Networked Medical Devices

CYS401: Cyber Laws & Security Policy

Academic Year (2021-2022) – First Semester
Lecturer: Maryam Aldossary

Individual Assignment 2
Sara Alsaidan | 2180002161 | 20 Nov
Table of Contents
Introduction ......................................................................................................................... 2
Networked Medical Devices ............................................................................................... 3
Vulnerabilities and attacks .................................................................................................. 4
Regulations for networked medical devices ....................................................................... 5
Countermeasures ................................................................................................................. 5
Conclusion .......................................................................................................................... 6
References ........................................................................................................................... 7
Abbreviation ....................................................................................................................... 8

Table of Figure
Figure 1 Medical Devices’ Communication Architecture .................................................. 3
Figure 2 sources of vulnerabilities ...................................................................................... 4
Figure 3 Attack on Medical Devices .................................................................................. 4

PAGE 1
Introduction
Digital development provides a range of services that make health services providers
highly dependent on technology. The management of patient information, the management
of health care providers, or the use of devices to help reduce patient risk are areas where
tremendous progress has been made recently. The patient can use portable and small
devices by themselves, while large devices require specialized facilities and expert
handling. As these technologies evolve, we will need networks to prepare health facilities,
adapt these devices, and communicate remotely with patients' devices. Scientists and
researchers seek countermeasures to protect information systems from attacks by
adversaries in technologies and networks. The healthcare industry has created medical
regulations to ensure information security and verify these regulations' availability in
hospitals. This report presents a review of networked medical devices, vulnerabilities and
attacks, regulations, and countermeasures based on research carried out by Tahreem
Yaqoob, Haider Abbas, and Mohammed Atiquzzaman in [1].

PAGE 2
Networked Medical Devices
According to the World Health Organization (WHO), medical devices differ in design,
implementation, and method of work, medical devices are defined as any device, tool, or
machine used to diagnose disease, treatment, and patient monitoring [2]. It has been
classified into three sections: Hard based, Soft rebased, Software, and Hardware-based.
Most medical devices use software and hardware-based class [3] The Medical Devices'
Communication Architecture Figure 1 defines three structural levels tier 1, tier 2, and tier
3.

Figure 1 Medical Devices’ Communication Architecture

The communication technologies in medical devices discussed are ZigBee, Bluetooth,

BLE, IEEE 802.115, IEEE 802.11ah, and IEEE 802.3. These techniques have been
compared in terms of a standard adopted, frequency, network topology, transmission range,
encryption, and authentication. After comparing this technique, they classified it into three
types depending on their transmission range and the protocol's security: The first is the
Implementable type, and the second is wearables. These are the types needed to transfer
sensitive data among different gateway and stations makes secure data transmission an
essential issue. Therefore, the nature of wearable and implantable medical devices is not
possible to incorporate traditional security mechanisms And, finally, the on-site equipment
type.

PAGE 3
Vulnerabilities and attacks

The network model in Figure 1 has been used to identify seven sources of
vulnerabilities. These, as in Figure 2.

Figure 2 sources of vulnerabilities

Each medical device is vulnerable to different attacks depending on the attack methodology
(Reverse engineering, communication protocol, static or dynamic analysis, traffic analysis,
communication channel exploitation, FTP server exploitation, Network analysis, malicious
command, and others). The attack exploited depends on the device and its vulnerability, a
common attack on medical devices in Figure 3.

Figure 3 Attack on Medical Devices

PAGE 4
Regulations for networked medical devices
HIPPA, GDPR, EU, and FDA Policies developed by international agencies due to the
renaissance in medical devices to be followed when manufacturing medical devices to
overcome security challenges. Each institution has its categories and regulatory boards to
obtain medical device accreditation. The FDA classified the medical device into low to
medium risk, medium to high risk, and High to very high risk. The low to medium risk
have most devices. All other policies have a classification, but the FDA was obvious
compared to them. The importance of providing security to the patient makes the control
of the vulnerability affect the privacy and safety of the patient since they have common
interests. Transparency Challenges this is critical if the developers of the device want it to
go worldwide because of other different countries with different regulations. Furthermore,
some limitations of existing regulations: Nevertheless, most agency regulation does not
control privacy [4]. Each regulation has Fines and Penalties for Non-Compliance.

Countermeasures
The medical device should be protected because the information detected and analyzed
from the human body should be accurate. The researcher finds countermeasures in both
Software and Hardware-based, so the scientists implement different techniques to solve the
vulnerability found in some technology such as software protocols and hardware chipset
embedded in legacy equipment. This technique has advantages and disadvantages.
However, the disadvantage can be ignored since the techniques are beneficial. Some
technique requires costly chip or algorithms that can't apply to the small wearable device.
however, the on-site device can be protected very well because it is large and can adopt
security techniques. The cost can be tolerated because it helps many patients, not one
person. Attestation-Based Architecture can protect the on-site device, Isolation-Based
Mechanisms, Bio-Cryptographic Key schema and other schemes, different protocols, CIA
Mechanisms.

PAGE 5
Conclusion
The success of wearable technologies and devices is very significant, especially with
the COVID-19. It has become not only required protection by manufacturers and the health
sector, the user's knowledge, and awareness of how to use these technologies and the
protection of his data and its accuracy affects the protection. Therefore, the time that the
data needs to transfer and processed and then acted in case of danger requires an efficient
process. The developer should consider the speed of the Internet and the algorithms used
to process this data with adequate quality. Social, cultural, and cost problems are also
challenging as some people view them as untrustworthy or costly and privacy issues and
explaining to the patient the risk of medical device exploitation in plain terms. Moreover,
small size, lack of resources in the devices, movement of the devices, and importance of
data require a power source for a long time and avoid interruption if possible, which
consider as a challenge to the medical and security experts.
Cybersecurity should be applied in the manufacturing and procurement of medical devices.
Healthcare IT departments should focus on mitigating and preventing risk before exploiting
medical devices. As an acritical review, the reviewed paper should focus on awareness and
a new technology path such as defending healthcare supply chains, artificial intelligence,
and increased vulnerability disclosure from manufacturers [5].

PAGE 6
References
[1] T. Yaqoob, H. Abbas and M. Atiquzzaman, "Security Vulnerabilities, Attacks,
Countermeasures, and Regulations of Networked Medical Devices—A Review," in IEEE
Communications Surveys & Tutorials, vol. 21, no. 4, pp. 3723-3768, Fourthquarter 2019,
doi: 10.1109/COMST.2019.2914094.

[2] G. Syringe. (2013). Overview: FDA Regulation of Medical Devices. Accessed: Mar. 2,
2018. [Online]. Available: http://www.qrasupport.com/FDA-MED-DEVICE.html

[3] G. Tanev, P. Tzolov, and R. Apiafi, “A value blueprint approach to cybersecurity in

networked medical devices,” Technol. Innov. Manag. Rev., vol. 5, no. 8, pp. 17–25, 2015.

[4] B. Macfarlane. FDA Regulation of Mobile Medical Apps. Accessed: Dec. 10, 2018.
[Online].Available:https://www.namsa.com/wpcontent/uploads/2015/10/WP.006FDARe
gulationofMobileMedical Apps_a06.pdf.

[5] Lauver, M. (2021, October 26). Five new trends in Healthcare Cybersecurity. Security
Magazine RSS. Retrieved November 20, 2021, from
https://www.securitymagazine.com/articles/96391-five-new-trends-in-healthcare-
cybersecurity.

PAGE 7
Abbreviation

WHO: World Health Organization.

WBAN: Wireless Body Area Network.

HIMSS: Healthcare Information and Management Systems Society.

IMDs: International Material Data System.

BLE: Bluetooth Low Energy.

CIA: Confidentiality, Integrity, Availability.

MITM: Man In The Middle.

HIPAA: Health Insurance Portability and Accountability Act.

FDA: Federal Drug Administration.

EU: European Union.

GDPR: General Data Protection Regulation.

FTP: File Transfer Protocol.

IT: Information Technology.

PAGE 8