Medical device vulnerability mitigation effort gap analysis taxonomy

Abstract: The use of medical devices in healthcare networks is increasing as governments and private entities look to improve clinical outcomes while reducing the overall costs associated with healthcare service delivery. These devices, which used to be stand-alone, are now becoming more integrated with corporate and clinical networks, sharing data between devices and other data information systems. As a result, healthcare networks are being targeted by hackers and malicious users, and there is increasing concern about the possible risks that medical devices pose to both the security of patient data and the physical safety of patients. Therefore, a Medical Device Vulnerability Mitigation Effort Gap Analysis Taxonomy (MDV-MEGA) toolset is proposed to better understand what effort has been made by different associated parties to tackle the medical device vulnerability problem and, ultimately, to help those parties determine which areas need further attention. This paper reviews the literature of the last five years, aiming to identify the amount of effort that has been contributed by five medical device associated parties: Authority, Device Manufacturers, Healthcare Facilities, Standards Organisations and Academia. First, a general background is presented to highlight existing issues; then the research and effort trends are discussed along with a presentation of the collated data. Additionally, each effort item is presented in the Medical Device Vulnerability Mitigation Effort Gap Analysis (MDV-MEGA) Taxonomy. Finally, the overall picture is summarised and, based on the results, recommendations to tackle the identified effort gaps and future areas of research are proposed.
