Division of Information Technology, Engineering and the Environment

University of South Australia

Division of Information Technology, Engineering and the Environment

School of Information Technology & Mathematical Sciences

Medical device vulnerability mitigation efforts

Jay Holdsworth

A thesis submitted to

University of South Australia

in partial fulfilment of the requirements for the degree of

Master of Science (Cyber Security and Forensic Computing)

Supervisor: Dr. Kim-Kwang Raymond Choo

Contents

List of Figures

List of Tables

List Of Abbreviations

Declaration

Abstract

Acknowledgement

Chapter 1

1.Introduction

1.1Problem Definition

1.2Research Motivations

1.3Research Questions:

1.4Research aims and objectives

1.5Expected Outcomes

1.6Thesis Structure

Chapter 2

2.Literature Review

2.1 Definitions

2.2Methodology

2.2.1Search Strategy

2.2.2Search Criteria

2.2.3Key Word Examples

2.2.4.Data Source

2.2.6.Data Collation/Presentation

2.3Review of Literature

2.3.1Authorities

2.3.2Device Manufacturers

2.3.3Healthcare Facilities / Services Organisations

2.3.4Standards Organisations & Professional Bodies

2.3.5Academia

2.3.6Frameworks

2.3.7Taxonomies/ Classifications

2.3.8Case Studies

2.3.9Designs

2.4Findings

2.4.1Research Trends

2.3.2 Effort Trends

2.3.3MDV-MEGA

Chapter 3

3.Survey & Questionnaire

3.1Methodology

3.1.1 Sample

3.1.2 Facilities

3.1.3 Respondents

3.1.4 Data Collection

3.1.5 Interview Design & Administration

3.1.6 Response Scoring

3.2 Results

3.2.1 Hospital A: South Australia

3.2.2 Hospital B: Western Australia

3.2.3 Hospital C: Tasmania

3.2.4 Hospital D: Queensland

3.3. Findings

3.4 Analysis

3.5 Maturity Scores

3.6 Trends

Chapter 4

4.Conclusions, Limitation & Further Work

4.1Literature Review

4.1.1 Literature Review Limitations

4.2Survey & Questionnaire

4.2.1 Survey Limitations

4.3 Future Works

References

List of Figures

Figure 1: Research trends in the last 5 years

Figure 2: MDV-MEGA Toolset

Figure 3: Survey Questions

Figure 4: Maturity Assessment Matrix

Figure 5: Maturity Matrix

1

List of Tables

Table 1: Percentage of Contributed Effort by Associated Party

1

List Of Abbreviations

LOMLevel of Maturity

IMSInitial Maturity Score

MDASMedical Device Awareness Score

MDV-MEGAMedical Device Vulnerability Mitigation Effort Gap Analysis

WHOWorld Health Organisation

FDAFood and Drug Administration (US)

TGATherapeutic Goods Administration (Aus)

EMAEuropean Medicines Agency

MIFAMedical Identity Fraud Alliance (US)

AHAAmerican Hospital Association (US)

NHSNational Health Service (UK)

NH-ISACNational Health Information Sharing & Analysis Centre (US)

HL7Health Level 7 International

MAUDEManufacturer & User Facility Device Experience (US)

MhealthMobile Health

BYODBring Your Own Device

NHQHSNational Safety & Quality Health Service Standards (Aus)

ACSQHCAustralian Commission on Safety & Quality in Health Care (Aus)

ACHSAustralian Council on Healthcare Standards (Aus)

1

Declaration

I declare that this thesis does not incorporate without acknowledgment any material previously submitted for a degree or diploma in any university; and that to the best of my knowledge it does not contain any materials previously published or written by another person except where due reference is made in the text.

Jay Holdsworth

24th October 2016

1

Abstract

The use of medical devices in healthcare networks is increasing as governments and private entities look to improve clinical outcomes while reducing overall costs associated with healthcare service delivery. These devices which used to be stand-alone, are now becoming more integrated with corporate and clinical networks, sharing data between devices and other data information systems. As a result, healthcare networks are being targeted by hackers and malicious users and there is increasing concern about the possible risks that medical devices pose to both the security of patient data and the physical safety of patients. What seems to be unclear is what effort has been made by relevant associated parties to tackle the medical device cybersecurity problem. This paper therefore aims to explore that level of effort and understand what has been done to tackle the problem. This paper does this in two ways, firstly a Medical Device Vulnerability Mitigation Effort Gap Analysis Taxonomy (MDV-MEGA) toolset is proposed which allows the contribution efforts to be measured against a set of reviewed literature. Secondly, a survey is conducted against a sample of Australian private hospitals to understand why according to the applied toolset, they were one of the lowest scoring parties in terms of effort contributed. The literature review in this paper reviews literature over the last 6 years and focusses on 5 specific associated parties: Authority, Device Manufacturers, Healthcare Facilities, Standards Organisations and Academia. In the accompanying survey, we interview participants from four Australian private hospitals, representing South Australia, Western Australia, Tasmaina and Queensland. The resulting study suggests that while the importance of ensuring the cybersecurity of medical devices is increasingly recognised by Australian healthcare facilities, there are significant gaps in terms of guidance and the technical know-how (e.g. not provided with clear directions about how to protect against device vulnerabilities).

1

Acknowledgement

I would like to thank my academic supervisor, Raymond Choo, for all of his help, encouragement and patience throughout this work. His expert knowledge in the field of cybersecurity has been extremely helpful and his input very much appreciated. I would also like to thank my Employer (The Burnside War Memorial Hospital) for their generosity in allowing me time to conduct my studies alongside my professional working role.

Outside of the university and my employer, I would like to thank my partner and family for their support, not only during the writing of this thesis, but during the years of study leading up to it.

1

Chapter 1

1.Introduction

1.1Problem Definition

Modern medicine and medical practice adopt an evidenced based approach to healthcare, and this evidence-based care has become the de facto standard of health service delivery across the developed world (HeneganGodlee, 2013). Indeed, the World Healthcare Organization (WHO) suggests that Information Systems and Technology are key to modern evidence based health practices, and evidence shows that increasingly, technology is becoming an important tool for delivering modern evidence based clinical care (Rodrigues, 2000).

The push to adopt evidence based care has, therefore, seen an increase in the proliferation of medical technology, particularly in the form of medical devices where they have now become ubiquitous, providing large scale healthcare gains (McGee, Webster, Rogerson & Craig, 2012). While there are many different definitions of a medical device, such as that by the US Food and Drug Administration (FDA) (2015a) or the European Medicines Agency (EMA) (2015), this paper will use the Australian definition, where a medical device will be taken to mean:

any instrument, apparatus, appliance, material or other article (whether used alone or in combination, and including the software necessary for its proper application) intended, by the person under whose name it is or is to be supplied, to be used for human beings for the purpose of one or more of the following:

1. diagnosis, prevention, monitoring, treatment or alleviation of disease;
2. diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap;
3. investigation, replacement or modification of the anatomy or of a physiological process;
4. control of conception;

and that does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but that may be assisted in its function by such means; or

1. an accessory to such an instrument, apparatus, appliance, material or other article. (Australian Government, 2016b)

The earlier observation made by McGee, Webster, Rogerson & Craig (2012) seems to have general consensus as medical devices are shown to help in a number of healthcare factors such as the facilitation of more efficient work flows through automation (Zhang, Cocosila & Archer, 2010), improving surgical accuracy, patient recovery times and reducing overall lengths of stay (Mihailidis, KronesBoger, 2006). Further, some authors suggest better detection rates and improved monitoring and treatment of diseases as a result of introducing medical devices (Lanterman, 2015), while others suggest a reduction in fragmented primary care services and reduced cost associated with clinical provision (DePhillips, 2007).

Given the overall gains and potential advantages provided by medical devices, it is of no surprise that technologically advanced countries, such as USA and China, are investing heavily in medical technology with an aim to increase its overall adoption. It has been suggested that as of 2015, 55% of medical professionals in USA are using medical devices due largely to increased government funding (Silva et al, 2015), and in China whose government is poised to invest some AUD $1.78billion on medical device and drug research throughout 2012-2017 (Stoner, 2012). Closer to home here in Australia, the State of New South Wales reported an annual export of AUD $1.12 billion worth of medical device technology in 2012, with this figure set to increase into the future (Stoner, 2012).

Clearly then, the use of medical device technology is on the rise. However, this increase in use brings with it a number of concerns. While these concerns are many and varied (Standing and Standing, 2008, p. 225), the principle interest for the scope of this paper is that of cybersecurity.

The Australian government defines cybersecurity as 'Measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means' (Australian Government, Attorney Generals Department, 2015). Australia pays particular attention to cybersecurity concerns, noting that cybersecurity is one of Australia's national security priorities due to the risk it poses on economic prosperity and social well being (Australian Government, Attorney General's Department, 2015). There is good evidence as to why this is the case, according to a SANS Institute report on traffic analysed and captured between September 2012 and October 2013, Health care providers accounted for 72% of overall malicious traffic indicating that their networks had been compromised in some fashion (Filkins, 2014, p. 3). Further to this, an independent study conducted by the Ponemon Institute in March 2014 concluded, that between 2013 and 2014, healthcare companies saw a 72% increase in cyber attacks with the healthcare industry accounting for 24% of all breaches which occurred in 2014 (Gomez &Konschak 2015, p.1). This issue has certainty raised the heads of the Australian Therapeutic goods Administration who now class medical device cybersecurity as a key issue to address for 2016 (Australian Government, 2016e).

1.2Research Motivations

Vulnerabilities associated with medical devices are well known, we saw in the introduction that the SANS Institute reported a high percentage of malicious traffic originating from healthcare networks, but digging deeper, the problem appears to be broader than this, indeed the InfoSec Institute reports that health related data is now worth 10 times more than credit card data on the black market selling for up to USD$500 per patient (Ja 2015). With values this high healthcare records have become an attractive target for organised crime gangs, the FBI for example reported theft of some 4.5 million patient records in 2014 after one of the largest U.S. Hospital operators fell victim to attack (HumerFinkle 2014). The problem is becoming such a concern that regulatory bodies such as the Food and Drug Administration in the U.S. and the Therapeutic Good Administration (TGA) here in Australia have both issued recommendations to medical device manufactures to incorporate vulnerability mitigation in their product designs (US Department of Health and Human Services 2013; Australian Government 2016e). It is not immediately clear why healthcare data makes a lucrative target, however some researchers such as IBM and the Medical Identity Fraud Alliance suggests that the stolen data helps to facilitate fraud against medical insurers where scammers effectively pose as the patient of the stolen data and submit claims against the health insurers to receive reimbursements for expensive surgery that they have not actually received (Rodionova 2016). The same report lists Healthcare entities as the current number one target for hackers and predicts that the number of hacks against healthcare entities will continue to rise as long as healthcare data retains its value (Rodiovova 2016).

The risk to healthcare data then is clearly understood and seems to get broad coverage in the media, yet, we continue to see Hospitals and healthcare facilities falling victim to these attacks, the U.S. Department of Health and Human services for example report that the healthcare industry currently averages some 4 data breaches per week (Akpan 2016).

1.3Research QuestionsThat being said, the reasons for conducting this research are to investigate in depth what is being done to tackle the medical device cybersecurity vulnerability problem. More specifically, the research conducted in this paper aims to discover:

1. What level of effort has been contributed by different associated parties to mitigate against vulnerabilities associated with medical devices

1. Why the level of effort contributed by Australian Private Hospitals appears to be low

1.4Research aims and objectivesThis researchincludes a number of different approaches to identify and determine the levels of effort contributed to tackling the medical device cybersecurity problem and as such the following research objectives aim to be met:

1. conduct a comprehensive review on available literature to identify which areas of medical device vulnerability mitigation have received attention from security researchers and other relevant stakeholders (we referred to this as “Efforts” in the remainder of this paper).

2. Design and construct a tool set in order to calculate a ‘level of effort’ based on evidence gathered in the literature review, (we refer to this as the Medical Device Vulnerability Mitigation Effort Gap Analysis (MDV-MEGA) toolset in the remainder of this paper).

3. Measure the resulting evidence against the constructed MDV-MEGA toolset

4. Survey a number of Australian private hospital facilities to determine the factors which lead to an apparent low level of effort in tackling the medical device cyber security problem

1.5Expected Outcomes

The expected outcomes of this research are twofold, firstly the researchaims to provide a better understanding of the effort gaps which exist in the way the medical device cybersecurity problem has been tackled. A better understanding and identification of existing gaps will allow any relevant stakeholders to concentrate their focus onto the areas which lack effort. Secondly, byanalysing the approach that Australian medical facilities apply in tackling the problem will help identify any areas for improvement. These areas, once identified, can help healthcare facilities move forward and reduce exposure to vulnerabilities.

1.6Thesis Structure

The first question is essentially explored in Chapter 2 in which a literature review is presented. This literature review should be viewed as the precursor to a future study, a future study which aims to determine a method to plug a specific gap relating to medical device cybersecurity mitigation strategies. The first section of Chapter 2 exhibits theMethodology applied to the literature review, including the Search Strategy used to locate items of evidence and the qualification criteria applied to any literature for inclusion in the review. Following this is the literature review narration and the Discussion in which general trends, effort gaps and the MDV-MEGA toolset is presented. The final section of Chapter 2 presents a resulting Effort Level score Matrix which illustrates the calculated level of effort contributed by each relevant party when the evidence was assessed against the MDV-MEGA toolset. Material presented in this chapter was submitted for publication and is currently under peer review - Holdsworth J and Choo KKR. Medical Device Vulnerability Mitigation Effort Gap Analysis Taxonomy. [Under peer review]

The second question in this research will be addressed in Chapter 3 in which a survey involving a number of Australian private hospital facilities is presented. The first section of Chapter 3 presents the Methodology of the survey and its design including explanation and justification of each survey question. The second section presents the Results of the responses to the survey questions and following this is the narration and discussion of the findings in which an analysis and general survey trends will be discussed. Material presented in this chapter was submitted for publication and is currently under peer review – Holdsworth J and Choo KKR. What efforts have Australian private hospitals contributed to address the vulnerabilities associated with medical devices?.[Under peer review].

Chapter 4 is the final chapter of this thesis, and this section presents the overall conclusions of the study including any limitations and recommendations for improvements for future works.

Jay Holdsworth | LMIA | Master of Science (Cyber Security and Forensic Computing)1

Chapter 2

2.Literature Review

This literature review will only focus on the last six years, the period from 1 Jan 2011 to 31 March 2016. The reason for this is to ensure that the Effort Gaps identified in this research remain current. Cybersecurity threats are an ever evolving landscape, with new methods, attacks and vulnerability vectors changing rapidly (Choo, 2011) so it makes sense to ensure that the research remains relevant by restricting the research to a recent period in history. It is also important that this study presents a holistic view of Effort and as such, the focus for the review will be on 5 parties who are directly associated with Medical Device security, namely: Authority, Medical Device Manufacturers, Healthcare Facilities, Standards Organisations (including professional bodies and associations)) and Academia. To better understand the relevance of each of these parties in relation to medical device vulnerabilities, each party is defined below.

2.1 Definitions

The associated parties referred to in this study are parties which related to medical device vulnerabilities in some shape or form, but more specifically they include: Authority, Device Manufacturers, Healthcare Facilities, Standards Organisations (including professional bodies and associations and Academia. To better understand the relevance of each of these parties in relation to medical device vulnerabilities, each party is defined as follows:

Authority - ‘people with official legal power to make decisions or make people obey the laws in a particular area, such as the police or a local government department’ (Cambridge University Press 2016). Examples in this category would include, but is not limited to bodies such as The Therapeutic Goods Administration or the Australian Government.

Medical Device Manufacturers - referred to in this study as an entity that produces designs or manufactures medical device goods as defined earlier by the Australian Government (2016b). This is a fairly broad ranging definition and as such, it is not just limited to physical device manufacturers but also software developers for medical applications, such as software based patient administration systems or medication management software for example.