A New Methodology for Information Security Risk Assessment for Medical Devices and Its Evaluation

02/17/2020
by Tom Mahler, et al.

As technology advances towards more connected and digital environments, medical devices are becoming increasingly connected to hospital networks and to the Internet, which exposes them, and thus the patients using them, to new cybersecurity threats. Currently, there is no methodology dedicated to information security risk assessment for medical devices. In this study, we present the Threat identification, ontology-based Likelihood, severity Decomposition, and Risk integration (TLDR) methodology for information security risk assessment for medical devices. The TLDR methodology uses the following steps: (1) identifying the potentially vulnerable components of medical devices, in this case, four different medical imaging devices (MIDs); (2) identifying the potential attacks, in this case, 23 potential attacks on MIDs; (3) mapping the discovered attacks into a known attack ontology, in this case, the Common Attack Pattern Enumeration and Classifications (CAPECs); (4) estimating the likelihood of the mapped CAPECs in the medical domain with the assistance of a panel of senior healthcare Information Security Experts (ISEs); (5) computing the CAPEC-based likelihood estimate of each attack; (6) decomposing each attack into several severity aspects and assigning them weights; (7) assessing the magnitude of the impact of each of the severity aspects for each attack with the assistance of a panel of senior Medical Experts (MEs); (8) computing the composite severity assessment for each attack; and finally, (9) integrating the likelihood and severity of each attack into its risk, and thus prioritizing it. The details of steps six to eight are beyond the scope of the current study; in the current study, we replaced them with a single step in which the panel of MEs (in this case, radiologists) was asked to assess the overall severity of each attack, which was then used as its severity...
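Steps three to nine of the TLDR methodology, carried through on constructed sample data as an added Python example (this is not the paper's code or data): the CAPEC mapping, the ISE likelihood estimates, the severity aspects and their weights, and the aggregation rules (mean likelihood over the mapped CAPECs, weight-normalised severity, risk as likelihood times severity) are all assumptions made here for illustration.

```python
from statistics import mean

# Constructed sample input (not from the paper). Scales: 1 (lowest) .. 5 (highest).
# Step 4: likelihood of each CAPEC in the medical domain, as estimated by the ISE panel.
CAPEC_LIKELIHOOD = {"CAPEC-94": 4, "CAPEC-125": 5, "CAPEC-112": 3, "CAPEC-66": 2}

# Step 6: assumed severity aspects and weights (the paper's own decomposition is not shown here).
ASPECT_WEIGHTS = {"patient_harm": 3, "misdiagnosis": 3, "availability": 2, "privacy": 2}

# Steps 3 and 7: each attack's CAPEC mapping and the ME panel's score per severity aspect.
ATTACKS = {
    "modify images in transit": {
        "capecs": ["CAPEC-94"],
        "aspects": {"patient_harm": 5, "misdiagnosis": 5, "availability": 2, "privacy": 3},
    },
    "flood the device's network service": {
        "capecs": ["CAPEC-125"],
        "aspects": {"patient_harm": 2, "misdiagnosis": 1, "availability": 5, "privacy": 1},
    },
    "unauthorised access to the study database": {
        "capecs": ["CAPEC-112", "CAPEC-66"],
        "aspects": {"patient_harm": 1, "misdiagnosis": 1, "availability": 2, "privacy": 5},
    },
}


def attack_likelihood(capecs, capec_likelihood=CAPEC_LIKELIHOOD):
    """Step 5: aggregate the ISE estimates of the mapped CAPECs (assumption: arithmetic mean)."""
    # A CAPEC the panel never rated is an error, not a silent zero that hides the attack.
    missing = [c for c in capecs if c not in capec_likelihood]
    if missing:
        raise KeyError(f"no likelihood estimate for {missing}")
    return mean(capec_likelihood[c] for c in capecs)


def attack_severity(aspects, weights=ASPECT_WEIGHTS):
    """Step 8: composite severity as the weight-normalised sum of aspect scores (assumption)."""
    if set(aspects) != set(weights):
        raise ValueError("every weighted aspect needs exactly one score")
    return sum(aspects[a] * w for a, w in weights.items()) / sum(weights.values())


def rank_attacks(attacks=ATTACKS):
    """Step 9: risk = likelihood x severity (assumption); returns (name, L, S, risk), highest first."""
    rows = []
    for name, spec in attacks.items():
        lik = attack_likelihood(spec["capecs"])
        sev = attack_severity(spec["aspects"])
        rows.append((name, lik, sev, lik * sev))
    return sorted(rows, key=lambda r: r[3], reverse=True)
```

With this input the image-tampering attack ranks first (risk 16.0) because it combines a high CAPEC likelihood with the patient-harm and misdiagnosis aspects the weights favour, while the database attack ranks last (5.0) despite its maximal privacy score.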
