical Devices. In Proceedings of the 9th International Joint Conference on Biomedical Engineering Systems and Technologies - Volume 5: SmartMedDev, (BIOSTEC 2016) ISBN 978-989-758-170-0, pages 533-541. DOI: 10.5220/0005838805330541


in Bibtex Style

@conference{smartmeddev16,
author={Johannes Sametinger and Jerzy Rozenblit},
title={Security Scores for Medical Devices},
booktitle={Proceedings of the 9th International Joint Conference on Biomedical Engineering Systems and Technologies - Volume 5: SmartMedDev, (BIOSTEC 2016)},
year={2016},
pages={533-541},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005838805330541},
isbn={978-989-758-170-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 9th International Joint Conference on Biomedical Engineering Systems and Technologies - Volume 5: SmartMedDev, (BIOSTEC 2016)
TI - Security Scores for Medical Devices
SN - 978-989-758-170-0
AU - Sametinger J.
AU - Rozenblit J.
PY - 2016
SP - 533
EP - 541
DO - 10.5220/0005838805330541