Chapter I

INTRODUCTION

Innovation in healthcare systems such as wearable or implantable
devices has brought positive effects on the diagnosis and treatment for a range of medical
conditions. Devices such as fertility monitor and reader, glucose monitoring and drug
infusion can now be accessed remotely via the internet. Since there is a network of
communication between these medical devices, there is a possibility that an attack may
happen like altering data on the device. To prevent such incident, we propose a way to
protect patients safety by our Medical Guard (MediGuard).
According to Scott Armitage in October 2011, some of the network
attacks include jamming and authentication / association flooding. Jamming works by
generation RF noise in the frequency range used by wireless networking equipment.
Particularly in the 2.4GHz range such as microwaves, baby monitors radar etc. Through
their everyday use, these devices can disrupt wireless networks operating nearby. In
Authentication / association flooding, the attacker tries to flood the Access Point (AP) with
authentication and association frames. To flood, the attacking device will spoof its wireless
MAC address then, rapidly and repeatedly, try associating to the AP. This has the effect of
consuming the APs memory and processing ability, denying service to legitimate clients.
There is a need to research about the different cyber/wireless attacks
on data and operation of devices and the necessary actions to counter attack them to protect
the device integrity.
The objective of the study is to develop a monitoring system that
would determine and prevent any wireless attacks that can affect the data and operation of
the medical devices.
Due to the absence of right protection of these medical systems, the
wireless channel is identified to be prone to network attacks. Having said, the integrity of
these systems and the life of the patients are at risk. To better understand the threats, for
example, in glucose monitoring and insulin delivery system, the attacker can interfere
between the controller and the device to edit / configure the intended therapy such as
increasing/decreasing the prescribe dosage and editing on the data sent by the device to the
server. Hence, there is a need for a security monitor that snoops on all RF wireless
communications and use detection to identify malicious attacks.
The scope of the study is to only provide a security monitor with
regards to the device integrity. Meaning, it only provides a layer or security that the devices
in the network will produce the real data and in proper operation. Thus, it does not cover the
attacks on the communication channel like an interruption or etc.








Chapter 2
REVIEW OF RELATED LITERATURE

CYBER-ATTACK has always been a problem in medical systems.
According to the US Food and Drug Administration (FDA) in June 2013, most medical
devices today contain embedded computer systems that are configurable, meaning they can
be altered or tweaked, making them vulnerable to cyber-security breaches. The threat has
become more serious over the last fifteen years as medical devices are interconnected
through hospital networks and each type of connection increases their vulnerability to
malicious attacks. FDA has become aware of the cyber-security vulnerabilities such as
medical devices that are configured or connected to a network being disabled by malware,
malware penetrating hospital smartphones, tablets and other mobile devices that use Wi-Fi
technology to access patient information and lack of proper security regarding passwords,
disabled passwords and hard-coded passwords.
MEDICAL devices sold in America (The worlds largest health-care
market) rely on software. A pacemaker may depend on more than 80,000 lines of code to
keep it going and a magnetic-resonance imaging (MRI) scanner more than 7m lines. That
makes bugs and security flaws inevitable. In 2008, a paper published by a team led by Kevin
Fu, a computer scientist now at the University of Michigan, showed how an implantable
defribrillator could be remotely reprogrammed to withhold therapy or to deliver unnecessary
shocks. The underlying problem, according to Dr Fu, is that when it comes to testing their
software, device manufacturers lack the safety culture found in other high-risk industries
such as avionics (The Economist, June 2013).

Chapter 3
MEDIGUARD: SECURING MEDICAL DEVICES THROUGH MONITORING AND
DETECTION

Abstract
Throughout the years, there have been technological advances in
healthcare systems that are implantable and wearable. These advances improved the
quality of diagnosis and treatment for different medical conditions. However, wireless
connectivity of these devices are vulnerable to malicious cyber-attacks. We propose a
system to secure these medical devices based on wireless channel monitoring and threat
detection. Our proposal is a security monitor that snoops on wireless communications
and uses layered anomaly detection to identify malicious transactions. Once there is a
detection of a malicious transaction, MediGuard will take appropriate actions such as
notifying the user or interfering with the packets so that it will not hack the device. The
feasibility of our proposal is demonstrated by developing a monitor for insulin delivery
system. Its effectiveness is evaluated under several attack scenarios.


Keywords: Security Monitor, Medical Devices, Wireless, Cyber-
Attacks, Medical Systems.

INTRODUCTION
Innovation in healthcare systems such as wearable or implantable
devices has brought positive effects on the diagnosis and treatment for a range of medical
conditions. Devices such as fertility monitor and reader, glucose monitoring and drug
infusion can now be accessed remotely via the internet. Since there is a network of
communication between these medical devices, there is a possibility that an attack may
happen like altering data on the device. To prevent such incident, we propose a way to
protect patients safety by our Medical Guard (MediGuard).
According to Scott Armitage in October 2011, some of the network
attacks include jamming and authentication / association flooding. Jamming works by
generation RF noise in the frequency range used by wireless networking equipment.
Particularly in the 2.4GHz range such as microwaves, baby monitors radar etc. Through
their everyday use, these devices can disrupt wireless networks operating nearby. In
Authentication / association flooding, the attacker tries to flood the Access Point (AP) with
authentication and association frames. To flood, the attacking device will spoof its wireless
MAC address then, rapidly and repeatedly, try associating to the AP. This has the effect of
consuming the APs memory and processing ability, denying service to legitimate clients.
There is a need to research about the different cyber/wireless attacks
on data and operation of devices and the necessary actions to counter attack them to protect
the device integrity.
The objective of the study is to develop a monitoring system that
would determine and prevent any wireless attacks that can affect the data and operation of
the medical devices.
Due to the absence of right protection of these medical systems, the
wireless channel is identified to be prone to network attacks. Having said, the integrity of
these systems and the life of the patients are at risk. To better understand the threats, for
example, in glucose monitoring and insulin delivery system, the attacker can interfere
between the controller and the device to edit / configure the intended therapy such as
increasing/decreasing the prescribe dosage and editing on the data sent by the device to the
server. Hence, there is a need for a security monitor that snoops on all RF wireless
communications and use detection to identify malicious attacks.
The scope of the study is to only provide a security monitor with
regards to the device integrity. Meaning, it only provides a layer or security that the devices
in the network will produce the real data and in proper operation. Thus, it does not cover the
attacks on the communication channel like an interruption or etc.

Methodology

In this section, the implementation of medical monitoring for a glucose monitoring
and insulin delivery system. This section will provide the experimental setup and
scenarios for attack.


(a) Experimental setup. (b) Intercepted wireless signal.

A.) Setup
Figure (a) above shows the glucose monitoring and insulin delivery system. It consist
of the following components:
A glucose sensor, which samples blood glucose levels on a continuous basis,
typically every few minutes.
A manual glucose meter, which is used to manually measure blood glucose
levels.
An insulin pump, which performs autonomous administration of insulin
through subcutaneous infusion.
A remote control, which is used to program the insulin pump to reconfigure
parameters or to cause the pump to inject a bolus dose (e.g., in advance of an
event that will cause a surge in blood glucose levels, such as a meal).
Two Universal Software Radio Peripheral (USRP) boards, which can
intercept radio communications within a frequency band and generate wireless
signals with different frequency, modulation and power configuration
The first USRP will simulate the attacker while the other one will implement the
medical monitoring. Each USRP has two transmit/ receive paths that can be used
independently. The passive mode can be implemented using only one path of USRP
configured as a receiver. The active mode requires both paths, where one acts as a
receiver and the other one as a transmitter to send jamming signals. For the
monitoring USRP, the RF signal is down-converted to the baseband and then sampled
at 64MS/s. The sample will be decimated to 320 kS/s before being transferred to
computer via USB in the form of stream and floats.
Figure (b) contains the intercepted and down-converted wireless signal sent by the
remote. A data packet contains a synchronizing sequence of 0s and 1 s, device
type, device PIN, command, cyclic redundancy check (CRC).
B.) Attack Scenarios
There are two classification of potential attacks on the insulin delivery system which
is based on the wireless links being exploited and nature of the security breach.

1) Classification Based on Exploited Links: In the insulin delivery system, there exist
several wireless links: the link from the sensor to the pump to continuously transmit
glucose data, the link from the manual meter to the pump to transmit glucose
data (the messages on this link are manually triggered), and the link from the remote
control to the pump to transmit control commands. All three links can be exploited by
an attacker.
2) Classification Based on Security Breaches: By exploiting a particular wireless link,
the following attacks can be launched. If the attacker does not know the device PIN of
the remote control or glucose meter/sensor, some of the possible attacks are:
Privacy attacks: Eavesdropping on any wireless link in the insulin delivery system
exposes: 1) the existence of the therapy and the glucose level, and thus the medical
condition of the patient, 2) the device type, and 3) the device PIN, which gives the
attacker an open door to launch all the attacks discussed in the next group.
Integrity attacks: Even without the knowledge of the device PIN, by relaying
transmission signals (intercepting and replaying later), the attacker can still control
the insulin pump or report an incorrect (past) glucose reading to
the insulin pump.
Availability attacks: Attackers can simply jam the communication channel, causing
incorrect operation.
If the PIN of the remote control, manual glucose meter or sensor is known by the
attacker, attacks can be launched by impersonating the respective device. The
consequences of such attack could include: 1) the attacker can stop the insulin
injection into the human body, 2) the attacker can resume insulin injection into the
human body, if it is currently stopped, and 3) the attacker can inject different dose
into the human body, which may lead to hypoglycaemia and, hence, endanger the
patients life.
C.) Security Policies
The signal transmitted to glucose meter and the remote control should be coming
from the patient. Commands allegedly sent by the remote control or data allegedly
sent by the manual glucose meter, which are not authorized by the patient must have
been sent by an attacker. The monitor will jam any command signal by default and
gives off a warning for any meter or remote transmission by default. However,
commands coming from the patient are jammed too, making the remote control and
glucose meter useless. To solve this, the patient should just manually turn off the
jamming or the medical monitoring device before initiating transmission to allow the
command to pass. The patient can enable the jamming or the device right after the
transmission if completed. If the attacker continuously transmit forged messages, the
patient should not turn off the medical monitoring device while the warnings are still
present. If continuous malicious signal interfere with normal signals causing the
insulin pump to stop responding to normal commands, the patient should immediately
turn on the medical monitoring device.
The monitor raises warnings when data transmissions from the manual
glucose meter or remote control are detected. If a warning arrives when the patient is
not using the glucose meter, the patient will know that an attack is taking place. The
warnings also ensure that the patient forgot to turn off the jamming before
transmitting a legitimate command. Finally, the small window of vulnerability, when
the monitor is disabled, can be eliminated by operating the monitor in passive mode
and report only successful data transmission to the user. If the user receives different
transmission report, the user should reset the pump and its parameters.






TABLE I
IMPLEMENTED SECURITY POLICIES FOR THE INSULIN DELIVERY
SYSTEM

References
Food and Drug administration. FDA Safety Communication: Cybersecurity for Medical
Devices and Hospital Networks.
Intel Architecture Processors. Increasing Medical Device Security with Mainstream IT
platforms and Technologies.
Talbot, D. (2013). Encrypted Heartbeats Keep Hackers from Medical Implants.