Friday, May 13, 2016

Security Architectures:

Security architectures involve novel designs that provide security through architectural changes in the medical device design. Since devices are resource-constrained, novel architectures are required that take the least resources while providing considerable security levels. This field might involve either additional hardware (additions or changes) or changes in protocols and software.

  1. Security in resource-constrained computer systems provides a good survey of the existing security schemes for resource-constrained embedded systems.
     
  2. Block Cipher Based Security for Severely Resource-constrained Implantable Medical Devices: the approach is summarized below:
    • Two new protocols are suggested, with the Artificial Accommodation System (a micromechatronic lens) as the experimental setup.
    • First, stream mode: quick command communication and continuous exchange of sensor data between IMDs, with basic security.
    • Second, session mode: cipher block chaining and a challenge-response scheme are used for higher security when sending sensitive information.
  3. The Design Space of Ultra-low Energy Asymmetric Cryptography is mostly an architecture-heavy paper that requires a computer architecture background to fully understand the architecture it proposes. Simplifying their approach:
    • Three different architectures are proposed for low-energy asymmetric cryptography. As we know, asymmetric cryptography has taken a back seat because of its intensive operations.
    • The first uses a baseline processor, the second adds instruction set changes to the processor, and the third adds a special-purpose processor that accelerates the baseline. The implication is that greater security demands special-purpose hardware.

Wireless Security:

A good reference in this field proposes a wireless monitor that secures a medical device, or a network of them - MedMon: Securing medical devices through wireless monitoring and anomaly detection:-

  • A new, truly non-invasive defense against wireless attacks based on wireless monitoring and multi-layer anomaly detection. The medical security monitor passively monitors the device and intervenes only when an anomaly is detected. Ideal for inter-IWMD communication.
  • Security is captured in security policies, which have two layers of abstraction: physical and behavioral. Physical involves parameters like time of arrival, differential TOA, received signal strength indicator and angle of arrival. Behavioral involves data change, rate of data change and condition-specific values.
  • Security policy: MedMon models remote control and meter communication as behavioral anomalies and, by default, jams any command signal or raises a warning for any meter or remote control data transmission.
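To make the two-layer policy concrete, here is an added example (not code from the MedMon paper) of a passive monitor that applies a physical-layer profile (RSSI, differential TOA) and a behavioral profile (value range, rate of change, remote commands) to a constructed message trace; the message fields, thresholds and sample values are all assumptions.

```python
# Two-layer (physical + behavioral) anomaly policy in the style of MedMon; constructed example.
from collections import namedtuple

# t: time of arrival (s); rssi: received signal strength (dBm); kind: "meter" or "command";
# value: glucose mg/dL for a meter reading, dose units for a remote-control command
Msg = namedtuple("Msg", "t rssi kind value")

# Profiles learnt from the patient's own devices during a trusted period (constructed values).
PHYS = {"rssi_min": -70.0, "rssi_max": -40.0, "min_interval": 4.0}   # physical layer
BEHAV = {"glucose_min": 40.0, "glucose_max": 400.0, "max_rate": 5.0}  # mg/dL per second

def physical_anomaly(prev, msg):
    """RSSI outside the meter's profile, or differential TOA too small for the meter's schedule."""
    if not PHYS["rssi_min"] <= msg.rssi <= PHYS["rssi_max"]:
        return "rssi out of profile"
    if prev is not None and msg.t - prev.t < PHYS["min_interval"]:
        return "differential TOA too small"
    return None

def behavioral_anomaly(prev, msg):
    """Remote commands are anomalous by default; readings must stay in range and change slowly."""
    if msg.kind == "command":
        return "remote command"
    if not BEHAV["glucose_min"] <= msg.value <= BEHAV["glucose_max"]:
        return "value outside condition-specific range"
    if prev is not None and abs(msg.value - prev.value) / (msg.t - prev.t) > BEHAV["max_rate"]:
        return "rate of change too high"
    return None

def monitor(msgs):
    """Passive pass over the trace; returns (index, action, reason) only for anomalies."""
    verdicts, prev = [], None
    for i, m in enumerate(msgs):
        reason = physical_anomaly(prev, m) or behavioral_anomaly(prev, m)
        if reason:   # commands are jammed, suspicious meter data only raises a warning
            verdicts.append((i, "jam" if m.kind == "command" else "warn", reason))
        else:        # only accepted meter readings become the baseline for the next comparison
            prev = m
    return verdicts

SAMPLE = [  # constructed trace: two normal readings, a too-strong spoof, a jump, a command
    Msg(0.0, -55.0, "meter", 110.0),
    Msg(5.0, -56.0, "meter", 112.0),
    Msg(10.0, -20.0, "meter", 113.0),   # signal far stronger than the meter ever produces
    Msg(15.0, -55.0, "meter", 300.0),   # +188 mg/dL in 10 s is physiologically implausible
    Msg(20.0, -54.0, "command", 10.0),  # remote bolus command: jammed by the default policy
]
```

Running `monitor(SAMPLE)` yields a warning for the spoofed-signal reading, a warning for the implausible jump, and a jam verdict for the remote command.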

External Devices

Guess researchers want patients to strap on another device to protect them from attacks on their already strapped-on or implanted medical device.
From a technical point of view, however, since medical devices have low resources, an external device can act as the buffer that performs all the intensive security computations and communications with the external world, so the medical device can be assured that its communication is always secured and checked by that device. The following articles suggest a few of these external devices:


  1. Absence Makes the Heart Grow Fonder - a summary is below:
    • A Communication Cloaker is suggested that balances safety and open access in emergencies against security and privacy under adversarial conditions, while protecting battery life and keeping response time quick.
    • IMD, cloaker and programmer communication can work in two ways: the cloaker proxies the communications between the programmer and the IMD, or the cloaker hands off a lightweight access credential to the programmer. The cloaker's presence is established by it detecting the wearer's pulse.
  2. IMDGuard - an external wearable guardian is a popular reference in this topic:-
    • ECG signals are used as keys, which an attacker cannot forge except during physical contact. Attackers are prevented from jamming the signals between the IMD and the Guardian by notifications.
    • IMDGuard authenticates the programmer so as to save the IMD's battery, and has two modes of operation - emergency and regular.
    • The Guardian cannot stop messages between the attacker and the IMD, but can jam messages in the other direction since it knows the IMD's credentials.

The surging research in attacking medical devices is matched by an equal surge towards preventing these attacks! Every article also discusses countermeasures for its attacks, or at least suggests proper precautions and steps to be taken to prevent such attacks. The following set of posts discusses the articles in which ways of preventing attacks on medical devices in general are proposed. They cover the entire ecosystem of a healthcare system as well.



I hope the posts on attacking medical devices have given a good overview of the picture of these attacks on life-critical devices. My last post in this domain is a doozy!
Data analytics in healthcare is booming, with several companies cropping up and changing the nature of how we view medical data. This has also led to some very optimistic conclusions about the future of big data analytics in healthcare. But taking a moment to think about the vulnerabilities in this system shows that it might lead to erroneous, and probably appalling, conclusions.
The following reference poisons the training data itself for the machine learning algorithms that perform big data analytics. This can lead to severe security attacks, as it changes the conclusions the algorithms reach. This is a vulnerability for the entire healthcare industry, and data cleansing is required - Systematic Poisoning Attacks on and Defenses for Machine Learning in Healthcare. Summarizing:

  • The attack model chosen is the causative attack known as a poisoning attack, where an attacker adds malicious data to the training set, with the assumptions that the attacker has a very powerful computer and knowledge of the training set, and that adding malicious data does not look suspicious.
  • The attack scheme is generic and algorithm-independent, and can be implemented without any knowledge of the type of machine learning algorithm used.
  • Malicious instances whose attribute values match the attacked class but whose labels are the attacking class are generated using weighted pseudo-random values for the attributes. Attacking without access to the database is based on generating an artificial dataset from the feedback of the machine learning algorithm.
No fear, as countermeasures are proposed which seem viable.
  • Periodically construct a model using the training dataset, evaluate it with a validation dataset, and notify if there is a sudden change in the accuracy metrics. The metrics include correctly-classified instances and the kappa statistic. The first-pass evaluation computes the golden value from the trusted state, and subsequent evaluations are checked against this golden value to detect attacks.
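The golden-value countermeasure, as an added example that is not the paper's code: a tiny nearest-centroid classifier stands in for the healthcare model, a first pass on trusted data records accuracy and kappa as the golden value, and a later pass over a training set that has been poisoned with mislabelled records is compared against it. The patient records, the poisoning set and the 5% tolerance are all constructed assumptions.

```python
# Golden-value monitoring of a classifier's accuracy and kappa; constructed example.
import random

def train_centroids(data):
    """Model = mean feature vector per label (stand-in for the real healthcare model)."""
    sums, counts = {}, {}
    for x, y in data:
        sums[y] = [s + v for s, v in zip(sums.get(y, [0.0] * len(x)), x)]
        counts[y] = counts.get(y, 0) + 1
    return {y: [s / counts[y] for s in sums[y]] for y in sums}

def predict(model, x):
    return min(model, key=lambda y: sum((a - b) ** 2 for a, b in zip(x, model[y])))

def evaluate(model, validation):
    """Accuracy and Cohen's kappa on a trusted validation set (the paper's two metrics)."""
    n = len(validation)
    pairs = [(predict(model, x), y) for x, y in validation]
    acc = sum(p == y for p, y in pairs) / n
    labels = {y for _, y in pairs}
    p_e = sum(sum(p == l for p, _ in pairs) / n * sum(y == l for _, y in pairs) / n for l in labels)
    kappa = (acc - p_e) / (1 - p_e) if p_e < 1 else 1.0
    return acc, kappa

def check_for_poisoning(golden, current, tolerance=0.05):
    """Alarm when accuracy or kappa falls more than `tolerance` below the golden value."""
    return golden[0] - current[0] > tolerance or golden[1] - current[1] > tolerance

def make_records(n, label, centre, rng):
    """n constructed patient records scattered around `centre`, labelled `label`."""
    return [([rng.gauss(c, 1.0) for c in centre], label) for _ in range(n)]

def demo():
    rng = random.Random(7)
    train = make_records(100, "healthy", (5, 5), rng) + make_records(100, "sick", (10, 10), rng)
    valid = make_records(40, "healthy", (5, 5), rng) + make_records(40, "sick", (10, 10), rng)
    golden = evaluate(train_centroids(train), valid)        # first pass on the trusted state
    # Poisoning: attribute values that match the "sick" class, labelled "healthy" (constructed).
    poisoned = train + make_records(900, "healthy", (10, 10), rng)
    current = evaluate(train_centroids(poisoned), valid)    # a later periodic evaluation
    return golden, current, check_for_poisoning(golden, current)
```

`demo()` returns the golden metrics, the metrics after poisoning and the alarm flag; the poisoned centroid drifts towards the "sick" cluster, so validation accuracy drops well past the tolerance and the alarm fires.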
This post takes us away from medical devices, but it can be applied to them directly and has been discussed in research. Firmware modification involves replacing the firmware with a malicious one when a device needs to update! Updates are essential and in most cases require the device to be connected to the Internet, which creates the vulnerability - When Firmware Modifications Attack: A Case Study of Embedded Exploitation. Summarizing:

  • Firmware modification attacks transcend operating system versions and instruction set architectures and can apply to an entire family of devices (networked embedded systems).
  • The authors successfully implanted malware into a range of printers and also exposed third-party vulnerabilities. The attack exploits kernel structures and memory accesses.

The attack steps seem to be the same in most of the attacks and can be summarized as the steps below:
  1. Reverse engineer the medical device and communication protocols.
  2. Identify vulnerabilities that can be easily manipulated.
  3. Utilize more powerful devices in terms of their communication range or manipulate the stipulated communication device's message packet. 
  4. Medical device attacked!
Let's jump from defibrillators to the insulin pump, another device that has been subject to attacks - Hijacking an insulin pump. Notably, most of the required hardware, including the medical device, was off the shelf. Summarizing:


  • Experimental setup of the attacks: USRP, glucose meter, insulin pump and remote control. Software: GNU Radio for intercepting the radio communication via the USRP. The communication frequency is public, so the daughterboards and antenna are chosen for that frequency. The modulation scheme is detected by down-converting the signal to near baseband. The packet format and device ID are found by eavesdropping on the communication and intercepting the data packets. Generally, data packets for an insulin pump are: device type - device PIN - payload information - CRC - end pattern.
  • Attacks are possible both without knowledge of the PIN (DoS, privacy invasion, etc.) and with it. The USRP setup can mount passive attacks (signal analysis and eavesdropping) and active attacks (control of the pump).