The FDA has been an active and crucial government body in the case of medical device security. In a way the research community are pushing the FDA for stringent rules or a checklist to maintain security in medical devices by manufactures.
The essential link here is the website of FDA, that have a separate listing of Medical Devices! It delves into the entirety of medical devices from research to events to safety issues and much more. Another additional link I am particularly interested in is the recalls section. This would help me in my project as it provides data for study about causes of recalls. I am pursuing the same for my project.

I end the medical device introduction topic with the paper - "Emerging Frontiers in Embedded Security", IEEE International Conference on VLSI Design, 2013. The paper has not much content but emphasis the needs for secure designs in future IoTs especially Implantable Medical Devices and calls for robust design of the same. Concerns are: access control, resource constraints, software updates, diverse devices and users, functional complexity etc, which I have already highlighted in my double edges sword doodle. 

Why medical device security is a double edged sword?

The below doodle is self-explanatory to the problems medical device security face in the realm of industry, research and government. Most of the research aims at trying to improve the technical aspects of this double-edged sword with the industry and government aiming at the logistics. 

A brief explanation of what I wanted to convey:

• The FDA and the Device manufactures are the ones that overpower all other factors and are at the top of this tradeoff.
• Reliability of medical devices tradesoff with security and resources, since we are dealing with severely constraint devices.
• With the advent of IoT medical devices in the near future, a whole threat of cyberattacks is looming. 
• Other concerns include device specific attacks, emergency access to these medical devices if necessary and possible device access usages. 
• Since humans are involved in the loop, it complicates matters adversely. 

MIS506 Project Proposal

Evaluation and Analysis of Security Breaches and Attacks on Medical Devices

Brief Introduction:

    With increasing embedded devices connected to the Internet - Internet of Things, security issues will only rise, both on software, hardware and both hardware-software. The medical domain is a critical segment of the IoTs with the advent of Internet connected medical devices and implantable medical devices As medical devices interact more intimately with human beings, security becomes a critical issue. Specific challenges uniquely define the security threats in medical devices viz. crucial resource constraints, device safety, sensitive data protection and emergency access(irrespective of an attack). Security breaches/attacks and mechanisms to mitigate them, in medical devices will have drastic affects on the aforementioned aspects. New attacks are discovered in the research community that target loopholes in medical device design, thus requiring special validation of the entire device design and manufacture cycle.

     There is a strong requirement however to study and analyse the attack platform on the medial devices in other words What part of the medical device system are the attackers targeting?. This would provide a direction for channelizing research and industry efforts to prevent them.

Project Plan:

    Though there are not many publicly disclosed cases of medical devices attacks, simple cases like detection of vulnerabilities would be a good start for the study as this translated to possible loopholes for future attacks. I plan to study and analyse vulnerabilities in medical devices in greater detail especially what components are vulnerable which may be software, hardware, interface, input-output, wireless communication or cloud systems. In-depth analysis of what further sub-components of these components are vulnerable would be necessary. This study and analysis would give a better perspective of where the possible attack surfaces lie and what should the preventive measure target. As much research has suggested security has to be incorporated from ground-up. Research [1][2][3] has been carried out in this direction but do not delve into the sub-components level and results are oriented only towards a study direction rather than an analysis and test bed for preventive scheme direction which I would like to explore in the ECE506 project. The required raw data for this project will be obtained from the several sources including but not limited to the sources that the references have obtained their data from.

References:

[1] Z. Bliznakov et. al., ”Analysis and Classification of Medical Device Recalls”, IFMBE Proceedings.

[2] Homa Alemzadeh et. al., ”Analysis of Safety-Critical Computer Failure in Medical Devices”, IEEE Computer and Reliability Societies, 2013.

[3] Daniel B. Kramer et. al., ”Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance”, PLoS ONE, 2012.

Another popular article from an active research group that delve into medical devices security is ''Reliability and security of implantable and wearable medical devices" from the Implantable Bio-medical Microsystems book chapter. It can be observed that Implantable devices is where most of the research is in as the word suggests it is intrusive and hence much more of a threat than non-intrusive medical devices.
The highlights of this reading is as follows:

• Reliability and security issues are realized at the network level through the composition of unreliable and unsecured individual nodes. Security to be an issue only at the network level when combined unlike wearables that require every node to be secure.
• Reliability is the key issue and factors like power system, processor, memory, software, radio communication,humans, hardware etc can be responsible for issues.
• Mechanism to assure the same include - fail-safe, trusted platform modules and malware detection units based on various physical characteristics. 

Privacy is another important aspect that goes hand in hand with security especially in the age of mobile health or mHealth. Privacy is one concern that provides the meaningful use in Electronic Health Records. An introduction to privacy requirements and aspects of mHealth are discussed in the survey paper ''Privacy in Mobile Technology for Personal Healthcare" which is worth a read. 

One thing we will observe in medical device security is that all issues are a double-edged sword!!

Let me begin with a highly cited introductory technical paper on medical device security and privacy especially targeting implantable ones :- "Security and Privacy for Implantable Medical Devices" - IEEE Pervasive Computing Mobile and Ubiquitous Systems 2008. 

Brief Introduction: 

• Balance security-privacy-safety-utility with efficacy.
• General framework for evaluating security and privacy of wireless IMDs giving design goals for the same.
• Safety and utility goals: data access/accuracy, software update, configurability, resource efficient, multidevice coordination and device identification.
• Security and privacy goals: authorization, availability, device software and settings, data integrity, device knowledge/presence and sensitive information privacy.
• Tradeoffs: security versus emergency access-device resources-usability.
• Cryptographic and energy-centric methods for providing security and privacy at low cost without diminishing the efficacy of IMD functionality.

                                

There is an active research community into medical device security with plentiful material. I shall try to post material in a cohesive directed manner, following the overview below:

I had redirected the viewers to the link posted in my previous post as it gives a good eagle's eye view of the medical device security scene from all angles. My research is focused towards medical device security as well, so many of my posts would be with respect to technical papers and journals.
Below I provide a few more links that give a general aspect of medical device security and its perspective from the industry, people and mainly the FDA!!

• "FDA is a step backward in medical device security "
• "Delloite's take on medical device security"
• "Why should medical device security be top priority"
• "The Archimedes Center for Medical Device Security"

The icing on the cake link: "Who cares about medical device security?"