Log In Sign Up

A New Methodology for Information Security Risk Assessment for Medical Devices and Its Evaluation

by   Tom Mahler, et al.

As technology advances towards more connected and digital environments, medical devices are becoming increasingly connected to hospital networks and to the Internet, which exposes them, and thus the patients using them, to new cybersecurity threats. Currently, there is a lack of a methodology dedicated to information security risk assessment for medical devices. In this study, we present the Threat identification, ontology-based Likelihood, severity Decomposition, and Risk integration (TLDR) methodology for information security risk assessment for medical devices. The TLDR methodology uses the following steps: (1) identifying the potentially vulnerable components of medical devices, in this case, four different medical imaging devices (MIDs); (2) identifying the potential attacks, in this case, 23 potential attacks on MIDs; (3) mapping the discovered attacks into a known attack ontology - in this case, the Common Attack Pattern Enumeration and Classifications (CAPECs); (4) estimating the likelihood of the mapped CAPECs in the medical domain with the assistance of a panel of senior healthcare Information Security Experts (ISEs); (5) computing the CAPEC-based likelihood estimates of each attack; (6) decomposing each attack into several severity aspects and assigning them weights; (7) assessing the magnitude of the impact of each of the severity aspects for each attack with the assistance of a panel of senior Medical Experts (MEs); (8) computing the composite severity assessments for each attack; and finally, (9) integrating the likelihood and severity of each attack into its risk, and thus prioritizing it. The details of steps six to eight are beyond the scope of the current study; in the current study, we had replaced them by a single step that included asking the panel of MEs [in this case, radiologists], to assess the overall severity for each attack and use it as its severity...


page 1

page 2

page 3

page 4


A Structured Analysis of Information Security Incidents in the Maritime Sector

Cyber attacks in the maritime sector can have a major impact on world ec...

Medical Imaging Device Security: An Exploratory Study

Recent years have witnessed a boom of connected medical devices, which b...

Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices

Purpose: Used extensively in the diagnosis, treatment, and prevention of...

A Methodology to Support Automatic Cyber Risk Assessment Review

Cyber risk assessment is a fundamental activity for enhancing the protec...

Risk Assessment of Cyber Attacks on Telemetry Enabled Cardiac Implantable Electronic Devices (CIED)

Cardiac Implantable Electronic Devices (CIED) are fast becoming a fundam...

Combating Informational Denial-of-Service (IDoS) Attacks: Modeling and Mitigation of Attentional Human Vulnerability

This work proposes a new class of proactive attacks called the Informati...