Presentation held for FOIT on April, 13th, 2021 on Cybersecurity aspects in connected Medical Devices

1. IoT for healthcare industry
Alessandro Sappia
Ordine degli Ingegneri della Provincia di Torino
Via Giolitti, 1
10123 Torino
TEL: 011 562.24.68
PEC: ordine.torino@ingpec.eu
ordine.ingegneri@ording.torino.it
Visit us on the web:
www.ording.torino.it/professione

2. IoT
• IoT is a combination of hardware and software
technology that produces date through connecting
multiple devices and sensors with the cloud and making
sense of data with intelligent tools.
What is Iot?
• IoT involves extending Internet connectivity beyond
standard devices, such as laptops, smartphones and
tablets, to any range of traditionally dumb or non-internet
enabled physical devices and everyday objects.
• These devices can communicate and interact over the
internet and they can be remotely monitored and
controlled.
How does it work?
Benefits of IoT in healthcare
• Improve diagnosis and treatment.
• The ability to carry out remote monitoring .
• Reducing operating costs to counteract the rising cost of care.

3. IoT for Health Landscape
Glucose meter
App Tracking Food
Calories
Telemedicine
Infusion Pump in
Hospital
Digital Health
Smart Weight Scale
Connected Defibrillator
implant
Connected Blood
Pressure Monitor
Connecter MRI
Connected Hospital
Monitors
Connected Hearing Aid
Wearable tracker
IoT Healthcare
The IoT for health sits within the
broader field of digital health.
Digital health is the merging of
digital technologies with health and
care. The US FDA includes mobile
health (mHealth), health
information technology (IT),
wearable devices, telehealth,
telemedicine, and personal
medicine in this broad category.
For instance, mHealth may include
health services ‘supported by
mobile devices, such as mobile
phones, patient monitoring devices,
personal digital assistants (PDAs),
and other wireless devices’.

4. Security principles
A modest approach to security focuses on the following three key principles:
• Confidentiality
• Integrity
• Availability
ensuring information and systems are protected from unauthorised access
ensuring that information and systems are unaltered and accurate
throughout the lifecycle. For instance, information integrity applies to data
collection, transfer, use and storage
ensuring that information is and services are accessible by users or systems
as and when needed

5. What about the risks?
Date
Disclosed
Device Type
(Manufacturer)
Vulnerability Potential Impact On
Security
19 May 2008 Implantable Defibrillator
(Medtronic)
Remote access Direct impact on the safety
of the device for the user
• Hackers remotely
accessed a heart
defibrillator and
pacemaker
• Hackers shut down the
device
• Hackers made device
deliver electric jolts

6. What about the risks?
Date
Disclosed
Device Type
(Manufacturer)
Vulnerability Potential Impact On
Security
13 June 2013 Medical Devices (multiple) Hard-Coded Passwords Increased vulnerability to
attacks such as command
and control or malware
• Inability of
users/owners to change
passwords manually
• Potential for “mass
hack” of devices with
same or similar
passwords
• Use of connected
environments for
downstream attacks

7. What about the risks?
Date
Disclosed
Device Type
(Manufacturer)
Vulnerability Potential Impact On
Security
10 June 2015 Patient-Controlled Infusion
System
(Hospira LifeCare)
Connected Devices and
Systems
Direct impact on
downstream security and
safety of the device for the
user
• Vulnerability allowed
hackers to remotely
command and control
• Exploitation could
impact delivery of
medication via the
bloodstream

8. What about the risks?
Date
Disclosed
Device Type
(Manufacturer)
Vulnerability Potential Impact On
Security
08 July 2018 Fitness Tracker Data API
(Polar)
Personal Data Collection Direct impact on user
privacy and data
protection as a result of
non-medical uses
• Access user location
data
• Identify names and
addresses of users
• Identify military
personnel and
locations

9. Architecture Use Cases
• Fixed Use Case: Connected MRI scanner
• Portable Local Use Case: Hospital Vital Signs Monitor
• Portable Loaned Use Case: Blood Pressure Monitor
• Personal Device Use Case: Wireless Connected Hearing Aid

10. Connected MRI Scanner
Image
Storage
(Archive)
External
Doctor
System
Request for
scan
Hospital
Information
system
Radiology
Information System
MRI
Scanner
External
cloud backup
System
Patients ID orders
for examination
Diagnosis
Reports &
Images
Legend :
Internal Data Flows External recipient of Data
External Data Flows Device
Systems and / or Data Process of Management
Repository points Interface
The fixed use case example centres on a connected
MRI scanner, a type of connected diagnostic
equipment, to demonstrate the risks and security
considerations for connected health devices.
There are several reasons for wanting to add
network connectivity to devices like MRI scanners,
such as image transfer and storage, remote control
and management, consumable monitoring, and
capacity planning.
For this use case the MRI scanner is considered a permanent fixed
installation that is part of a larger healthcare facility, such as a general
hospital. Such a facility is likely to have its own intranet, but physical
protection of the local area network (LAN) might be poor as many visitors
would have access to the building. Additionally, networks such as intranets
should be configured in a way to protect devices with a variety of security
capabilities, such as legacy devices, from incoming threats such as
malware.

11. Vital Signal monitor
Legend :
Internal Data Flows External recipient of Data
External Data Flows Device
Systems and / or Data Process of Management
Repository points Interface
Nurse Alert
System
Portable
Monitor
Hospital
Information
System
Patient
Information
System
External
Doctor
System
External
Cloud Backup
Archive
Doctor
Information
System
Patient
Information
Request
Device
Configuration
Wired or
Wireless
Connection Periodic
Patient
Information
This use case focuses on monitors that may be
ported with the patient within the health service
environment.
With modern technology, there are several
reasons for wanting to use a portable vital signs
monitor, such as automatic data upload, settings
configuration, time synchronisation and firmware
update.
It is assumed that portable monitors will be owned by the healthcare provider
and generally remain within the vicinity of the healthcare facility. No
assumptions related to connectivity technologies are made. This is because
devices may connect using a variety of network technologies, or via a local IP-
based LAN. As such, no detailed assumptions are made about the
environment in which the portable monitor functions other than the
healthcare environment adopts network and information security best
practices.

12. Blood Pressure Monitor
Legend :
Internal Data Flows External recipient of Data
External Data Flows Device
Systems and / or Data Process of Management
Repository points Interface
Remote
configuration
Patient
informtion &
device
management
Portable
Pressure
Monitor
Hospital
Information
System
Patient
Information
System
External
Doctor
System
External
Cloud Backup
Archive
Doctor
Information
System
Remote
Information
request
Initial device
configuration
Wired or
Wireless
Connection Periodic
Patient
Information
In-home
Nurse user
interface
Patient/
User interface
Controlled
user interface
Loaned portable devices can be conceptualised
as owned by the healthcare provider but used
by the patient. Devices are not constrained to
one dedicated environment and may be ported
with the patient to a single remote location or
be as mobile as the patient. Given the nature of
the device and its integration into the patient’s
daily life, the patient is likely to have more
control over and engagement with this type of
IoT device.
No assumptions are made about the environment in which the loaned device
functions.

13. Wireless connected Hearing Aid
Hospital
Information
System
Patient
Information
System
External
Doctor
System
External
CloudBackup
Archive
Doctor
Information
System
Hearing
Aid
Pushed
Patient
Information
Legend :
Internal Data Flows External recipient of Data
External Data Flows Device
Systems and / or Data
Repository points
Hearing aids are a common personal medical device, and there
has been a continuing trend of miniaturisation to improve
comfort and aesthetics. Modern in-canal hearing aids can be
effectively invisible in normal use. Their very small size means
that it is impractical to have volume controls on the hearing aid
itself. As a connected digital device that is always worn, there is
an inclination to converge functionality with other portable
electronic devices, such as syncing with smartphones or music
and games consoles.
Due to the small size of some connected health devices they exist in an
extremely constrained environment and therefore may require different
security considerations than larger connected health devices with more
computing capacity. From the constrained environment and drive to make
IoT solutions tailored and user-friendly, it is assumed the hearing aid or
similar devices will connect to another mobile device or a personal and/or
health-professional’s computer.

14. Reference Architecture
• Has a defined boundary between
network zones.
Bounded
• Has no defined organizational
intranet or security mechanisms.
Boundaryless
• Include a variety of network
technologies and topologies
including bounded and
boundaryless networks.
Hybrid

15. Bounded Network architecture
Legend :
Internal Data Flows External recipient of Data
External Data Flows Device
Systems and / or Data Process of Management
Repository points Interface
internet Network Name Network Boundary
Security Management Point
Sensitive
data
Workstations
High Integrity
zone
Standard
Intranet
Internet
Critical
Equipment
Trusted
Server
Internal
Gateway
External
Gateway

16. Boundaryless Environment Mapping
Nurse
Mobile Device
Configuration
App
Health
Information
System
Time
Server
Sensors
Laptop or
USB Stick
Barcode
Scanner
Vital Sign
Monitor
Blood Pressure
Temperature
Sp O2 Pulse
Patient ID
Configuration
Firmware Update
Public
Internet
Local Hospital
Network
Local
Wired
Connections
Legend :
Internal Data Flows External recipient of Data
External Data Flows Device
Systems and / or Data Process of Management
Repository points Interface
internet Network Name Network Boundary
Security Management Point

17. Hybrid IoT Environment Mapping
Hearing
Aid
Audio
Streamer
Hearing
Aid App
Audio
Source
Body Area
Network
(NFMI)
Audio
playback
Personal Area
Network
(Bluetooth)
Smart
Phone
Public
Internet
(WI-FI)
Hospital
Information
System
Visitor
Information
System
Local
Hospital
network
Legend :
Internal Data Flows External recipient of Data
External Data Flows Device
Systems and / or Data Process of Management
Repository points Interface
internet Network Name Network Boundary
Security Management Point

18. Time for Questions

19. THANK
YOU…
Alessandro Sappia
Copyright, Trade Marks and Licensing
All product names are trademarks, registered trademarks, or service
marks of their respective owners.
Copyright © 2019, IoTSF. All rights reserved.
Copyright © 2021, Alessandro Sappia. All rights reserved.
This work is licensed under the Creative Commons Attribution 4.0
International License.
Presentation based on «IoT Security Reference Architecture for the
Healthcare Industry»
https://www.iotsecurityfoundation.org/best-practice-guidelines/
Ordine degli Ingegneri della Provincia di Torino
Via Giolitti, 1
10123 Torino
TEL: 011 562.24.68
PEC: ordine.torino@ingpec.eu
ordine.ingegneri@ording.torino.it
Visit us on the web:
www.ording.torino.it/professione