The Medical Device Security testbed in the Electrical and Computer Engineering Department of Virginia Commonwealth University is a blend between computational lab and mock hospital room. As hospitals and home healthcare environments are an integral part of every community in the developed world, it becomes advantageous to explore how this operational technology impacts the larger community and how it could be integrated with opencybercity technologies in a productive fashion. It is also important to investigate how to mitigate risk associated with the increased threat profile that comes with doing so.
This testbed allows for research that adds value to the security of operational technology as it applies to the healthcare industry, both in commercial/inpatient environments as well as home healthcare, by focusing on:
Offensive security and penetration testing commercial medical devices to locate and provide suggestions for the mitigation of vulnerabilities through detailed analysis of protocols and adherence to standards.
Secure by design device analysis to include mission aware, multi-level safety and monitoring.
AI in Medical Devices
Applying machine learning in medical devices and medicine to tune hyperparameters to customize device operation for specific users based on their baseline biometrics and medical needs, and potentially identify abnormal operation through data analysis.
Offensive security research in the Medical Device Security testbed is focused on testing commercial medical devices to locate and provide suggestions for the mitigation of vulnerabilities through detailed analysis of protocols and adherence to standards.
Commercial network medical devices are tested for common security vulnerabilities before undergoing a detailed analysis of protocols they are using and their conformance to the standards. Any vulnerabilities found will be published after a responsible disclosure period. Current devices undergoing testing include an ultrasound, several patient monitors, two electrocardiographs, a ventilator, and several wearables. Networked medical devices designed at VCU will also be pen tested at the discretion of the researcher that developed the device.
PhD students conducting research at the Medical Device Security testbed located at VCU.
Addressing device insecurity needs to happen at every level of operation, not only during user interaction and data management.
This team will focus on Cyber Resilience to include mission aware, multi-level safety and monitoring.
One aspect of this is FPGA circuit specific OT devices that are used to perform the specific necessary tasks and communicate in a way that doesn’t allow the device to be used for purposes other than intended. These devices are intended to operate in critical portions of the network where device failure may impact patient health or cause a more significant safety and security issue.
A high level network diagram of the Medical Device Security testbed.
Artificial Intelligence in Medical Devices
Artificial Intelligence (AI) and Machine Learning (ML) have direct applications for all levels of medical device functionality, security, and patient care. With the increased move to long-distance healthcare comes the opportunity for customized care via data collection over time and electronic medical records available to a primary care physician. Applying machine learning to collected data can be used to create a profile with a customized baseline for physicians to review and makes it possible to look for patient-specific anomalies or concerns.
The same methodology can be used to create specific device profiles and analyze incoming data to determine if there are issues with sensor placement, device degradation, or other maintenance related needs. At all levels, when paired with traditional security practices, machine learning can bolster responses to common, recognized attacks based on the unique ‘fingerprint’ of system interaction.
The devices in the Medical Device Security testbed can be used to create a network of stationary and wearable devices for collecting human data that than can be stored in a database and 1) analyzed locally for anomalies that may indicate sudden medical emergencies such as dangerous glucose spikes or heart attacks, 2) compiled for review by a physician during consultation for a more complete picture of health issues, and
3) used as part of the OpenCyberCity testbed to simulate environmental interaction with occupants, specifically, simulated telehealth or long-term care scenarios. Collected ‘patient’ data can also be used for analytics purposes to create programs for increasing the veracity of electronic medical records.