Manuscript accepted on: 12-05-2023
Published online on: 28-07-2023
Plagiarism Check: Yes
Reviewed by: Dr. Nagham Aljamali
Second Review by: Dr. Rishit Jangde
Final Approval by: Dr. Eman Refaat Youness
D. Nagasamy Venkatesh* and Muthupranesh. K
Department of Pharmaceutics, JSS College of Pharmacy, JSS Academy of Higher Education and Research, Ooty, Tamil Nadu, India.
Corresponding Author E-mail: nagasamyvenkatesh@jssuni.edu.in
DOI: https://dx.doi.org/10.13005/bpj/2707
Abstract
In modern healthcare systems, medical devices play a major role. These include personalized medical devices, which improve the patient’s lifestyle because they can be remotely monitored and their data can be transmitted. These data transmissions increase the number of connections to existing computer networks. Being interoperable and interconnected, personalized medical devices provide great benefits such as improved sensing and actuating capabilities. The problem with highly connected computer networks is that they expose medical devices to a high level of cybersecurity vulnerability. The main targets are pacemakers and institutions such as hospitals and clinics. Hackers can easily hack medical devices and change prescriptions, so a cybersecurity breach can leak a patient’s sensitive and confidential data and put the patient’s life at risk. To prevent these multifaceted problems, they must be viewed from a systematic perspective, which requires governance, technical controls, regulation, and standards.
Keywords
Confidentiality; Cybersecurity; Cyberattack; Informed consent; Medical devices; Remote monitoring
Cite this article: Venkatesh D. N, Muthupranesh K. A Review of the Impact of Cybersecurity in High-Risk Medical Devices and In-Vitro Medical Devices all Over the World. Biomed Pharmacol J 2023;16(3). Available from: https://bit.ly/3KgYaHY
Introduction
Recent advances in technology have transformed the healthcare system and tend to improve patient care. One of the major parts of the healthcare system is the pharmaceutical sector, of which medical devices are a critical aspect [1]. Once implanted in the body or attached to the patient externally, they serve a critical function by providing continuous automated assistance to save lives. The medical devices attached to a single patient are commonly referred to as Personalized Medical Devices (PMDs) [2]. The devices implanted in the patient’s body are called Implantable Medical Devices (IMPDs). PMDs are medical devices with small firmware and modern hardware. They are wireless, mobile, and user-friendly, and they are interconnected and interoperable as well. Interconnectivity and interoperability may provide a great benefit, but they also expose the medical device to major risks such as cybersecurity breaches and cybersecurity vulnerabilities that can be exploited maliciously or triggered intentionally. This can affect the device’s performance and harm the patient by causing illness, injury, or death [3]. All stakeholders, including the government, hospitals, healthcare organizations, and the medical device industry, are therefore responsible for maintaining the safety of the patient as well as the medical device.
High-risk medical devices such as cardiac pacemakers, insulin pumps, and implantable pulse generators can be easily controlled and monitored from mobile phones over Bluetooth or an internet connection [4]. Some patients, such as prominent public figures, are at greater risk of cybersecurity attacks. These attacks can do greater harm to the patients, and if this information is reported in the media it will greatly damage the reputation of lifesaving medical implants. Private information about high-risk medical devices is usually stored in Electronic Health Records (EHR), and it has been reported that 90% of medical devices and Electronic Health Records have been the victims of cyber attacks [5].
Because of these risks, the software and hardware used in high-risk medical devices require approval before marketing, and high-risk medical devices and IVDs require remote monitoring after they are marketed, to prevent and reduce cyberattacks. One of the common methods is to apply security standards and policies, including cyberattack awareness programs. The trends in cybersecurity can be understood from two aspects:
- Weakness and bug detection in the system
- Identifying the cyber hackers and their methods [6].
In this paper, we discuss the methods that can be used to enhance safety, security, and privacy for medical devices that are controlled over the Internet while at the same time enabling higher mobility and remote monitoring.
Figure 1: Security Threats to Internet-Connected Devices Environment
Cybersecurity Incidents
Among medical devices, insulin pumps and pacemakers face the greatest cybersecurity impact. Research from the Archimedes – Ann Arbor Research Center for Medical Device Security at the University of Michigan has demonstrated the potential compromise of implanted devices [30]. Insulin pumps, web interfaces, hard-coded administration passwords, and internet-accessed devices have been found to be highly vulnerable in hospital environments. Internet-accessed devices without authentication and encryption are the most vulnerable [31, 36].
Data Transmission in Medical Devices
Nowadays radio frequency is commonly used for data transfer [37]. The radio-frequency band for implants and pacemakers is 402-405 MHz. This band is common to devices all over the world, which makes the devices more vulnerable. The process of broadcasting on or misusing radio frequencies is called “radio piracy” [11].
Electromagnetic interference is also a major concern: non-cardiac external signals, for example from airport scanners, smartwatches, and mobile phones, interfere with the cardiac signals and manipulate them [38]. Filters such as bandpass filters can be used to remove unwanted non-cardiac interference before it affects medical devices [12, 35].
Radiofrequency identification is a part of radiofrequency, but it differs in that it can carry more data while its range is comparatively shorter. There are two types, active and passive [27]. The active type requires a battery source and is more complex, unlike the passive type, which delivers less data over a shorter bandwidth [33]. The shorter the bandwidth, the lower the possibility for hackers to hack, as it reduces the attack surface, whereas longer bands are costly to produce [29]. This does not mean that devices transferring data in shorter bands cannot be hacked, as there is already a history of hacks, such as of banking cards, which use only shorter bands [12].
Ways to Protect our Devices from Cybersecurity Risks
Increasing the security of the weakest link
Hackers usually target the weakest link, as it requires the least time. They will target loopholes and insecure areas instead of secured areas [22].
Multiple Defense mechanism
Instead of focusing on a single solution, focus on complex interconnected solutions, so that if one system fails the other interconnected systems will protect the device [23].
Level of trust
The level of trust between application components is essential, and proper controls should be maintained to ensure that an appropriate level of trust is established for their interactions [26].
Hiding credentials
Keeping the encryption keys and passwords hidden is a critical task. A defense-in-depth approach should be established to keep the credentials private and safe [25].
Least privilege principle
Each function of a security system should operate with the least privilege, as this prevents or reduces any damage arising from loopholes in the system [19].
Default security
When designing systems, access decisions should be based on granting permission rather than on denial. The user then gets the option to accept or deny the program, which is much easier to design and safer [21].
Security Zoning
Encapsulation methods are used to create security zones (trust zones) to contain the damage caused by a trust or access breach [20].
Simple Designs
Simple designs are easy to use and easy to verify, which is why simpler designs are much preferred [18].
Privacy Promotion
Keep the instructions and processes that describe how the system works private, because they give hackers information about the system [24].
Incorrect assumptions
Incorrect assumptions are always a major concern, and major loopholes are due to them, so they should be avoided [13, 14].
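Several of the principles listed above (multiple defence mechanisms, least privilege, permission-based access decisions, and credentials kept out of the code) can be combined in one command check on a device that accepts commands from an external programmer. The following is an added example, not code from the article; the role names, command names and message layout are hypothetical.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical roles and commands for an illustrative device-programmer link.
# Least privilege: each role lists only the commands it needs; anything not
# listed is refused (permission-based, default-deny decisions).
ALLOWED = {
    "patient_app": {"READ_TELEMETRY"},
    "clinician": {"READ_TELEMETRY", "SET_THERAPY"},
    "service": {"READ_TELEMETRY", "UPDATE_FIRMWARE"},
}


def sign(key, role, counter, command):
    """HMAC-SHA256 tag over role, message counter and command."""
    msg = role.encode() + b"\x00" + struct.pack(">Q", counter) + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class CommandGate:
    """Layered checks: authentication, replay protection, then authorization."""

    def __init__(self, keys):
        # keys: role -> per-device secret loaded from protected storage at
        # provisioning time, never a constant compiled into the firmware.
        self._keys = dict(keys)
        self._last_counter = {}  # role -> highest counter accepted so far

    def handle(self, role, counter, command, tag):
        key = self._keys.get(role)
        if key is None:
            return "DENY:unknown-role"
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(sign(key, role, counter, command), tag):
            return "DENY:bad-tag"
        # An authentic message with an old counter is a replayed capture.
        if counter <= self._last_counter.get(role, -1):
            return "DENY:replay"
        self._last_counter[role] = counter
        if command not in ALLOWED.get(role, set()):
            return "DENY:not-permitted"
        return "ALLOW"


def demo():
    keys = {role: os.urandom(32) for role in ALLOWED}  # constructed sample keys
    gate = CommandGate(keys)

    def send(role, counter, command, tag=None):
        tag = tag or sign(keys[role], role, counter, command)
        return gate.handle(role, counter, command, tag)

    return [
        send("clinician", 1, "SET_THERAPY"),    # valid and permitted
        send("clinician", 1, "SET_THERAPY"),    # same counter again
        send("patient_app", 1, "SET_THERAPY"),  # authentic, outside the role
        send("clinician", 2, "SET_THERAPY", b"\x00" * 32),  # forged tag
        send("clinician", 3, "FACTORY_RESET"),  # command granted to nobody
    ]


if __name__ == "__main__":
    print(demo())
```

Each check fails closed on its own, so a command is accepted only when the sender is known, the tag verifies, the counter is fresh, and the role was explicitly granted that command.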
Cybersecurity and Remote Monitoring
The development of implantable medical devices has led to a reduction in their size, and they typically rely on software alone for their functioning. They are far more internet-accessible than older devices [17]. Implantable medical devices contain radio interfaces that are programmed through wireless communication with the help of external device programmers [34]. The benefits are greater, but this broadens the attack surface, leaving the device vulnerable [28]. Wireless attacks are much easier to launch, whereas analog attacks are comparatively harder because of the narrow attack surface [35]. Remote monitoring of medical devices has therefore become essential, and medical devices should be monitored periodically [15, 16].
Conclusion
Cybersecurity risk has become a major concern. In this paper, we have covered the different types of cybersecurity attacks, major cybersecurity incidents, and the ways to prevent cybersecurity attacks. Each type of cybersecurity attack requires specific methods of prevention. The need to protect businesses’ digital assets and medical equipment from cyberattacks has grown as a result of the development of the digital landscape. One of the difficulties in project management is balancing investments in security measures with rising development costs. Software testing experts and IT infrastructure staff need to incorporate security testing into their testing processes and regularly learn about security testing technologies and the most recent software and hardware security flaws. Given the multitude of rules, standards, frameworks, guidance documents, technical studies, and best practices on this subject, it has become more and more challenging to gain a clear understanding of the regulatory requirements that address the security of connected medical devices and related software. While some standards lack explicit requirements on cybersecurity, they do offer some advice on how security controls should be implemented. In the software life cycle procedures, cybersecurity has grown to be of the utmost importance. A proactive security strategy against risks can increase the value of the company’s goods and services.
Conflict of Interest
There is no conflict of interest.
Funding Sources
There are no funding sources.
References
1. Hegde V. Cybersecurity for medical devices. Annual Reliability and Maintainability Symposium (RAMS), Jan 22 (pp. 1-6). IEEE (2018).
2. Beavers J, Pournouri S. Recent cyber-attacks and vulnerabilities in medical devices and healthcare institutions. Blockchain and Clinical Trial: Securing Patient Data: 249-67 (2019).
3. Schwartz S, Ross A, Carmody S, Chase P, Coley SC, Connolly J, Petrozzino C, Zuk M. The evolving state of medical device cybersecurity. Biomedical instrumentation & technology; 52(2):103-11 (2018).
4. Lechner NH. An overview of cybersecurity regulations and standards for medical device software. In Central European Conference on Information and Intelligent Systems (pp. 237-249). Faculty of Organization and Informatics Varazdin (2017).
5. Yuan S, Fernando A, Klonoff DC. Standards for medical device cybersecurity in 2018. Journal of diabetes science and technology. Jul;12(4):743-6 (2018).
6. Baranchuk A, Refaat MM, Patton KK, Chung MK, Krishnan K, Kutyifa V, Upadhyay G, Fisher JD, Lakkireddy DR, American College of Cardiology’s Electrophysiology Section Leadership. Cybersecurity for cardiac implantable electronic devices: what should you know? Journal of the American College of Cardiology. Mar 20;71(11):1284-8 (2018).
7. Biasin E, Kamenjasevic E. Cybersecurity of medical devices: regulatory challenges in the EU (2022).
8. Ransford B, Kramer DB, Foo Kune D, Auto de Medeiros J, Yan C, Xu W, Crawford T, Fu K. Cybersecurity and medical devices: a practical guide for cardiac electrophysiologists. Pacing and Clinical Electrophysiology. Aug;40(8):913-7 (2017).
9. Gaukstern E, Krishnan S. Cybersecurity threats targeting networked critical medical devices (2018).
10. Williams PA, Woodward AJ. Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem. Medical Devices: Evidence and Research. Jul 20:305-16 (2015).
11. Stern AD, Gordon WJ, Landman AB, Kramer DB. Cybersecurity features of digital medical devices: an analysis of FDA product summaries. BMJ open. Jun 1;9(6):e025374 (2019).
12. Karmakar KK, Varadharajan V, Tupakula U, Nepal S, Thapa C. Towards a security-enhanced virtualized network infrastructure for the Internet of Medical Things (IoMT). In 2020 6th IEEE conference on network softwarization (NetSoft), Jun 29 (pp. 257-261). IEEE (2020).
13. Pycroft L, Aziz TZ. Security of implantable medical devices with wireless connections: The dangers of cyber-attacks. Expert Review of Medical Devices. Jun 3;15(6):403-6 (2018).
14. Tabasum A, Safi Z, AlKhater W, Shikfa A. Cybersecurity issues in implanted medical devices. In 2018 International Conference on Computer and Applications (ICCA), Aug 25 (pp. 1-9). IEEE (2018).
15. Sadhu PK, Yanambaka VP, Abdelgawad A, Yelamarthi K. Prospect of internet of medical things: A review on security requirements and solutions. Sensors. Jul 24;22(15):5517 (2022).
16. Tran-Dang, H.; Krommenacker, N.; Charpentier, P.; Kim, D.S. Toward the Internet of Things for Physical Internet: Perspectives and Challenges. IEEE Internet Things J., 7, 4711–4736 (2020).
17. Wazid, M.; Singh, J.; Das, A.K.; Shetty, S.; Khan, M.K.; Rodrigues, J.J.P.C. ASCP-IoMT: AI-Enabled Lightweight Secure Communication Protocol for Internet of Medical Things. IEEE Access, 10, 57990–58004 (2022).
18. Amin, F.; Majeed, A.; Mateen, A.; Abbasi, R.; Hwang, S.O. A Systematic Survey on the Recent Advancements in the Social Internet of Things. IEEE Access, 10, 63867–63884 (2022).
19. Noguchi, H.; Mori, T.; Sato, T. Framework for Search Application based on Time Segment of Sensor Data in Home Environment. In Proceedings of the Seventh International Conference on Networked Sensing Systems (INSS), Kassel, Germany, 15–18 June; pp. 261–264 (2020).
20. Shamsoshoara, A.; Korenda, A.; Afghah, F.; Zeadally, S. A Survey on Physical Unclonable Function (PUF)-based Security Solutions for Internet of Things. Comput. Netw., 183, 107593 (2020).
21. Masud, M.; Gaba, G.S.; Alqahtani, S.; Muhammad, G.; Gupta, B.B.; Kumar, P.; Ghoneim, A. A Lightweight and Robust Secure Key Establishment Protocol for Internet of Medical Things in COVID-19 Patients Care. IEEE Internet Things J., 8, 15694–15703 (2021).
22. Ullah, S.S.; Hussain, S.; Gumaei, A.; Alhilal, M.S.; Alkhamees, B.F.; Uddin, M.; Al-Rakhami, M. A Cost-Effective Approach for NDN-Based Internet of Medical Things Deployment. Comput. Mater. Contin., 70, 233–249 (2022).
23. Egala, B.S.; Pradhan, A.K.; Badarla, V.R.; Mohanty, S.P. Fortified-chain: A blockchain-based framework for security and privacy-assured internet of medical things with effective access control. IEEE Internet Things J., 8, 11717–11731 (2021).
24. Lin, P.; Song, Q.; Yu, F.R.; Wang, D.; Guo, L. Task Offloading for Wireless VR-Enabled Medical Treatment With Blockchain Security Using Collective Reinforcement Learning. IEEE Internet Things J., 8, 15749–15761 (2021).
25. Abdellatif, A.A.; Samara, L.; Mohamed, A.; Erbad, A.; Chiasserini, C.F.; Guizani, M.; O’Connor, M.D.; Laughton, J. Medge-chain: Leveraging edge computing and blockchain for efficient medical data exchange. IEEE Internet Things J., 8, 15762–15775 (2021).
26. Ding, Y.; Wu, G.; Chen, D.; Zhang, N.; Gong, L.; Cao, M.; Qin, Z. DeepEDN: A Deep-Learning-Based Image Encryption and Decryption Network for Internet of Medical Things. IEEE Internet Things J., 8, 1504–1518 (2020).
27. Liu, X.; Yang, X.; Luo, Y.; Zhang, Q. Verifiable Multi-Keyword Search Encryption Scheme with Anonymous Key Generation for Medical Internet of Things. IEEE Internet Things J.
28. Li, X.; Peng, J.; Obaidat, M.S.; Wu, F.; Khan, M.K.; Chen, C. A Secure Three-factor User Authentication Protocol with Forward Secrecy for Wireless Medical Sensor Network Systems. IEEE Syst. J., 14, 39–50 (2019).
29. Kumar, P.; Lee, S.G.; Lee, H.J. E-SAP: Efficient-strong Authentication Protocol for Healthcare Applications using Wireless Medical Sensor Networks. Sensors, 12, 1625–1647 (2012).
30. Liu, H.; Yao, X.; Yang, T.; Ning, H. Cooperative Privacy Preservation for Wearable Devices in Hybrid Computing-based Smart Health. IEEE Internet Things J., 6, 1352–1362 (2018).
31. Dharminder, D.; Gupta, P. Security Analysis and Application of Chebyshev Chaotic Map in the Authentication Protocols. Int. J. Comput. Appl., 43, 1095–1103 (2019).
32. Kumar, M.; Chand, S. A Secure and Efficient Cloud-Centric Internet-of-Medical-Things-Enabled Smart Healthcare System with Public Verifiability. IEEE Internet Things J., 7, 10650–10659 (2020).
33. Deebak, B.D.; Al-Turjman, F. Smart Mutual Authentication Protocol for Cloud-Based Medical Healthcare Systems using Internet of Medical Things. IEEE J. Sel. Areas Commun., 39, 346–360 (2020).
34. Sadhu, P.K.; Yanambaka, V.P.; Abdelgawad, A.; Yelamarthi, K. Performance Analysis of Ring Oscillator PUF for Robust Security in Smart Transportation. In Proceedings of IEEE 7th World Forum on Internet of Things (WF-IoT), New Orleans, LA, USA, 14 June–31 July; pp. 301–302 (2021).
35. Aman, M.N.; Javaid, U.; Sikdar, B. A Privacy-preserving and Scalable Authentication Protocol for the Internet of Vehicles. IEEE Internet Things J., 8, 1123–1139 (2020).
36. Ivanovska, E.; Ribarska, J.T.; Lazova, J.; Popstefanova, N.; Jovanoska, M.D.; Jolevska, S.T. Providing Clinical Evidence under the MDR 2017/745–New Challenges for Manufacturers in Medical Device Industry. Arh. Farm., 69, 39–49 (2019).
37. Sampath, T.; Thamizharasan, S.; Vijay Kumar Shetty, K.; Timiri Shanmugam, P.S. ISO 14971 and ISO 24971: Medical Device Risk Management. In Medical Device Guidelines and Regulations Handbook; Springer: Berlin, Germany, pp. 31–56 (2022).
38. Alsubaei, F.; Abuhussein, A.; Shandilya, V.; Shiva, S. IoMT-SAF: Internet of Medical Things Security Assessment Framework. Internet Things, 8, 100123 (2019).
39. Baranchuk A, Refaat MM, Patton KK, Chung MK, Krishnan K, Kutyifa V, Upadhyay G, Fisher JD, Lakkireddy DR, American College of Cardiology’s Electrophysiology Section Leadership. Cybersecurity for cardiac implantable electronic devices: what should you know? Journal of the American College of Cardiology. Mar 20;71(11):1284-8 (2018).
40. Li C, Raghunathan A, Jha NK. Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In 2011 IEEE 13th international conference on e-health networking, applications and services, Jun 13 (pp. 150-156). IEEE (2011).
41. Sivakorn S, Polakis I, Keromytis AD. The cracked cookie jar: HTTP cookie hijacking and the exposure of private information. In IEEE Symposium on Security and Privacy (SP), May 22 (pp. 724-742). IEEE (2016).
42. Alabdulkreem E, Alduailij M, Alduailij M, Mansour RF. Optimal weighted fusion-based insider data leakage detection and classification model for Ubiquitous computing systems. Sustainable Energy Technologies and Assessments. Dec 1;54:102815 (2022).
43. Zuo C, Lin Z, Zhang Y. Why does your data leak? uncovering the data leakage in cloud from mobile apps. In IEEE Symposium on Security and Privacy (SP), May 19 (pp. 1296-1310). IEEE (2019).
44. Jin X, Chen PY, Hsu CY, Yu CM, Chen T. CAFE: Catastrophic data leakage in vertical federated learning. Advances in Neural Information Processing Systems. Dec 6;34:994-1006 (2021).
45. Fu X, Gao Y, Luo B, Du X, Guizani M. Security threats to Hadoop: data leakage attacks and investigation. IEEE Network. Jan 20;31(2):67-71 (2017).
46. Fu X, Gao Y, Luo B, Du X, Guizani M. Security threats to Hadoop: data leakage attacks and investigation. IEEE Network. Jan 20;31(2):67-71 (2017).
47. Bosu A, Liu F, Yao D, Wang G. Collusive data leak and more: Large-scale threat analysis of inter-app communications. In Proceedings of the ACM on Asia Conference on Computer and Communications Security, Apr 2 (pp. 71-85) (2017).
48. Alabdulkreem E, Alduailij M, Alduailij M, Mansour RF. Optimal weighted fusion based insider data leakage detection and classification model for Ubiquitous computing systems. Sustainable Energy Technologies and Assessments. Dec 1;54:102815 (2022).
49. Palit T, Monrose F, Polychronakis M. Mitigating data leakage by protecting memory-resident sensitive data. In Proceedings of the 35th Annual Computer Security Applications Conference, Dec 9 (pp. 598-611) (2019).
50. Flynn T, Grispos G, Glisson W, Mahoney W. Knock! knock! who is there? investigating data leakage from a medical internet of things hijacking attack.