A New Methodology for Information Security Risk Assessment for Medical Devices and Its Evaluation

by   Tom Mahler, et al.

As technology advances towards more connected and digital environments, medical devices are becoming increasingly connected to hospital networks and to the Internet, which exposes them, and thus the patients using them, to new cybersecurity threats. Currently, there is a lack of a methodology dedicated to information security risk assessment for medical devices. In this study, we present the Threat identification, ontology-based Likelihood, severity Decomposition, and Risk integration (TLDR) methodology for information security risk assessment for medical devices. The TLDR methodology uses the following steps: (1) identifying the potentially vulnerable components of medical devices, in this case, four different medical imaging devices (MIDs); (2) identifying the potential attacks, in this case, 23 potential attacks on MIDs; (3) mapping the discovered attacks into a known attack ontology - in this case, the Common Attack Pattern Enumeration and Classifications (CAPECs); (4) estimating the likelihood of the mapped CAPECs in the medical domain with the assistance of a panel of senior healthcare Information Security Experts (ISEs); (5) computing the CAPEC-based likelihood estimates of each attack; (6) decomposing each attack into several severity aspects and assigning them weights; (7) assessing the magnitude of the impact of each of the severity aspects for each attack with the assistance of a panel of senior Medical Experts (MEs); (8) computing the composite severity assessments for each attack; and finally, (9) integrating the likelihood and severity of each attack into its risk, and thus prioritizing it. The details of steps six to eight are beyond the scope of the current study; in the current study, we had replaced them by a single step that included asking the panel of MEs [in this case, radiologists], to assess the overall severity for each attack and use it as its severity...



There are no comments yet.


page 1

page 2

page 3

page 4


A Structured Analysis of Information Security Incidents in the Maritime Sector

Cyber attacks in the maritime sector can have a major impact on world ec...

Medical Imaging Device Security: An Exploratory Study

Recent years have witnessed a boom of connected medical devices, which b...

Identifying and Modeling Security Threats for IoMT Edge Network using Markov Chain and Common Vulnerability Scoring System (CVSS)

In this work, we defined an attack vector for networks utilizing the Int...

Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices

Purpose: Used extensively in the diagnosis, treatment, and prevention of...

How Secure Is Your IoT Network?

The proliferation of IoT devices in smart homes, hospitals, and enterpri...

Risk Assessment of Cyber Attacks on Telemetry Enabled Cardiac Implantable Electronic Devices (CIED)

Cardiac Implantable Electronic Devices (CIED) are fast becoming a fundam...

You Overtrust Your Printer

Printers are common devices whose networked use is vastly unsecured, per...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.