Abstract
The Internet of Medical Things (IoMT) promises to improve patient care and the efficiency of Medical Cyber-Physical Systems (MCPSs). At the same time, the connectivity increases the security risk. We aim to model Self-protective MCPSs to reduce the attack surface during runtime. Even under attack, these systems require to provide clinical function for the patients. Monitoring vulnerabilities and suspicious behavior and sharing attacker information contributes to improved security and can be the foundation for automated actions for healthcare delivery organizations. Switching between context-aware security modes provides a flexible way to protect online and offline IoMT and increase patient safety. This paper presents our ongoing work to make healthcare systems more secure. We show current security and privacy challenges, discuss how self-protective systems can overcome them, and what role IoMT devices play in that context.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ajagbe, S.A., Awotunde, J.B., Adesina, A.O., Achimugu, P., Kumar, T.A.: Internet of Medical Things (IoMT): applications, challenges, and prospects in a data-driven technology. In: Chakraborty, C., Khosravi, M.R. (eds.) Intelligent Healthcare. Springer, Singapore (2022). https://doi.org/10.1007/978-981-16-8150-9_14
Barrett, M.: Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. No. NIST CSWP 04162018, U.S. National Institute of Standards and Technology (NIST), Gaithersburg, MD (2018). https://doi.org/10.6028/NIST.CSWP.04162018
Boughton, C.K., Hovorka, R.: New closed-loop insulin systems. Diabetologia 64(5), 1007ā1015 (2021). https://doi.org/10.1007/s00125-021-05391-w
BSI: Cyber Security Requirements for Network-Connected Medical Devices. German Federal Office for Information Security (BSI) (2018). https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/Medical_Devices_CS-E_132.html. Accessed 28 Dec 2022
Carreon-Rascon, A.S., Rozenblit, J.W.: Towards requirements for self-healing as a means of mitigating cyber-intrusions in medical devices. In: 2022 IEEE International Conference on Systems, Man, and Cybernetics (SMC), pp. 1500ā1505 (2022). https://doi.org/10.1109/SMC53654.2022.9945507
Chen, T.M., Abu-Nimeh, S.: Lessons from Stuxnet. Computer 44(4), 91ā93 (2011). https://doi.org/10.1109/MC.2011.115
Claroty: State of XIoT Security Report (2022). https://claroty.com/press-releases/iot-vulnerability-disclosures-grew-57-percent-from-2h21-to-1h22. Accessed 28 Dec 2022
Lewis, D., The OpenAPS Community: OpenAPS Outcomes (2022). https://openaps.org/outcomes/. Accessed 10 Jan 2023
Elhoseny, M., et al.: Security and privacy issues in medical internet of things: overview, countermeasures, challenges and future directions. Sustainability 13(2121), 11645 (2021). https://doi.org/10.3390/su132111645
Fagan, M., Megas, K.N., Scarfone, K., Smith, M.: Foundational cybersecurity activities for IoT device manufacturers. No. NIST IR 8259, U.S. National Institute of Standards and Technology (NIST), Gaithersburg, MD (2020). https://doi.org/10.6028/NIST.IR.8259
Fagan, M., Megas, K.N., Scarfone, K., Smith, M.: IoT device cybersecurity capability core baseline. No. NIST IR 8259A, U.S. National Institute of Standards and Technology (NIST), Gaithersburg, MD (2020). https://doi.org/10.6028/NIST.IR.8259a
FBI: Industry Alert: Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities. U.S. Federal Bureau of Investigation (FBI) (2022). https://www.ic3.gov/Media/News/2022/220912.pdf. Accessed 28 Dec 2022
FDA: FDA approves first automated insulin delivery device for type 1 diabetes. U.S. Food and Drug Administration (FDA) (2016). https://www.fda.gov/news-events/press-announcements/fda-approves-first-automated-insulin-delivery-device-type-1-diabetes. Accessed 10 Jan 2023
FDA: Postmarket Management of Cybersecurity in Medical Devices. U.S. Food and Drug Administration (FDA) (2016). https://www.fda.gov/media/95862/download. Accessed 28 Dec 2022
FDA: Class 2 Device Recall Medtronic MiniMed 600 Series Insulin Pump Systems. U.S. Food and Drug Administration (FDA) (2022). https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfRES/res.cfm?id=196205. Accessed 10 Jan 2023
FDA: Class 2 Device Recall Medtronic MiniMed 600 Series Insulin Pump Systems. U.S. Food and Drug Administration (FDA) (2022). https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfRES/res.cfm?id=196183. Accessed 10 Jan 2023
FDA: Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions - Draft Guidance. U.S. Food and Drug Administration (FDA) (2022). https://www.fda.gov/media/119933/download. Accessed 28 Dec 2022
FDA: Cybersecurity Modernization Action Plan. U.S. Food and Drug Administration (FDA) (2022). https://www.fda.gov/media/163086/download. Accessed 28 Dec 2022
Hellerstein, J., Diao, Y., Parekh, S., Tilbury, D.: Feedback Control of Computing Systems. Wiley (2004). https://doi.org/10.1002/047166880X
IMDRF: Principles and Practices for Medical Device Cybersecurity. International Medical Device Regulators Forum (IMDRF) (2020). http://www.imdrf.org/docs/imdrf/final/technical/imdrf-tech-200318-pp-mdc-n60.pdf. Accessed 28 Dec 2022
Kagita, M.K., Thilakarathne, N., Gadekallu, T.R., Maddikunta, P.K.R.: A review on security and privacy of internet of medical things. In: Ghosh, U., Chakraborty, C., Garg, L., Srivastava, G. (eds.) Intelligent Internet of Things for Healthcare and Industry. Internet of Things. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-81473-1_8
Kephart, J., Chess, D.: The vision of autonomic computing. Computer 36(1), 41ā50 (2003). https://doi.org/10.1109/MC.2003.1160055
MDCG: Guidance on Cybersecurity for medical devices. Medical Device Coordination Group (MDCG) (2019). https://ec.europa.eu/docsroom/documents/41863/attachments/1/translations/en/renditions/native. Accessed 28 Dec 2022
Medtronic: Urgent Medical Device Correction: MiniMed\(^{{\rm TM}}\) 600 Series Pump System Communication Issue (2022). https://www.medtronicdiabetes.com/customer-support/product-and-service-updates/notice19-letter. Accessed 10 Jan 2023
Medtronic: MiniMed 670G System Discontinuation of New Sales (2023). https://www.medtronicdiabetes.com/products/minimed-670g-insulin-pump-system. Accessed 10 Jan 2023
Medtronic: The MiniMed 630G and 770G Insulin Pumps (2023). https://www.medtronic.com/us-en/healthcare-professionals/therapies-procedures/diabetes/education/diabetes-digest/minimed-insulin-pumps.html. Accessed 10 Jan 2023
Rao, A., CarreĆ³n, N.A., Lysecky, R., Rozenblit, J.: FIRE: a finely integrated risk evaluation methodology for life-critical embedded systems. Information 13(1010), 487 (2022). https://doi.org/10.3390/info13100487
Rao, A., Rozenblit, J., Lysecky, R., Sametinger, J.: Trustworthy multi-modal framework for life-critical systems security. In: Proceedings of the Annual Simulation Symposium, ANSS 2018, San Diego, CA, USA, pp. 1ā9. Society for Computer Simulation International (2018). https://doi.org/10.5555/3213032.3213049
Reports And Data: Market value of the internet of medical things worldwide in 2019 and 2027 (in billion U.S. dollars). Statista (2021). https://www.statista.com/statistics/1264333/global-iot-in-healthcare-market-size/. Accessed 28 Dec 2022
Rezvy, S., Petridis, M., Lasebae, A., Zebin, T.: Intrusion detection and classification with autoencoded deep neural network. In: Lanet, J.-L., Toma, C. (eds.) SECITC 2018. LNCS, vol. 11359, pp. 142ā156. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12942-2_12
Riegler, M., Sametinger, J., Rozenblit, J.W.: Context-aware security modes for medical devices. In: 2022 Annual Modeling and Simulation Conference (ANNSIM), pp. 372ā382 (2022). https://doi.org/10.23919/ANNSIM55834.2022.9859283
Riegler, M., Sametinger, J., Vierhauser, M.: A distributed MAPE-K framework for self-protective IoT devices. In: 2023 IEEE/ACM 18th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (2023). https://doi.org/10.1109/SEAMS59076.2023.00034
Riegler, M., Sametinger, J., Vierhauser, M., Wimmer, M.: A model-based mode-switching framework based on security vulnerability scores. J. Syst. Softw. 200, 111633 (2023). https://doi.org/10.1016/j.jss.2023.111633
Ross, R., McEvilley, M., Carrier Oren, J.: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. No. NIST SP 800-160, U.S. National Institute of Standards and Technology (NIST) (2016). https://doi.org/10.6028/NIST.SP.800-160
Sametinger, J., Rozenblit, J., Lysecky, R., Ott, P.: Security challenges for medical devices. Commun. ACM 58(4), 74ā82 (2015). https://doi.org/10.1145/2667218
Stajano, F., Anderson, R.: The grenade timer: fortifying the watchdog timer against malicious mobile code. In: Proceedings of 7th International Workshop on Mobile Multimedia Communications, MoMuC 2000, Waseda, Tokyo, Japan (2000). https://www.cl.cam.ac.uk/~fms27/papers/2000-StajanoAnd-grenade.pdf. Accessed 28 Dec 2022
Sun, Y., Lo, F.P.W., Lo, B.: Security and privacy for the internet of medical things enabled healthcare systems: a survey. IEEE Access 7, 183339ā183355 (2019). https://doi.org/10.1109/ACCESS.2019.2960617
The White House: Executive Order 14028: Improving the Nationās Cybersecurity (2021). https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/. Accessed 27 Dec 2022
Thomasian, N.M., Adashi, E.Y.: Cybersecurity in the Internet of Medical Things. Health Policy Technol. 10(3), 100549 (2021). https://doi.org/10.1016/j.hlpt.2021.100549
Zeadally, S., Das, A.K., Sklavos, N.: Cryptographic technologies and protocol standards for Internet of Things. IoT 14, 100075 (2021). https://doi.org/10.1016/j.iot.2019.100075
Acknowledgement
This work has partially been supported by the LIT Secure and Correct Systems Lab funded by the State of Upper Austria, the Austrian Marshall Plan Foundation, and the National Science Foundation under Grant Number 1622589 āTime-Centric Modeling of Correct Behaviors for Efficient Non-intrusive Runtime Detection of Unauthorized System Actions.ā Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the supporting organizations.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
Ā© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Riegler, M., Sametinger, J., Rozenblit, J.W. (2023). Architecture forĀ Self-protective Medical Cyber-Physical Systems. In: Kotsis, G., et al. Database and Expert Systems Applications - DEXA 2023 Workshops. DEXA 2023. Communications in Computer and Information Science, vol 1872. Springer, Cham. https://doi.org/10.1007/978-3-031-39689-2_6
Download citation
DOI: https://doi.org/10.1007/978-3-031-39689-2_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-39688-5
Online ISBN: 978-3-031-39689-2
eBook Packages: Computer ScienceComputer Science (R0)