Hacking humans: A case study and analysis of vulnerabilities in the advancing medical device landscape
Abstract
This paper analyses the findings and trends of discovered vulnerabilities in medical devices enabled with ‘smart’ technology. With today’s medical devices often being connected to the Internet or to an external monitoring source, the risks to people’s health increase. This paper suggests a path to mitigating known vulnerabilities to enable better informed healthcare decisions. The paper first sets the landscape by discussing medical devices that enable connectivity and incorporate software, which causes increased cyber vulnerability. Secondly, it details how medical device recalls increased due to software issues and vulnerabilities, with those recalls based on weaknesses discovered by government security entities and academic institutions. Third, the paper highlights the devices most at risk, which include implantable cardioverter defibrillators (ICDs)/pacemakers, infusion pumps, and magnetic resonance imaging (MRI) machines. Fourth, the trends in cyber security vulnerabilities are discussed together with the corresponding health safety concerns. Finally, the government response in terms of risk mitigation guidance is identified, including a vulnerability scoring system which assesses impact and risk of exposure. The paper concludes by supporting a broader adoption of the health risk mitigation scoring system to achieve a diminished health risk of utilising connected medical devices.
The full article is available to subscribers to the journal.
Author's Biography
Gabrielle Hempel
Gabrielle E. Hempel is a graduate of the University of Cincinnati, where she studied neuroscience and psychology. She started her career in regulatory compliance, and led specialised committees targeting Phase I and emergency research. Although she still serves on a board as a regulatory/genetic science consultant, she moved to cyber security in 2018 and works full-time as a senior security analyst with Accenture. She also serves as an instructor for Cybrary, a cyber security education provider. She continues to pursue education through a graduate programme in advanced computer security at Stanford and has recently obtained her Certified Human Trafficking Investigator designation through the McAfee Institute. She collaborates with a variety of law enforcement entities and task forces in order to use digital forensics and offensive security to combat trafficking. She has spoken at numerous national conferences on medical device security. Her continued areas of research include embedded/vehicle security, Internet of Things (IoT) vulnerabilities and medical device security.
Diane Brady Janosek
Diane Janosek is a member of the Defense Intelligence Senior Executive Service (SES) and currently serves as the National Security Agency’s commandant and training director for the National Cryptologic School, which is comprised of five colleges, including Cyber and Cryptology. In her role, she manages and oversees the delivery of unique courses for the US intelligence workforce, both civilian and military, in the areas of cyber, network security, cyber resilience and encryption, ensuring a strong federal workforce to defend critical national security networks. Diane is an attorney, whose areas of expertise include academic leadership, privacy and technology, governance and data policy, export control, defence acquisition, information and cyber security. In her current role, she is committed to the educational, leadership, professional and practical learning needs of the United States’ cyber workforce in today’s dynamic threat environment. Prior to leading the NCS, Diane served in leadership roles in the National Security Agency’s Directorate of Technology, including deputy chief information security officer. In the US Government’s judicial and executive branches, she has served in a variety of attorney/legal, policy and executive management positions, including chief legal officer to the Privacy and Civil Liberties Oversight Board and legal counsel at both the White House and the Pentagon. She is admitted to the Supreme Court of the United States and is certified in information and network security (CISSP). Diane’s credibility and expertise have allowed her to publish numerous articles in various cyber security and legal publications. She serves as an adjunct professor for the National Intelligence University’s Master of Science in Strategic Intelligence/Technical Intelligence programme.
As an advocate for women working or aspiring to work in the dynamic field of cyber security, Diane is the president of the Women in Cybersecurity’s (WiCyS) Mid-Atlantic Regional Affiliate and has served as the keynote speaker at a number of cyber events.
Donna Brady Raziano
Donna Raziano, MD, MBA, is the chief medical officer of Mercy LIFE. Donna’s credentials include ABIM board certifications in Geriatric Medicine and Hospice & Palliative Care as well as an MBA in Health Care Management from the Wharton School of the University of Pennsylvania. She has over 20 years’ experience in practising medicine and healthcare leadership roles. Donna and Diane are identical twin sisters who collaborate to improve the lives of Americans.