Considerations for performing IoMT Risk Assessments

What are Internet of Medical Things (IoMT) products?

Internet of Medical Things (IoMT) products refer to a combination of medical applications and devices connected to healthcare information technology systems through an online computer network or a wireless network. IoMT devices rely heavily on biosensors, critical in detecting an individual's tissue, respiratory, and blood characteristics. Non-bio sensors are also used to measure other patient characteristics such as heart and muscle electrical activity, motion, and body temperature.

IoMT product classifications

One needs to gain insight into what makes a device a medical device. In the U.S., the sale of medical devices is regulated by the Food and Drug Administration (FDA). As required by the FDA, medical devices are classified as being Class I, Class II, or Class III based on the risk posed by the device. Therefore, one must understand the risk level of a medical device and its intended use and indications of use.

IoMT layers and the threat-driven approach to security

Like IoT, IoMT has several layers, including the business, application, application, middleware, network, and perception layers. Notably, the perception layer in IoMT is tasked with the transfer of medical data acquired from sensors to the network layer. Medical things types that fall under the perception layer can be classified as:

• wearable (muscle activity sensors, pressure and temperature sensors, smartwatches);
• implantable (implantable cardioverter defibrillators (ICD);
• swallowable (camera capsule);
• ambient (vibration and motion sensors), and;
• stationary devices (surgical devices, CT scan).

Likewise,  IoMT devices are subject to attacks based on their architecture or application. That is, IoMT devices can suffer layer-specific attacks. While hackers can target any layer for an attack, they typically focus on either the perception or network layer attacks. Perception layer attacks focus on devices that acquire data from sensors.  Hackers use perception layer attacks to defeat the device administrator's ability to track the sensor and discover that it has been cloned or otherwise tampered with.

Conversely, at the network layer, IoMT devices can be subject to DoS attacks, Rogue access, Man-in-the-Middle (MiTM), replay, and Eavesdropping. Common IoMT vulnerabilities arise from the challenges experienced during IoMT device development, such as the lack of a threat-driven approach to security.  The threat-driven approach to security corresponds to modeling the relationship between threats, the risk to the asset, and the security controls that should govern them. For example, Bluetooth Low Energy (BLE) technology, whose applications range from home entertainment to healthcare, is associated with many threats such as network communication decryption, replay attacks, and Man-in-the-Middle attacks.

Primary considerations in performing IoMT Risk Assessments

Threat modeling is the tool best fitted for addressing perception and network-layer threats.  Cybersecurity practitioners commonly use the STRIDE threat modeling technique to help solve IoMT-related security challenges at both layers.  STRIDE is a threat model suitably fitted for helping cybersecurity practitioners identify and analyze threats in an IoMT environment.  More specifically, STRIDE is the most adept tool for answering the question 'what can go wrong in the IoMT environment that can adversely affect patient safety?'  The STRIDE model allows cybersecurity practitioners to determine what threat is a violation of a desirable property for an IoMT system.  Desirable properties preserve privacy, data protection and contribute to the security of an IoMT asset.  Desirable properties align with the STRIDE model as illustrated below:

Once more, primary considerations for performing IoMT Risk Assessments entail appraising user privacy, data protection, and device protection. However, building a perfect risk assessment system for IoMT devices is only possible after identifying inherent threats, potential risk attributes, and attack vectors. The ultimate objective is to evaluate a device's potential to have a catastrophic impact (i.e., death) on a patient.  Cybersecurity practitioners use the STRIDE model to categorize the worst-case potential outcome associated with inherent threats, risk attributes, and potential attack vectors related to using a particular device. For instance, with wearable medical devices, the STRIDE threat model can highlight data flows and subsequently allow the cybersecurity practitioner to generate risk scenarios that distinguish (within reason) all possible outcomes in each of the five attacker objective categories of the STRIDE threat model.  The risk scenarios are then mapped to applicable security control framework requirements, e.g., UL 2900, HIPAA/HiTRUST, FDA Pre-Market & Post-market cybersecurity guidance.  The cybersecurity practitioner investigates and determines whether a gap exists.  Gaps are subsequently categorized in terms of potential severity levels for medical devices as it relates to patient safety:

The final piece entails having the cybersecurity practitioner generate remediation strategies that address each risk or ‘gap’ confirmed to exist and align with one or more of the five attacker objective categories under the STRIDE threat model.

Conclusion

Threat modeling plays a crucial role in the development of medical device design. When used in tandem, threat modeling and risk analysis serve as structured tools for evaluating potential problems encountered in connection with taking a drug or using a medical device. Medical device manufacturers are expected to identify possible hazards associated with the design in both standard and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by any reasonable and technologically feasible means necessary.