Capstone Concept

Problem

Medical devices are black boxes to end users when it comes to cybersecurity. People are trusting these devices to keep them alive with no information about their security, which can be a major concern. It has been revealed that there is a surprising lack of security in medical devices, especially older device models(1, 2). This is mostly because they are built with ease of access as the focus rather than security, which is understandable considering that patients and doctors must be able to easily use a device as the patient's life/wellbeing can depend on it. There have been numerous vulnerabilities found in different currently used medical devices, and these vulnerabilities put a lot of people relying on medical devices at risk. People deserve transparency and peace of mind regarding their medical devices’ security. For many people using these devices, they are diagnosed young. Two of our project members were given medical devices at 11 years old. For children and guardians, this is an uncertain time, and they deserve to know that their devices are secure, but these discovered vulnerabilities revoke that trust.

Proposed Solution

We will be testing the hardware and software security of various medical devices for vulnerabilities, which we can then use to develop a compliance framework for medical devices. Similar to frameworks like NIST 800-53 and ISO-27001, the developed framework would outline proper security practices for medical devices in development and usage. These practices would be determined based on the results of the testing performed on medical devices, as well as extensive research. The framework will be broken up into sections to provide guidance in all areas of medical device cybersecurity: hardware protection, firmware and software protection, data transmission detection and interactions with other devices, and communications and policies for users. Each section will contain specific practices to implement, like proper data encryption when communicating with auxiliary devices.

References

1. Minimed Hacks

https://nvd.nist.gov/vuln/detail/CVE-2019-10964

2. Various Medical Device Vulnerabilities

https://www.gao.gov/assets/d24106683.pdf

3. FDA Guidance on Medical Device Cybersecurity

https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity#safety -4.Legacy Medical Device Cybersecurity - MITRE https://www.mitre.org/sites/default/files/2023-11/PR-23-3695-Managing-Legacy-Medical-Device%20Cybersecurity-Risks.pdf

5. FDA Rundown of Medical Device Cybersecurity

https://www.fda.gov/consumers/consumer-updates/medical-device-cybersecurity-what-you-need-know

6. International Medical Device Regulators Forum

https://www.imdrf.org/working-groups/medical-device-cybersecurity-guide

7. FDA Warns of Bluetooth Low Energy Vulnerability Affecting Connected Medical Devices - MobiHealthNews

https://www.mobihealthnews.com/news/fda-warns-bluetooth-low-energy-vulnerability-affecting-connected-medical-devices

8. Bluetooth-Related Flaws Threaten Dozens of Medical Devices - Wired

https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/

9. Hospital Cyber Resiliency Initiative

https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf

10. Cobalt Medical Device Cybersecurity Risk Assessment Overview

https://www.cobalt.io/blog/medical-device-security-risk-assessment

11. Importance of Security Testing for Medical Devices

https://www.beyondsecurity.com/resources/guides/security-testing-for-networked-medical-devices

12. Threats Facing Medical Devices and Necessity of Medical Device Cybersecurity Operations

https://www.sensato.co/post/endless-terrifying-possibilities-call-for-a-good-medical-device-cop

13. Medical Device Vulnerabilities

https://www.informationweek.com/cyber-resilience/the-unique-cyber-vulnerabilities-of-medical-devices#close-modal

14. FBI Vulnerability Report on Medical Devices

https://www.ic3.gov/Media/News/2022/220912.pdf

Capstone Project

• Analyze existing medical devices for vulnerabilities and document
• Perform exploitation of medical devices and document
• Categorize all vulnerabilities found and exploited
• Propose standards that would remediate the vulnerabilities found and exploited
• Perform additional research to find vulnerabilities for other categories of medical devices
• Propose additional standards that would remediate other vulnerabilities
• Organize standards into a compliance framework

Scope

MiniMed 530G (Focusing on hardware hacking)

Hardware Dissection: Dismantling device to remove PCBs [DONE]

Chip analysis: Identify all possible microchips on PCBs and research for potential vulnerabilities [DONE]

Perform chip-off analysis of static RAM chip (remove chip, solder chip, pull data from chip using Arduino programming, analyze data) [IN PROGRESS]

Perform analysis of CPU (connect chip to power, test for vulnerable UART output) [IN PROGRESS]

OmniPod Dash (Focusing on Hardware Hacking or Exploiting a Backdoor)

Hardware Dissection: Dismantling device to remove PCBs [Done]

Perform chip-off analysis of any relevant chips and accessing any and all data available [IN PROGRESS]

Perform analysis of CPU [IN PROGRESS]

Attempt to access data by exploiting update vulnerabilities [IN PROGRESS]

Philips Intellivue MP5

Dismantle device to find PCBs [In Progress]

Analysis of CPU [In Progress]

Analysis of software and firmware for vulnerabilities [In Progress]

Attempt further exploitation on any found vulnerabilities [In Progress]

Compliance Framework

Document all findings from research [IN PROGRESS]

Document all findings from exploitation [IN PROGRESS]

Propose standards for findings from research [IN PROGRESS]

Propose standards for findings from exploitation [IN PROGRESS]

Perform additional research to identify gaps in framework [NOT STARTED]

Organize standards into categories in a framework [NOT STARTED]