Risk Assessment Methodologies for the Internet of Medical Things: A Survey and Comparative Appraisal

The Internet of Medical Things (IoMT) has revolutionized health care services by providing significant benefits in terms of patient well-being and the associated costs. Traditional risk assessment methodologies, however, cannot be applied effectively in the IoMT context, since IoMT devices form part of a distributed and trustless environment and naturally support functionalities that favor reliability and usability over security. In this work we present a survey of risk assessment and mitigation methodologies for IoMT. To conduct the survey, we assess two streams of literature. First, we systematically review and classify the current scientific research on IoMT risk assessment methodologies. Second, we review existing standards and best practices for IoMT security assessment and mitigation in order to i) provide a comparative assessment of these standards and best practices on the basis of predefined criteria (scope and/or coverage, maturity level, and the risk methodology applied) and ii) identify common themes in IoMT security controls. Based on the analysis, we identify various IoMT research and implementation gaps, along with a road map of fruitful areas for future research. The paper could be of significant value to security assessment researchers and to policymakers and stakeholders in the health care industry.
