Risk assessment of cyber-attacks on telemetry-enabled cardiac implantable electronic devices (CIED)



REGULAR CONTRIBUTION

Mikaëla Ngamboé1 · Paul Berthier1 · Nader Ammari1 · Katia Dyrda2 · José M. Fernandez1

© The Author(s) 2020

Abstract

Cardiac implantable electronic devices (CIED) are vulnerable to radio frequency (RF) cyber-attacks. Besides, CIED communicate with medical equipment whose telemetry capabilities and IP connectivity are creating new entry points that may be used by attackers. Therefore, it remains crucial to perform a cybersecurity risk assessment of CIED and the systems they rely on to determine the gravity of threats, address the riskiest ones on a priority basis, and develop effective risk management plans. In this study, we carry out such risk assessment according to the ISO/IEC 27005 standard and the NIST SP 800-30 guide. We employed a threat-oriented analytical approach and divided the analysis into three parts: an actor-based analysis to determine the impact of the attacks, a scenario-based analysis to measure the probability of occurrence of threats, and a combined analysis to identify the riskiest attack outcomes. The results show that vulnerabilities on the RF interface of CIED represent an acceptable risk, whereas the network and Internet connectivity of the systems they rely on represent an important potential risk. Further analysis reveals that the damages of these cyber-attacks could spread further to affect manufacturers through intellectual property theft or physicians by affecting their reputation.

Keywords: Cardiac implantable electronic device · CIED · Cybersecurity · Cyber-attack · Attack vector · Attack scenario · Threat-oriented analysis · Risk assessment
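The three-part method the abstract describes (actor-based impact, scenario-based likelihood, combined risk) can be reduced to a small, reproducible scoring procedure. The following Python script is an added illustration, not the paper's own code or data: every actor, outcome, attack vector, rating and lookup matrix in it is constructed, and the matrices are only loosely modelled on the qualitative likelihood and risk scales of NIST SP 800-30, not copied from its tables. It shows how per-actor impacts are aggregated, how a two-factor likelihood is derived per scenario, and how the two are combined and ranked.

```python
"""Toy three-part risk assessment in the style of ISO/IEC 27005 / NIST SP 800-30.

CONSTRUCTED EXAMPLE: actors, outcomes, scenarios, ratings and matrices are
illustrative and are not the paper's data or findings.
"""
from dataclasses import dataclass

LEVELS = ["very_low", "low", "moderate", "high", "very_high"]


def level_index(level: str) -> int:
    """Rank a qualitative level; reject misspelled levels early."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return LEVELS.index(level)


# Constructed lookup: row = likelihood the adversary initiates the threat event,
# column = likelihood it succeeds and causes harm once initiated (the two-factor
# scheme NIST SP 800-30 uses for adversarial threats; values are our own).
OVERALL_LIKELIHOOD = [
    # success:  very_low    low         moderate    high        very_high
    ["very_low", "very_low", "very_low", "low",      "low"],        # initiation very_low
    ["very_low", "low",      "low",      "low",      "moderate"],   # low
    ["very_low", "low",      "moderate", "moderate", "high"],       # moderate
    ["very_low", "low",      "moderate", "high",     "very_high"],  # high
    ["very_low", "moderate", "high",     "very_high", "very_high"], # very_high
]

# Constructed lookup: row = overall likelihood, column = impact -> risk level.
RISK_MATRIX = [
    # impact:   very_low    low         moderate    high        very_high
    ["very_low", "very_low", "very_low", "low",      "low"],        # likelihood very_low
    ["very_low", "low",      "low",      "low",      "moderate"],   # low
    ["very_low", "low",      "moderate", "moderate", "high"],       # moderate
    ["very_low", "low",      "moderate", "high",     "very_high"],  # high
    ["very_low", "low",      "high",     "very_high", "very_high"], # very_high
]


@dataclass
class Outcome:
    name: str
    impact_by_actor: dict  # actor -> qualitative impact on that actor


@dataclass
class Scenario:
    vector: str      # entry point (constructed label)
    outcome: str     # name of the Outcome the scenario leads to
    initiation: str  # likelihood of attack initiation
    success: str     # likelihood of success and harm once initiated


def actor_based_impact(outcome: Outcome) -> str:
    """Actor-based analysis: an outcome's impact is its worst impact on any actor."""
    return max(outcome.impact_by_actor.values(), key=level_index)


def scenario_likelihood(s: Scenario) -> str:
    """Scenario-based analysis: overall likelihood from the two factors."""
    return OVERALL_LIKELIHOOD[level_index(s.initiation)][level_index(s.success)]


def combined_risk(likelihood: str, impact: str) -> str:
    return RISK_MATRIX[level_index(likelihood)][level_index(impact)]


def rank_scenarios(scenarios, outcomes):
    """Combined analysis: score every scenario and sort riskiest first,
    breaking ties on impact, then likelihood, then names (deterministic)."""
    by_name = {o.name: o for o in outcomes}
    rows = []
    for s in scenarios:
        impact = actor_based_impact(by_name[s.outcome])
        likelihood = scenario_likelihood(s)
        rows.append({"vector": s.vector, "outcome": s.outcome,
                     "likelihood": likelihood, "impact": impact,
                     "risk": combined_risk(likelihood, impact)})
    rows.sort(key=lambda r: (-level_index(r["risk"]), -level_index(r["impact"]),
                             -level_index(r["likelihood"]), r["vector"], r["outcome"]))
    return rows


# Constructed sample data (not the paper's ratings).
OUTCOMES = [
    Outcome("therapy_disruption", {"patient": "very_high", "physician": "moderate", "manufacturer": "high"}),
    Outcome("ip_theft", {"patient": "very_low", "physician": "very_low", "manufacturer": "high"}),
    Outcome("reputation_damage", {"patient": "low", "physician": "high", "manufacturer": "moderate"}),
]
SCENARIOS = [
    Scenario("rf_interface", "therapy_disruption", initiation="low", success="low"),
    Scenario("network_internet", "ip_theft", initiation="high", success="high"),
    Scenario("network_internet", "reputation_damage", initiation="moderate", success="moderate"),
]


def run_example():
    return rank_scenarios(SCENARIOS, OUTCOMES)


if __name__ == "__main__":
    for row in run_example():
        print(f"{row['risk']:>9}  {row['vector']:<17} {row['outcome']:<19} "
              f"L={row['likelihood']} I={row['impact']}")
```

Taking the worst per-actor impact keeps a patient-safety outcome from being diluted by low impact on other actors; replacing `max` with a weighted aggregate is the usual place an organisation encodes its own risk appetite.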

Corresponding author: Mikaëla Ngamboé, [email protected]

1 École Polytechnique de Montréal, Montréal, QC, Canada

2 Montréal Heart Institute, Université de Montréal, Montréal, QC, Canada

1 Introduction

Cardiac implantable electronic devices (CIED) have evolved from single-chamber pacing devices to resynchronization and defibrillation within the same device [1]. Modern CIED now include numerous functionalities integrated into a single device, which has contributed to an increase in the number of implanted devices [2,3]. Besides, the use of telemetry-enabled CIED is increasing to the detriment of older models with no wireless communication capabilities [4,5], due to the significant advantages it brings to patient care [6,7]. For the remainder of this article, the acronym CIED will refer only to telemetry-enabled CIED.

CIED depend on a set of external systems to diagnose, monitor, and adjust patient therapy. These systems are: the external programmer used in the hospital, the home monitor present at the patient's home, databases housed either in the cloud or in servers located in the CIED manufacturer's network, and medical Web applications. Health professionals rely on the external programmer to obtain the programmed parameters of the patient, to adjust the desired therapies or to check the correct operation