Friday, May 13, 2016

Security Architectures:

Security architectures involve novel designs that provide security through architectural changes in the medical device design. Since devices are resource-constrained, novel architectures are required that take the least resources while providing considerable security levels. This field might involve either hardware additions/changes or changes in protocols/software.

  1. Security in resource-constrained computer systems provides a good survey of what is out there in security schemes for resource-constrained embedded systems.

  2. The approach of Block Cipher Based Security for Severely Resource-constrained Implantable Medical Devices is summarized below:
    • Two new protocols are suggested, with an Artificial Accommodation System (a micromechatronic lens) as the experimental setup.
    • First, stream mode: quick command communication and continuous exchange of sensor data between IMDs, with basic security.
    • Second, session mode: cipher block chaining and a challenge-response scheme are used for higher security when sending sensitive information.
  3. The Design Space of Ultra-low Energy Asymmetric Cryptography is mostly an architecture-heavy paper that requires a computer architecture background to fully understand the new architectures it proposes. Simplifying the approach:
    • Three different architectures are proposed for low-energy asymmetric cryptography. As we know, asymmetric cryptography has taken a back seat because of its intensive operations.
    • The first is a baseline processor, the second is that processor with instruction set changes, and the third adds a special processor that accelerates the baseline. The implication is that greater security demands special-purpose hardware.

Wireless Security:

A good reference in this field covers wireless security for a single medical device or for a network of them - MedMon: Securing medical devices through wireless monitoring and anomaly detection:

  • A new, truly non-invasive defense against wireless attacks, based on wireless monitoring and multi-layer anomaly detection. The medical security monitor passively monitors the device and intercepts only when an anomaly is detected. Ideal for inter-IWMD communication.
  • Security is contained in security policies, which have two main layers of abstraction: physical and behavioral. The physical layer involves parameters like time of arrival (TOA), differential TOA, received signal strength indicator and angle of arrival. The behavioral layer involves data change, rate of data change and condition-specific values.
  • Security policy: MedMon models remote control and meter communication as behavioral anomalies, and jams any command signal by default or raises a warning for any meter or remote control data transmission.
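
The two policy layers described above can be shown as a passive monitor that checks each packet against physical and behavioral thresholds, warns on anomalous data and jams anomalous commands. This is an added example, not code from the MedMon paper or from this blog; the packet fields, every threshold, the inter-arrival check that stands in for the time-of-arrival parameters, and the sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    t_s: float        # arrival time in seconds
    kind: str         # "command" (remote control) or "data" (meter reading)
    rssi_dbm: float   # received signal strength indicator
    value: float      # glucose in mg/dL for data, bolus units for commands


@dataclass
class Policy:
    # Physical layer (all thresholds are assumed, not taken from the paper)
    rssi_range: Tuple[float, float] = (-60.0, -40.0)
    min_gap_s: float = 2.0            # simplified time-of-arrival check
    # Behavioral layer
    value_range: Tuple[float, float] = (40.0, 400.0)  # mg/dL
    max_rate_per_min: float = 5.0     # mg/dL per minute
    max_bolus_units: float = 10.0


def monitor(packets: List[Packet], policy: Policy) -> List[Tuple[str, List[str]]]:
    """Return (action, reasons) per packet: pass, warn (data) or jam (command)."""
    verdicts = []
    last_ok_t = None        # arrival time of the last packet that passed
    last_reading = None     # (time, value) of the last reading that passed
    for p in packets:
        reasons = []
        lo, hi = policy.rssi_range
        if not lo <= p.rssi_dbm <= hi:
            reasons.append("rssi")
        if last_ok_t is not None and p.t_s - last_ok_t < policy.min_gap_s:
            reasons.append("arrival-gap")
        if p.kind == "data":
            vlo, vhi = policy.value_range
            if not vlo <= p.value <= vhi:
                reasons.append("value")
            elif last_reading is not None:
                minutes = (p.t_s - last_reading[0]) / 60.0
                rate = abs(p.value - last_reading[1]) / minutes if minutes > 0 else 0.0
                if rate > policy.max_rate_per_min:
                    reasons.append("rate")
        elif p.value > policy.max_bolus_units:
            reasons.append("dose")
        if not reasons:
            action = "pass"
            last_ok_t = p.t_s     # only packets that pass update the baseline
            if p.kind == "data":
                last_reading = (p.t_s, p.value)
        else:
            action = "jam" if p.kind == "command" else "warn"
        verdicts.append((action, reasons))
    return verdicts


# Constructed traffic: readings every 5 minutes plus three out-of-profile packets.
SAMPLE = [
    Packet(0, "data", -50, 110),
    Packet(300, "data", -52, 118),
    Packet(600, "data", -49, 124),
    Packet(601, "data", -75, 290),       # weak signal, too soon, implausible jump
    Packet(900, "data", -51, 130),
    Packet(905, "command", -48, 2.0),
    Packet(1200, "command", -78, 2.0),   # signal strength outside the learned range
    Packet(1500, "command", -50, 25.0),  # dose above the behavioral limit
]

if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE, monitor(SAMPLE, Policy())):
        print(f"t={pkt.t_s:>5} {pkt.kind:<7} -> {action:<4} {','.join(why)}")
```

Only packets that pass update the baseline, so a single out-of-profile packet does not cause the next legitimate one to be flagged.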

External Devices:

I guess researchers want patients to strap on another device to protect them from attacks on their already strapped-on/implanted medical device.
From a technical point of view, however, since medical devices have low resources, external devices can provide the buffer to perform all the intensive security computations and communications with the external world, and be assured that their communication with the medical device will always be secure and proofread by it. The following articles suggest a few of these external devices:


  1. Absence Makes the Heart Grow Fonder - a summary is below:
    • A Communication Cloaker is suggested that balances safety and open access in emergencies with security and privacy under adversarial conditions, while protecting battery life and keeping response time quick.
    • IMD, cloaker and programmer communication can work in two ways: the cloaker proxies the communications between the programmer and the IMD, or the cloaker hands off a lightweight access credential to the programmer. The cloaker’s presence is apprehended by it detecting a pulse of the wearer.
  2. IMDGuard - an external wearable guardian - is a popular reference on this topic:
    • ECG signals are used as keys. Cannot forge IMD except during physical contacts. Prevents attackers from jamming the signals between the IMD and the Guardian by notifications.
    • IMDGuard authenticates the programmer so as to save IMD battery, and has two modes of operation: emergency and regular.
    • The Guardian cannot stop messages between the attacker and the IMD, but can jam messages the other way round since it knows the IMD’s credentials.
The surge in research on attacking medical devices is also because there is an equal surge towards preventing these attacks! Every article also discusses countermeasures for its attacks, or at least suggests proper precautions and steps to be taken to prevent such attacks. The following set of posts will discuss articles that propose ways of preventing attacks on medical devices in general. They also cover the entire ecosystem of a healthcare system.



I hope the posts on attacking medical devices have given a good overview of the picture of these attacks on life-critical devices. My last post in this domain is a doozy!
Data analytics in healthcare is booming, with several companies cropping up and changing how we view medical data. This has also led to some very optimistic conclusions about the future of big data analytics in healthcare. But take a moment to think about the vulnerabilities in this system, which might lead to erroneous and probably appalling conclusions.
The following reference poisons the training data itself for the machine learning algorithms that work on big data analytics. This can lead to severe security attacks, as it changes the conclusions of the algorithms. This is a vulnerability for the entire healthcare industry, and data cleansing is required - Systematic Poisoning Attacks on and Defenses for Machine Learning in Healthcare. Summarizing:

  • The attack model chosen is that of causative attacks called poisoning attacks, where an attacker can add malicious data to the training set, under the assumptions that the attacker has access to a super awesome computer, knows the training set, and that adding malicious data is not suspicious.
  • The attack scheme is a generic and algorithm-independent one and can be implanted without any knowledge of the type of machine learning algorithm used.
  • Malicious instances I, whose attribute values match the attacked class and whose labels are the attacking class, are generated using weighted pseudo-random values for the attributes. Attacking without access to the database is based on generating an artificial dataset from the feedback of the machine learning algorithm.
No fear, as countermeasures are proposed which seem to be viable.
  • Periodically construct a model using the training dataset, evaluate it with a validation dataset, and notify if there is a sudden change in accuracy metrics. Metrics include correctly classified instances and the kappa statistic. The first-pass evaluation computes the golden value from the trusted state, and further evaluations are compared with this golden value to check for attacks.
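
The golden-value countermeasure above can be run end to end: retrain periodically, score the model on a trusted validation set with accuracy (the share of correctly classified instances) and Cohen's kappa, and alert when either falls below the value recorded in the trusted state. This is an added example, not code from the paper or this blog; the nearest-centroid classifier, the class names, the alert tolerances and all data rows are assumptions constructed for illustration, and the validation set is assumed to be stored where training-data contributors cannot modify it.

```python
from collections import Counter, defaultdict


def train(rows):
    """Nearest-centroid model: label -> mean feature vector."""
    groups = defaultdict(list)
    for features, label in rows:
        groups[label].append(features)
    return {label: tuple(sum(col) / len(vecs) for col in zip(*vecs))
            for label, vecs in groups.items()}


def predict(model, features):
    return min(model, key=lambda lbl: sum((a - b) ** 2
                                          for a, b in zip(features, model[lbl])))


def evaluate(model, validation):
    """Return (accuracy, Cohen's kappa) on the validation set."""
    n = len(validation)
    actual = [label for _, label in validation]
    predicted = [predict(model, features) for features, _ in validation]
    p_o = sum(a == p for a, p in zip(actual, predicted)) / n
    c_act, c_pred = Counter(actual), Counter(predicted)
    # Agreement expected by chance, from the marginal label frequencies
    p_e = sum((c_act[l] / n) * (c_pred[l] / n) for l in c_act)
    kappa = 0.0 if p_e == 1 else (p_o - p_e) / (1 - p_e)
    return p_o, kappa


class GoldenValueMonitor:
    def __init__(self, validation, max_acc_drop=0.05, max_kappa_drop=0.10):
        self.validation = validation
        self.max_acc_drop = max_acc_drop      # assumed tolerance
        self.max_kappa_drop = max_kappa_drop  # assumed tolerance
        self.golden = None

    def check(self, training_rows):
        acc, kappa = evaluate(train(training_rows), self.validation)
        if self.golden is None:               # first pass: trusted state
            self.golden = (acc, kappa)
        g_acc, g_kappa = self.golden
        alert = (g_acc - acc > self.max_acc_drop
                 or g_kappa - kappa > self.max_kappa_drop)
        return {"accuracy": acc, "kappa": kappa, "alert": alert}


# Constructed one-feature dataset (feature vectors are 1-tuples).
TRUSTED = ([((x,), "benign") for x in (1.0, 2.0, 3.0, 4.0, 5.0)]
           + [((x,), "malignant") for x in (9.0, 10.0, 11.0, 12.0, 13.0)])
VALIDATION = ([((x,), "benign") for x in (2.0, 3.0, 4.0, 6.0)]
              + [((x,), "malignant") for x in (8.0, 9.0, 12.0, 13.0)])
ROUTINE = [((4.0,), "benign"), ((10.0,), "malignant")]   # ordinary new records
# Rows shaped as the post describes: attribute values of one class, label of the other
POISONED = [((12.0,), "benign")] * 10


def run_demo():
    mon = GoldenValueMonitor(VALIDATION)
    return [mon.check(TRUSTED),              # sets the golden value
            mon.check(TRUSTED + ROUTINE),    # normal growth: no alert
            mon.check(TRUSTED + POISONED)]   # poisoned set: alert


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

On the constructed data the poisoned retraining drops accuracy from 1.0 to 0.75 and kappa from 1.0 to 0.5, which trips both tolerances.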
This post takes us away from medical devices, but it can be totally applied to medical devices and has been spoken about in research. Firmware modification involves replacing the firmware with a malicious one when devices need to update! Updates are essential and in most cases require the device to be connected to the Internet, which results in the vulnerability - When Firmware Modifications Attack: A Case Study of Embedded Exploitation. Summarizing:

  • Firmware modification attacks transcend operating system versions and instruction set architectures and can apply to an entire family of devices (networked embedded systems).
  • Malware was successfully implanted in a range of printers, and third-party vulnerabilities were exposed. The attack exploits kernel structures and memory accesses.

The attack steps seem to be the same in most of the attacks and can be summarized as follows:
  1. Reverse engineer the medical device and communication protocols.
  2. Identify vulnerabilities that can be easily manipulated.
  3. Utilize more powerful devices in terms of their communication range or manipulate the stipulated communication device's message packet. 
  4. Medical device attacked!
Let's jump from defibrillators to the insulin pump, another device that has been subject to attacks - Hijacking an insulin pump. Note specifically that most of the required hardware, including the medical device, was off the shelf. Summarizing:


  • Experimental setup of attacks: USRP, glucose meter, insulin pump and remote control. Software: GNU Radio for intercepting radio communication using the USRP. The frequency of communication is public, so the daughterboards and antenna are of that frequency. The modulation scheme is detected by down-converting the signal to near baseband. The packet format and ID are found by eavesdropping on the communication and intercepting the data packets. Generally, data packets for an insulin pump are: device type - device PIN - payload information - CRC - end pattern.
  • Attacks can be carried out without knowledge of the PIN (DoS, privacy invasion, etc.) and with the PIN. The USRP setup can trigger active and passive attacks: passive for signal knowledge and eavesdropping, and active for control of the pump.
Attacking commercially available devices! Not in the TV show Homeland, but in reality. Most of these attacks can be attributed to manufacturers not paying much attention to security. On the other hand, security is still not a strictly enforced necessity, so it is natural that manufacturers would go easy on the means to provide it. With such research publications, the emphasis on security for the future of medical devices is spreading.
To start, a paper with a cool title - Take two software updates and see me in the morning. A summary of the paper:
  • A commercial automated external defibrillator is taken and malicious updates are successfully launched. No cryptographic controls were detected. Several software vulnerabilities are present, including buffer overflow and cryptographic flaws.
  • IDA Pro 5.6 is used for reverse engineering, and off-the-shelf hardware/software is used. Vulnerabilities discussed: buffer overflow, weak password authentication, weak CRC as digital signatures and credentials stored in plaintext.
  • Limited to one manufacturer but opens the door for the issue of medical device attacks.
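
The "weak CRC as digital signatures" finding comes down to the difference between an error-detecting code and an authenticity check, shown here side by side on an update package. This is an added example, not code from the paper or the device; the package layout, key and image bytes are constructed, and HMAC-SHA256 is used only as a keyed stand-in available in the standard library, where a real update scheme would verify an asymmetric signature so the device holds no signing secret.

```python
import hashlib
import hmac
import zlib

CRC_LEN, MAC_LEN = 4, 32


def crc_pack(image: bytes) -> bytes:
    """Weak scheme: image followed by its CRC-32. No secret is involved."""
    return image + zlib.crc32(image).to_bytes(CRC_LEN, "big")


def crc_verify(package: bytes) -> bool:
    if len(package) < CRC_LEN:
        return False
    image, tag = package[:-CRC_LEN], package[-CRC_LEN:]
    return zlib.crc32(image).to_bytes(CRC_LEN, "big") == tag


def mac_pack(image: bytes, key: bytes) -> bytes:
    """Keyed scheme: image followed by HMAC-SHA256 under the vendor key."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def mac_verify(package: bytes, key: bytes) -> bool:
    if len(package) < MAC_LEN:
        return False
    image, tag = package[:-MAC_LEN], package[-MAC_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def compare_schemes() -> dict:
    vendor_key = b"constructed-demo-key"            # constructed, not a real secret
    image = b"constructed firmware image v1.0"      # constructed image
    altered = image.replace(b"v1.0", b"v6.6")
    crc_tag = crc_pack(image)[-CRC_LEN:]
    mac_tag = mac_pack(image, vendor_key)[-MAC_LEN:]
    return {
        # Corruption in transit (tag left as shipped): both schemes notice.
        "crc_detects_corruption": not crc_verify(altered + crc_tag),
        "mac_detects_corruption": not mac_verify(altered + mac_tag, vendor_key),
        # Repackaged by a party without the vendor key: the CRC can simply be
        # recomputed, the keyed tag cannot.
        "crc_accepts_repackaged": crc_verify(crc_pack(altered)),
        "mac_accepts_repackaged": mac_verify(mac_pack(altered, b"not-the-key"),
                                             vendor_key),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```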

Thursday, April 28, 2016

  I finally end this blog with breaking medical devices. Though this might sound like a pessimistic topic, it gives hope for optimism about the need to incorporate safety measures in medical devices for a future where cyberattacks and security/safety issues will only rise. Many of the topics and references provided will include the attack and also the countermeasure for the same.
  The classic incident of breaking medical devices is that of Barnaby Jack, whom I spoke about in the first post of this blog. Have medical device manufacturers reacted by providing countermeasures for the same? What is the situation from their side? The answer is still uncertain, but as we have seen there is tremendous work from the research field and active involvement from the FDA.



Software Security: Software security has been an active area of research in computer systems for ages. But with medical devices becoming more complex and gaining more software functionality, the risk of software attacks has increased exponentially, with medical devices in the loop and in IoT in general. Software security is an expansive topic by itself and is hard to cover. The following reference gives the high-level requirements for assessing the integrity of medical device software. Though it introduces tools to check software, the bigger picture is that software in medical devices is something to worry about (it's written by people at the FDA!).
Link: Static Analysis of Medical Device Software using CodeSonar

Hardware Security: Hardware security, as stated in the Malware section, has been growing aggressively, mainly attributed to the fact that computer systems nowadays are manufactured by several companies and are often outsourced. Taking this into account, it is not possible to detect hardware threats that may have been implanted into the computer system. The following links give a brief picture of hardware risks and hardware layers.
Links:

Miscellaneous: This topic considers the following aspects:

  1. Resources: This constraint has been discussed as a double-edged sword, as security algorithms are resource-hungry and medical devices are severely short of resources. This was the case for smartphones in the early 2000s, but with the advance of technology it is no longer a problem; however, that can be the testbench for current IoT/medical devices.
    Links:
  2. Algorithms: Analysis of various algorithms for security, which can be encryption or decryption algorithms or algorithms unique to security in environments like medical devices or sensor nodes. Again, sensor nodes can be generalized to medical devices because they have roughly the same characteristics.
    Links:

Wednesday, April 27, 2016

Malware: Malware has been a common term in the software realm for a long time. However, it has successfully crept into the hardware realm too, where it is commonly termed hardware trojans. Hardware malware brings the highest level of security risk and requires robust hardware-software measures to counteract it. If such malware is implanted in a medical device, the consequences are surely fatal. The following paper discusses in detail the evolution of malware in smart devices and possible detection schemes.
Link: Evolution, Detection and Analysis of Malware for Smart Devices

Tuesday, April 26, 2016


The next set of links and material is on the analysis of security in medical devices. There is a wide array of research that I have simplified under this topic. It covers how research has been analyzing security: what aspects are considered, how it is getting better, what the vulnerabilities are, etc. Analysis of security also involves general aspects of software and hardware security analysis, malware analysis, analysis of the resources available for using security schemes in medical devices, etc. The analysis of security is a vast topic and I will subdivide it as follows, giving a reference for each that introduces the viewers to the topic and what I want to convey.
  1. Malware
  2. Software security
  3. Hardware security
  4. Miscellaneous 





Thursday, April 14, 2016

More on the FDA: The FDA is an integral body that holds tonnes of data regarding medical devices: their recalls, threats, security failures, etc. It also provides checklists for organizations and manufacturers for providing safety and security. The relevance of the FDA has been immense in most of the work on medical device security. However, the FDA has no legal remit from Congress to directly regulate privacy!! The following readings provide analysis of the FDA databases along with the involvement of the FDA in research.

Thursday, March 31, 2016

The FDA has been an active and crucial government body in the case of medical device security. In a way, the research community is pushing the FDA for stringent rules or a checklist for manufacturers to maintain security in medical devices.
The essential link here is the FDA website, which has a separate listing for Medical Devices! It delves into the entirety of medical devices, from research to events to safety issues and much more. An additional link I am particularly interested in is the recalls section. This would help me in my project, as it provides data for studying the causes of recalls. I am pursuing the same for my project.





Thursday, March 24, 2016

I end the medical device introduction topic with the paper - "Emerging Frontiers in Embedded Security", IEEE International Conference on VLSI Design, 2013. The paper does not have much content but emphasizes the need for secure designs in future IoT devices, especially Implantable Medical Devices, and calls for robust design of the same. The concerns are access control, resource constraints, software updates, diverse devices and users, functional complexity, etc., which I have already highlighted in my double-edged sword doodle.
Why is medical device security a double-edged sword?

The doodle below is self-explanatory about the problems medical device security faces in the realm of industry, research and government. Most of the research aims at improving the technical aspects of this double-edged sword, with industry and government aiming at the logistics.

A brief explanation of what I wanted to convey:
  • The FDA and the device manufacturers are the ones that overpower all other factors and are at the top of this tradeoff.
  • Reliability of medical devices trades off with security and resources, since we are dealing with severely constrained devices.
  • With the advent of IoT medical devices in the near future, a whole threat of cyberattacks is looming.
  • Other concerns include device specific attacks, emergency access to these medical devices if necessary and possible device access usages. 
  • Since humans are involved in the loop, it complicates matters adversely. 

Thursday, March 17, 2016

MIS506 Project Proposal

Evaluation and Analysis of Security Breaches and Attacks on Medical Devices

Brief Introduction:
    With an increasing number of embedded devices connected to the Internet (the Internet of Things), security issues will only rise, in software, in hardware and in combined hardware-software. The medical domain is a critical segment of the IoT with the advent of Internet-connected medical devices and implantable medical devices. As medical devices interact more intimately with human beings, security becomes a critical issue. Specific challenges uniquely define the security threats in medical devices, viz. crucial resource constraints, device safety, sensitive data protection and emergency access (irrespective of an attack). Security breaches/attacks in medical devices, and the mechanisms to mitigate them, will have drastic effects on the aforementioned aspects. New attacks are discovered in the research community that target loopholes in medical device design, thus requiring special validation of the entire device design and manufacture cycle.
     There is, however, a strong requirement to study and analyse the attack platform on medical devices; in other words, what part of the medical device system are the attackers targeting? This would provide a direction for channelling research and industry efforts to prevent them.


Project Plan:

    Though there are not many publicly disclosed cases of attacks on medical devices, simple cases like the detection of vulnerabilities would be a good start for the study, as these translate to possible loopholes for future attacks. I plan to study and analyse vulnerabilities in medical devices in greater detail, especially which components are vulnerable: software, hardware, interface, input-output, wireless communication or cloud systems. In-depth analysis of which sub-components of these components are vulnerable would be necessary. This study and analysis would give a better perspective of where the possible attack surfaces lie and what the preventive measures should target. As much research has suggested, security has to be incorporated from the ground up. Research [1][2][3] has been carried out in this direction but does not delve into the sub-component level, and its results are oriented only towards a study direction rather than towards analysis and a test bed for preventive schemes, which I would like to explore in the ECE506 project. The required raw data for this project will be obtained from several sources, including but not limited to the sources from which the references obtained their data.

References:
[1] Z. Bliznakov et al., "Analysis and Classification of Medical Device Recalls", IFMBE Proceedings.
[2] Homa Alemzadeh et al., "Analysis of Safety-Critical Computer Failure in Medical Devices", IEEE Computer and Reliability Societies, 2013.
[3] Daniel B. Kramer et al., "Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance", PLoS ONE, 2012.

Monday, March 14, 2016

Another popular article from an active research group that delves into medical device security is "Reliability and security of implantable and wearable medical devices", a chapter of the book Implantable Bio-medical Microsystems. It can be observed that implantable devices are where most of the research is; as the word suggests, they are intrusive and hence much more of a threat than non-intrusive medical devices.
The highlights of this reading are as follows:

  • Reliability and security issues are realized at the network level through the composition of unreliable and unsecured individual nodes. Security becomes an issue only at the network level when nodes are combined, unlike wearables, which require every node to be secure.
  • Reliability is the key issue, and factors like the power system, processor, memory, software, radio communication, humans, hardware, etc. can be responsible for issues.
  • Mechanisms to assure the same include fail-safes, trusted platform modules and malware detection units based on various physical characteristics.
Privacy is another important aspect that goes hand in hand with security, especially in the age of mobile health or mHealth. Privacy is one concern that provides the meaningful use in Electronic Health Records. An introduction to privacy requirements and aspects of mHealth is given in the survey paper "Privacy in Mobile Technology for Personal Healthcare", which is worth a read.


One thing we will observe in medical device security is that all issues are a double-edged sword!!

Friday, March 11, 2016

Let me begin with a highly cited introductory technical paper on medical device security and privacy, especially targeting implantable ones: "Security and Privacy for Implantable Medical Devices" - IEEE Pervasive Computing Mobile and Ubiquitous Systems 2008.
Brief Introduction: 

  • Balance security-privacy-safety-utility with efficacy.
  • General framework for evaluating security and privacy of wireless IMDs giving design goals for the same.
  • Safety and utility goals: data access/accuracy, software update, configurability, resource efficient, multidevice coordination and device identification.
  • Security and privacy goals: authorization, availability, device software and settings, data integrity, device knowledge/presence and sensitive information privacy.
  • Tradeoffs: security versus emergency access-device resources-usability.
  • Cryptographic and energy-centric methods for providing security and privacy at low cost without diminishing the efficacy of IMD functionality.


                                
There is an active research community into medical device security with plentiful material. I shall try to post material in a cohesive directed manner, following the overview below:

Wednesday, March 9, 2016

I had redirected the viewers to the link posted in my previous post as it gives a good eagle's eye view of the medical device security scene from all angles. My research is focused towards medical device security as well, so many of my posts would be with respect to technical papers and journals.
Below I provide a few more links that give a general aspect of medical device security and its perspective from the industry, people and mainly the FDA!!

The icing on the cake link: "Who cares about medical device security?"

Thursday, February 25, 2016

The link below gives a brief look behind the scenes of hacking implantable medical devices. As the blog states, it has been termed "Medjacking". The link has an overall picture and summary of several research papers that have found success in breaking into medical devices. My blog will delve further into the details of the same, providing a more detailed overall picture with additional technical details.

http://resources.infosecinstitute.com/hcking-implantable-medical-devices/
Let us start with the story of Barnaby Jack.
Profile: Ingenious programmer, hacker and computer security expert.
From: New Zealand
Place of Death: San Francisco 2014
Reason for Death: Accidental drug overdose from combining benadryl, heroin and cocaine.
Conspiracy: Wondering why a prodigy would die of a puny overdose of hard drugs? Let's get to his background. Barnaby Jack was an avid hacker who successfully hacked into an ATM, making it automatically spit out bills, which earned the title "Jackpotting ATM". He showcased his awesome skills at the BlackHat Conference in 2010.
In 2011 he successfully hacked into insulin pumps, causing them to pump out an overdose of insulin high enough to kill the patient. He showcased this case at the McAfee conference.
In 2012 he showcased his hack into a pacemaker at the BreakPoint conference. He showed how easy it was to assassinate an individual with that model of pacemaker. He famously said "It was easier than in TV" - referring to the assassination of the vice president in the TV series Homeland.
With such glory in the field of hacking, openly showcasing his hacks of off-the-shelf medical devices and ATMs, the conspiracy theory erupted - he was assassinated by the government or medical device companies.