Medical Imaging Device Security: An Exploratory Study

03/30/2019 ∙ by Pingchuan Ma, et al. ∙ IEEE 0

Recent years have witnessed a boom of connected medical devices, which brings security issues in the meantime. As an essential category of medical devices, from our observation, medical imaging devices are under enormous potential security risk. To address it, many works have been done, and effective methods were proposed in the past decades. However, it remains to review current medical imaging devices and evaluate the security and privacy of these devices. We first investigate 15 devices (such as X-Ray, DSA, CT, etc.) which vary in manufacturers and functions to have an overview of medical imaging devices, hacking techniques, their protection mechanisms and the threat model. We further analyse them and have confirmed that all of them have more or fewer security defects, some of which can be attacked by a well-trained hacker. Then, we design a list of criteria and define a multi-level hierarchy for both vendors and government agencies to rate the products. At last, some actionable recommendations are given to help developers to protect these devices.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Healthcare today increasingly depends on computers, networking and information systems. Due to the need of digital healthcare, most diagnostic imaging systems are connected to the Internet/LAN (Local Area Network), of which some even provide an online HMI (Human-Machine Interface) such as web applications. However, limited mechanisms are applied to ensure system security and health data privacy. From the perspective of attackers, these systems are vulnerable and can be easily exploited.

1.1 Motivation

In the past decades, PACS/RIS (Picture Archiving and Communications System/Radiography Information System) has gone through digital evolutionary improvements, including richer function, better user experience and advancement in security. However, there are still many security needs in hospitals and healthcare institutions. Farhadi et al. surveyed the security needs in the state hospital of Iran and concluded that these systems had the patient health data, but they did not have suitable mechanisms to interface network or taking reports [9].

Before this work, we presented an overview of security issues on diagnostic imaging systems at CCS’18 and discovered many security defects from devices sold by some of the world’s biggest vendors [24]. Our investigation shows that most of the diagnostic imaging systems are under risk and their information security should be further improved.

However, our previous work doesn’t illustrate a comprehensive overview of protection mechanisms as well as their threats. Additionally, protection mechanisms are not well presented. Hence, we conveyed an exploratory study on the security and privacy of medical imaging devices.

1.2 Contribution

For diagnostic imaging systems mentioned above, comprehensive security analysis together with effective assessment methods is highly needed, which provides a baseline for both government agencies and vendors to rate the security and privacy of these products in the premarket stage. In summary, our main contributions are:

  • We present an overview of hacking techniques and protection mechanisms of medical imaging devices.

  • We propose the threat model based on the work scheme.

  • We design a list of criteria and define a multi-level hierarchy system for medical imaging devices evaluation.

  • We propose some actionable recommendations for secure development.

2 Background

In this section, we will briefly introduce the background of medical imaging device security and related industrial standards.

2.1 Diagnostic Imaging System

The diagnostic imaging system is a technique that creates visual representations of the interior of a body for clinical analysis and medical intervention, where the medical imaging devices are the main component for image acquisition and processing. To be fully effective, diagnostic imaging systems are supported by modern digital archiving technologies, known as PACS/RIS. These systems are costly and likely to be in operations for more than ten years. As a result, many systems are based on Windows XP, while Microsoft announced the end of support for Windows XP in 2014 [18].

The workflow for imaging can be described as follows:

Step 1 Doctors arrange a patient to take an image in PACS/RIS.

Step 2 PACS/RIS registers the patient and schedule a diagnostic imaging system to serve the patient.

Step 3 Diagnosticians execute the commands, and medical imaging devices take the image.

Step 4 Digital films transfer to diagnostician’s workstation and archive in PACS/RIS.

Step 5 Doctors view the digital image in PACS/RIS.

As a result, diagnostic imaging systems play an essential role in the whole process. The diagnostic imaging system in the workflow includes workstations and image-acquisition devices. The primary target in this paper is workstations of diagnosticians, which processes and stores health data and controls radiological machines.

2.2 Industrial Standards

Standards were published in the industry during the past decades to guide vendors developing more secure devices.

Digital Imaging and Communications in Medicine (DICOM) is an international standard to transmit, store, retrieve, print, process, and display medical imaging information. In terms of communication security of DICOM, when it was first published in the 1980s, on one concerned with information security and encoding was the only security mechanism over 20 years. Therefore, ISO 12052 [19], as a DICOM standard proposed in 2016, designed enormous security mechanisms that should be implemented.

Standards such as IEC TR 80001-2-2:2012 entitled “Application of risk management for IT-networks incorporating medical devices – Part 2-2: Guidance for the communication of medical device security needs, risks and controls” [13] and HIMSS/NEMA Standard HN 1-2013 “Manufacturer Disclosure Statement for Medical Device Security” [14] to protect diagnostic imaging systems from intrusion. They described some security abilities and relevant disclosure mechanism for vendors to ensure compliance.

However, the standards above are far from enough for government agencies to establish a model for examining whether a device is secure enough to appear on the market. Besides, we must take into account the security issues involved in a whole lifecycle, such as vulnerabilities.

3 Hacking Techniques

To successfully penetrate targets, a well-trained hacker is likely to adopt a series of hacking techniques. In this section, we would present some possible methods for medical imaging devices analysis.

3.1 Port Scanning

Port scanning is the most popular technique for penetrating systems which probes a server or host for open ports. A great number of tools are developed and vary in rule-libraries for port scanning, such as Nmap111https://nmap.org, Unicornscan222https://sectools.org/tool/unicornscan and Netcat333http://netcat.sourceforge.net/. With the help of well-designed tools, as is shown in Fig. 1, hackers can identify the service as well as its version on a certain port and utilise vulnerabilities to exploit it.

Figure 1: Nmap for Port Scanning

However, in practice, due to the firewall, a vast number of ports are closed or filtered (Scanned 84 services on a device without firewall and 66 services on a device with a firewall). Besides, some devices provide customised services which cannot be recognised by mainstream tools.

3.2 Traffic Analysis

As is shown in Fig. 2, Wireshark444https://www.wireshark.org is typically used for collect the traffic of medical imaging devices. Because of plaintext communication, attackers can analyse the traffic and further identify or modify some sensitive information.

Figure 2: Wireshark for Traffic Analysis

In practice, the medical imaging device is linked with an Ethernet line, and another Ethernet line from the mirror port of the switch is linked with the workstation to analyse all data transmission using Wireshark. However, some devices enable SSL communication, and we need to install our private certification on the devices to analyse encrypted data. Besides, some devices utilise VPN (Virtual Private Network) to send health data, and traffic analysis is not available in this case.

3.3 Reverse Engineering

Reverse engineering is the process of analysing software to identify the interrelationships of different components and to discover security vulnerabilities. It is regarded as a practical approach to exploit and penetrate target devices. Usually, most software is presented in forms of binary code, and some are even obfuscated to prevent source code leakage. So, it is an extremely time-consuming task, especially when the system is huge and complicated.

In our case, medical imaging devices are provided by the vendors, and we are not allowed to reverse their software. Instead, we can ask some technical detail to the developers, which helps us find some security flaws.

3.4 Physical Brute-Force

Medical imaging devices are a kind of CPS (Cyber-Physical System), and we assume that attackers may have physical access to target devices.

For example, although the attackers don’t know the PIN code of a medical imaging device, he can view health data by taking the machines apart and getting the disk. Also, most devices enable the “Emergency Access” mode which provides limited functions without any authentication. Therefore, based on the assumption, we are compelled to consider whether protection mechanisms are adopted to prevent physical brute-force.

4 Overview of Our Investigation

In this section, we would present an overview of our investigation, introduce the security issues we found and then propose a threat model.

4.1 Device Overview

We have got access to many manufacturers and tested their devices about security and privacy. The manufacturers are international companies, which contains the most market shares in the global medical imaging device market. To protect the commercial reputation of these vendors, we use A, B, , H to denote different vendors respectively.

4.2 Result

We tested 15 devices in terms of storage encryption, transmission encryption, physical lock, system hardening and security guidance. We also test other aspects, including authentication, data archiving, etc. To improve the readability, we select the above terms to analyse. To avoid confusion, the term named “System Hardening” refers to various software-level mechanisms such as firewall, anti-virus, patch installation and other software mechanisms aiming at the overall software system protection. “Storage Encryption” and “Transmission Encryption” refer to whether data is encrypted in different stages respectively. “Physical Lock” refers to the mechanism that prevents illegal brute-force to the physical devices. “Security Guidance” refers to the handbook or instruction for users’ correct configuration.

Manufacturer Type
Storage
Encryption
Transmission
Encryption
Physical Lock System Hardening Security Guidance

 

A DSA N/A Partial Full Partial N/A
A CT N/A N/A Full Partial N/A
A DR Full Partial Full Full N/A
A Mini C Partial Partial Full Partial N/A
B DSA Partial N/A N/A Partial N/A
B DIC Partial N/A N/A Partial N/A
C DR N/A N/A N/A Partial N/A
C CT N/A N/A Full Partial N/A
D CT Partial N/A Full Partial Partial
E CT Partial Partial N/A Partial Full
E DR Partial Partial Full Partial Full
F Mammography X-Ray N/A Partial Full Partial Full
G Dental X-Ray N/A Partial Full Partial Full
H CT N/A N/A N/A N/A N/A
H DR Full Full N/A Full Full
Table 1: Result of Medical Imaging Device Security. “Partial” in Storage Encryption means that the devices only encrypt part of health data; “Partial” in Transmission Encryption means that the devices only encrypt data in some special context; “Partial” in System Hardening and Security Guidance means that not all requirements in the term are satisfied.

As is shown in Table. 1, none of the devices can fully satisfy our requirements. Some devices only adopt fundamental protection mechanisms which can be exploited by some attack vectors. In terms of encryption, the fact is that only a small part of data is encrypted or well protected. In terms of transmission, there is a notable point that while some devices design a grading system and adopt full support to the security requirements at the highest level, the default configuration only meets the lowest level where little mechanisms are adopted.

4.3 Additional Security Issues

Some striking issues in current systems are not presented in the table above, and we describe as follows.

As a consequence, even script kiddies can invade these vulnerable systems and steal patients’ health data, let alone professional hackers. Therefore, effective measures should be taken by both vendors and government agencies to reverse the situation.

4.4 Threat Model

Generally, medical imaging devices are expected to be used in the internal hospital network and have extensive collaboration with systems inside and outside the internal network respectively. We present a typical medical imaging device in a hospital network in Fig. 3. Typically, the devices are connected with PACS/RIS and vendors’ remote servers outside hospital network for patch upgrading, VPN establishment and remote control. The PACS/RIS in hospital archives and renders the medical images, from which doctors’ workstations download the images.

Figure 3: Visualisation of a typical medical imaging device in a hospital network. Lines between devices/systems indicate data/control message transmission.

Based on the work scheme, three types of attack vectors might be feasible. (1) remote servers exploitation, where attacks can hack the vendors servers, then attack the devices, (2) internal network penetration, where attacks have access to hospital network (such as using the public WiFi in the hospital), then attack the devices, (3) physical brute-force, where attackers can social-engineer the stuff in hospital, then attack the devices.

Remote servers exploitation. Because vendors can command and control the devices, attacks can firstly exploit the servers and then enormous approaches can be adopted to exploit the devices, including (1) pushing malicious patch, (2) establishing VPN and hijacking, monitoring the traffic, (3) directly control the devices based on the feature of remote control.

Internal network penetration. Many hospitals don’t isolate the internal office network with public WiFi network, which leads to the chance that attacks have direct access to the devices. Hence, they can penetrate the devices by the open port and vulnerabilities.

Physical brute-force. In some cases, social engineering is adopted by attackers to get physical access to the devices. Once the physical access is stolen by attackers, the devices are under tremendous threats if enough protection mechanisms are not implemented.

5 Protection Mechanisms

In this section, we would compare current protection mechanisms with hacking techniques as well as other criteria to have a full landscape of medical imaging device security.

5.1 Encrypted Data Storage & Transmission

From the perspective of health data security, encryption methods are first applied to increase security, confidentiality and integrity during data transmission and storage.

For example, manufacturer A provides OpenVPN-enabled communication between medical imaging devices and PACS/RIS system, when the security mode is turned into the highest security level, so-called DoD Mode. As a result, traffic is naturally encrypted. Some devices provide https-based communication to enable secure transmission.

In terms of storage encryption, the developers claimed that users could install the hardware security module (HSM) additionally which enables data encryption feature; however, it is not installed by default.

5.2 Network Protection

Connected with a local area network, medical devices are likely to suffer from man-in-the-middle attacks. For medical imaging devices, a medical image standard, namely DICOM, enables node authentication in its file header. A notion called Application Entity Title (AE Title) is used to identify the DICOM nodes communicating between each other. To be precise, devices utilise AE Title, an IP address and a port number to identify a certain node in the network.

However, it is true that this mechanism cannot defence the ARP attack. Attackers can use ARP attack to create a fake node with a correct IP address and send DICOM file with correct AE Title at a correct port. Hardly can devices distinguish the malicious node unless other mechanisms are deployed. In other words, AE Title-based mechanism only prevents the case that caused by errors rather than malicious attacks. More effective methods for medical imaging device node authentication remain to be studied.

5.3 Physical Safeguards

As is mentioned in the previous section, under the assumption that attackers can have physical access to the devices, it is necessary to deploy safeguards in case of brute-force attacks.

Typically, devices are based on a workstation from some computer manufacturers such as hp. Hence, these workstations are pre-installed with a physical lock to prevent illegal access to hardware. However, due to the lack of detail instructions, most devices only enable partial physical safeguards according to Table. 1.

5.4 System Hardening

“System Hardening” refers to a series of software-based protection mechanisms. Specifically, we investigate the function of the firewall, shortcut closure, patch installation and anti-virus applications. Shortcuts need to be closed because attackers can escape from the current interface and create a malicious process by some shortcuts, such as Ctrl+Shift+Delete in Windows system.

5.5 Security Guidance

The reason we choose security guidance as a part of device protection mechanisms is that we firmly believe human plays a vital in security management and useful guidance can help users have a better understanding of their security situations and make the better configuration in their context. Current device guidance cares more about the functions of devices and only presents little security knowledge, and it is hard for a user without information security knowledge to config the extremely complex devices.

5.6 Evaluation

In this subsection, we refer to the framework proposed by Yuan et al. [22]. Their dimensions of evaluation contain deployment effort as well as runtime effort, and in this paper, we also consider the effectiveness of protection mechanisms. The cost of each protection mechanism includes the developer’s effort, the runtime cost and the effectiveness, which are the three dimensions shown in Fig. 4. To be precise, the area of circles indicates the effectiveness of protection mechanisms. Based on our study, different mechanisms vary in places and circle sizes.

Figure 4: Evaluation of Protection Mechanisms

Deployment effort is a term that presents an important criterion to evaluate the performance of a protection mechanism. For developers, the primary objective is to build secure devices at as little as possible cost. The deployment cost guides developers to adopt mechanisms which are easy to implement. We would consider the criterion from the perspectives of the change occurred on original systems and the cost of equipment.

Runtime effort

is a term that shows how much performance would be influenced by a certain mechanism. It is important to maintain a great user experience and enable fast response of devices. Specifically, hardware-assisted mechanisms do not take into account of the runtime effort. Generally, we mainly estimate the runtime effort by the volume of performance loss.

Effectiveness is the most significant criterion to present a comprehensive evaluation of protection mechanisms. Circles in different sizes represent the effectiveness of protection mechanisms. The related analysis is given previously.

https is much easier to develop when compared with building a VPN server. Besides, VPN also requires more runtime efforts than the figure of https. However, VPN slightly outperforms https because it won’t be attacked in the case that user installs a malicious certification though it is quite uncommon. In terms of HSM, the encryption together with decryption is completed by external hardware. Thus, the runtime efforts are lower than others’ counterparts. Integrated into DICOM standard, AE Title-based protection mechanism tends to take only a little runtime efforts and deployment efforts to authenticate remote node. As a means of hardware-assisted mechanisms, similarly, the physical lock doesn’t need many runtime efforts. But it is not easy to install if not pre-installed by workstation vendors. Firewall and anti-virus play an essential role in device protection. It is not easy to develop a firewall or anti-virus software in the customised system environment and consumes computing resource to filter malicious traffic. But it is supposed to be taken into consideration when users’ security need is high. Patch installation takes a great number of deployment efforts as well as runtime efforts. Besides, some compatibility problems may take place when some software is upgraded. Despite the enormous efforts, it is still worth and necessary to be adopted for its great effectiveness.

5.7 Comparison

To have a deeper comprehension of the relationship between protection mechanisms and hacking techniques, we make a further comparison from the perspective of different protection in Table. 2.

To begin with, VPN and https almost enable the same feature in terms of secret communication, while VPN provides better resistance against insecure certification. HSM utilises a hardware-assisted approach to prevent the data from illegal access. The hacking technique corresponded with AE Title is hard to summarise in that it is more an error-correction mechanism than a protection mechanism. We argue that firewall can prevent port scanning as well as reverse engineering, because some firewall provides a malicious traffic filter, which, to some extent, contributes to the defence of reverse engineering. Similarly, patch installation also protects devices from being attacked by reverse engineering. Timely upgrading can fix vulnerabilities and provides a more secure system. Security guidance is not a part of the hardware and software systems of the devices. Nevertheless, from the perspective of products, appropriate security guidance plays a fundamental role to prevent threats introduced by human factors.

Port Scanning Traffic Analysis Reverse Engineering Physical Brute-Force Others

 

VPN Insecure Certification
https
HSM
AE Title
Physical Lock
Firewall
Anti-virus Virus
Shortcut Closure Interface Escape
Patch Installation Vulnerability Exploitation
Security Guidance Human Factors
Table 2: Comparison between Protection Mechanisms and Hacking Techniques.

6 Hierarchy System

Requirement CL1 CL2 CL3

 

Storage Encryption
Transmission Encryption *
Node Authentication *
Physical Safeguards *
Role-based
Access Control
Identity Authentication
(If applicable)
Data Tracebility *
Auditing
System Hardening
Security Guidance
Table 3: Levels of Device Protection. “*” means the mechanism is not required at this level. “” means at least one mechanism is taken to enable the corresponding feature, while the mechanism(s) may not be effective enough. “” means at least one effective mechanism is taken to enable the corresponding feature

In this section, we present a multi-level hierarchy system for medical imaging device security evaluation in Table. 3.

Whether a mechanism should be taken involves many considerations. To establish the rating system, we consult with experts with industry, government and academic background respectively and refer to relevant standards and regulations. For example, we use the notion of “Node Authentication” instead of AE Title and add the notions of “Access Control”, “Identity Authentication” as well as “Data Traceability”.

For storage encryption, “” means that either some of the health data, including demographic data in the file header, is not encrypted, or the health data is encrypted by a weak algorithm, such as DES. “” in transmission encryption means that the communication protocol is out of date (such as SSL 3.0 and lower versions). Specifically, both https and VPN at correct versions are regarded as “✓”. For devices at CL1, node authentication is not needed. For CL3 devices, mechanisms such as AE Title are not adequate to provide the highest-level security protection. Identity authentication is needed for all levels of devices if applicable. It is not applicable for doctors to complete identity authentication with bloodied hands when some devices are used in surgery. Data traceability is required for CL2 and CL3 devices. Usually, UID in DICOM standard can help to identify the source. Comprehensive auditing, system hardening and security guidance are necessary for all devices, while some small print may be different for each level.

7 Related Work

In this section, we would introduce some related works.

Kevin Fu et al. firstly found that software radio can be applied to attack implantable cardioverter defibrillators (ICD) and proposed three approaches for defence in S&P’08 [12]. They reverse-engineered the ICD’s communication protocol. Then software-defined radio attacks were applied to get patients’ medical information and even turn off devices. Various aspects of implantable medical device security have been further studied [8, 6, 20, 7, 17]. Arney et al. presented a review of biomedical devices and systems security [3]. However, medical imaging devices are not mentioned.

Johannes et al. gave a comprehensive overview of security challenges for medical devices [21]. They presented challenges along with illustrative examples. However, the cases related to medical imaging devices are not described in detail as well, and system security implications of medical devices are not given. Daniel et al. studied the security quality of medical devices under the administration of FDA Postmarket Guideline [16]. They mentioned a recall of a radiation therapy system in that “the product has a software problem in which previous patient measurement data gets associated with another patient’s image”.

Their works draw wide attention from academia, government and industry. The U.S. FDA has highlighted cybersecurity considerations of medical devices. An enormous amount of exploitations aiming at implantable medical devices were proposed, including insulin pumps [10, 11, 23], blood pressure monitors and digital temperature monitors [5]. In the case of insulin pumps, attackers can control remote devices and release a lethal dose of insulin without alerting patients, which may directly harm the patients.

Besides implantable medical devices, Tamara et al. presented an experimental study of the surgical teleoperated robotic systems [4]. They presented some Denial-of-Service attacks on the Raven II robot. Then, Homa et al. proposed a model-based analysis framework to detect and mitigate attacks [1]. Almohri et al. focused on threat modelling the medical cyber-physical systems from various aspects [2].

Generally, researchers have studied medical device security in many fields. However, security and privacy issues involved in medical imaging devices remain to be explored.

Srinivasan et al. presented an overview of generic medical device security frameworks and proposed a methodology called “Cybersecurity Preliminary Hazards Analysis” for medical devices cybersecurity assessment [15]. Their method is based on guidelines and standards issued by official organisations and used for embedded devices in their paper.

Zhiqiang et al. firstly studied the security issues in the specific area of diagnostic imaging system [18]. They focused on DICOM standard, tested some devices and discovered several security defects. However, their work only provides minimal information about diagnostic imaging systems and remains to be further completed. Then, Pingchuan et al. proposed a fine-grained quantitative approach to evaluate the security situation of medical imaging devices.

8 Conclusion

In this paper, we test 15 representative devices and present a comprehensive overview of medical imaging device security. The result of our tests demonstrates that most devices are under risks and need to be improved for software security, network security, data security and system security.

We also compare the protection mechanisms implemented in current products and possible hacking techniques and propose the threat model to have a deeper understanding of the field. A list of criteria and a hierarchy system are proposed to rate devices. The system provides an actionable way for developers to improve their products and for government agencies to evaluate devices in the pre-market stage.

Acknowlledgement

The authors would like to thank anonymous reviewers and Ning Zhang, WashU for their valuable comments. The authors would also like to thank vendors involved in the work for their supports.

References

  • [1] Alemzadeh, H., Chen, D., Li, X., Kesavadas, T., Kalbarczyk, Z.T., Iyer, R.K.: Targeted attacks on teleoperated surgical robots: Dynamic model-based detection and mitigation. In: 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). pp. 395–406 (June 2016). https://doi.org/10.1109/DSN.2016.43
  • [2] Almohri, H., Cheng, L., Yao, D., Alemzadeh, H.: On threat modeling and mitigation of medical cyber-physical systems. In: 2017 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE). pp. 114–119. IEEE (2017)
  • [3] Arney, D., Venkatasubramanian, K.K., Sokolsky, O., Lee, I.: Biomedical devices and systems security. In: 2011 Annual International Conference of the IEEE Engineering in Medicine and Biology Society. pp. 2376–2379. IEEE (2011)
  • [4] Bonaci, T., Yan, J., Herron, J., Kohno, T., Chizeck, H.J.: Experimental analysis of denial-of-service attacks on teleoperated robotic systems. In: Proceedings of the ACM/IEEE Sixth International Conference on Cyber-Physical Systems. pp. 11–20. ACM (2015)
  • [5] Burke, D.: Bios medical / thermor llc - ulnerability report - blood pressure and digital temperature. ABSECURITY (2018)
  • [6] Burleson, W., Clark, S.S., Ransford, B., Fu, K.: Design challenges for secure implantable medical devices. In: Proceedings of the 49th Annual Design Automation Conference. pp. 12–17. ACM (2012)
  • [7] Denning, T., Borning, A., Friedman, B., Gill, B.T., Kohno, T., Maisel, W.H.: Patients, pacemakers, and implantable defibrillators: Human values and security for wireless implantable medical devices. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. pp. 917–926. ACM (2010)
  • [8] Denning, T., Fu, K., Kohno, T.: Absence makes the heart grow fonder: New directions for implantable medical device security. In: HotSec (2008)
  • [9] Farhadi, A., Ahmadi, M.: The information security needs in radiological information systems—an insight on state hospitals of iran, 2012. Journal of Digital Imaging 26(6), 1040–1044 (Dec 2013). https://doi.org/10.1007/s10278-013-9618-3, https://doi.org/10.1007/s10278-013-9618-3
  • [10] Finkle, J.: New rules for avoiding cyber bugs in medical devices. Sci Am (2016)
  • [11] Goodin, D.: Insulin pump hack delivers fatal dosage over the air. The Register 27(10) (2011)
  • [12] Halperin, D., Heydt-Benjamin, T.S., Ransford, B., Clark, S.S., Defend, B., Morgan, W., Fu, K., Kohno, T., Maisel, W.H.: Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In: 2008 IEEE Symposium on Security and Privacy (sp 2008). pp. 129–142 (May 2008). https://doi.org/10.1109/SP.2008.31
  • [13] IEC, T.: 80001-2-2: 2012 application of risk management for it-networks incorporating medical devices part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls. BSI Standards Publication (2012)
  • [14] Information, H., Society, M.S.: Manufacturer disclosure statement for medical device security (mds2)
  • [15] Jagannathan, S., Sorini, A.: A cybersecurity risk analysis methodology for medical devices. In: 2015 IEEE Symposium on Product Compliance Engineering (ISPCE). pp. 1–6. IEEE (2015)
  • [16] Kramer, D.B., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K., Reynolds, M.R.: Security and privacy qualities of medical devices: An analysis of fda postmarket surveillance. PLoS One 7(7), e40200 (2012)
  • [17] Maisel, W.H., Kohno, T.: Improving the security and privacy of implantable medical devices. The New England journal of medicine 362(13), 1164—1166 (April 2010). https://doi.org/10.1056/nejmp1000745, https://doi.org/10.1056/NEJMp1000745
  • [18] MediTechSafe: Diagnostic imaging: More susceptible to cyber-attacks. https://www.meditechsafe.com/single-post/2018/04/16/Diagnostic-Imaging-More-Susceptible-to-Cyber-attacks
  • [19] NEMA, P.: Iso 12052, digital imaging and communications in medicine (dicom) standard. National Electrical Manufacturers Association (2016)
  • [20] Rushanan, M., Rubin, A.D., Kune, D.F., Swanson, C.M.: Sok: Security and privacy in implantable medical devices and body area networks. In: 2014 IEEE Symposium on Security and Privacy. pp. 524–539. IEEE (2014)
  • [21] Sametinger, J., Rozenblit, J.W., Lysecky, R.L., Ott, P.: Security challenges for medical devices. Commun. ACM 58(4), 74–82 (2015)
  • [22] Tian, Y., Chen, E., Ma, X., Chen, S., Wang, X., Tague, P.: Swords and shields: a study of mobile game hacks and existing defenses. In: Proceedings of the 32nd Annual Conference on Computer Security Applications. pp. 386–397. ACM (2016)
  • [23] Wadhwa, T.: Yes, you can hack a pacemaker (and other medical devices too). Forbes Online. Tech 12 (2012)
  • [24] Wang, Z., Ma, P., Chi, Y., Zhang, J.: Medical devices are at risk: Information security on diagnostic imaging system. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. pp. 2309–2311. ACM (2018)