University of South Australia
Division of Information Technology, Engineering and the Environment
School of Information Technology & Mathematical Sciences
Medical device vulnerability
mitigation efforts
Jay Holdsworth
A thesis submitted to
University of South Australia
in partial fulfilment of the requirements for the degree of
Master of Science (Cyber Security and Forensic Computing)
Supervisor: Dr. Kim-Kwang Raymond Choo
Contents
List of Figures.....................................................................................................................ii
List of Tables.....................................................................................................................iii
List Of Abbreviations.........................................................................................................iv
Declaration.........................................................................................................................v
Abstract.............................................................................................................................vi
Acknowledgement............................................................................................................vii
Chapter 1...........................................................................................................................1
1. Introduction................................................................................................................1
1.1 Problem Definition.....................................................................................................1
1.2 Research Motivations.............................................................................................3
1.3 Research Questions:..................................................................................................4
1.4 Research aims and objectives....................................................................................4
1.5 Expected Outcomes...................................................................................................5
1.6 Thesis Structure.........................................................................................................5
Chapter 2...........................................................................................................................1
2. Literature Review........................................................................................................1
2.1 Definitions...................................................................................................................... 1
2.2 Methodology.............................................................................................................2
2.2.1 Search Strategy...................................................................................................3
2.2.2 Search Criteria....................................................................................................3
2.2.3 Key Word Examples............................................................................................3
2.2.4. Data Source........................................................................................................4
2.2.6. Data Collation/Presentation...............................................................................1
2.3 Review of Literature..................................................................................................1
2.3.1 Authorities..........................................................................................................1
2.3.2 Device Manufacturers........................................................................................5
2.3.3 Healthcare Facilities / Services Organisations....................................................7
2.3.4 Standards Organisations & Professional Bodies...............................................10
2.3.5 Academia..........................................................................................................14
2.3.6 Frameworks......................................................................................................14
2.3.7 Taxonomies/ Classifications..............................................................................15
2.3.8 Case Studies......................................................................................................18
2.3.9 Designs............................................................................................................. 19
2.4 Findings....................................................................................................................20
2.4.1 Research Trends...............................................................................................21
2.3.2 Effort Trends.....................................................................................................22
2.3.3 MDV-MEGA......................................................................................................24
Chapter 3.........................................................................................................................27
3. Survey & Questionnaire.............................................................................................27
3.1 Methodology........................................................................................................... 28
3.1.1 Sample...................................................................................................................29
3.1.2 Facilities.................................................................................................................29
3.1.3 Respondents..........................................................................................................30
3.1.4 Data Collection......................................................................................................30
3.1.5 Interview Design & Administration........................................................................33
3.1.6 Response Scoring...................................................................................................33
3.2 Results..........................................................................................................................35
3.2.1 Hospital A: South Australia....................................................................................35
3.2.2 Hospital B: Western Australia................................................................................37
3.2.3 Hospital C: Tasmania.............................................................................................40
3.2.4 Hospital D: Queensland.........................................................................................43
3.3. Findings....................................................................................................................... 47
3.4 Analysis.........................................................................................................................47
3.5 Maturity Scores............................................................................................................49
3.6 Trends...........................................................................................................................50
Chapter 4.........................................................................................................................53
4. Conclusions, Limitation & Further Work....................................................................53
4.1 Literature Review.....................................................................................................53
4.1.1 Literature Review Limitations................................................................................54
4.2 Survey & Questionnaire...........................................................................................55
4.2.1 Survey Limitations................................................................................................57
4.3 Future Works................................................................................................................57
References.......................................................................................................................59
List of Figures
Figure 1: Research trends in the last 5 years..........................................................................21
Figure 2: MDV-MEGA Toolset.................................................................................................26
Figure 3: Survey Questions.....................................................................................................32
Figure 4: Maturity Assessment Matrix...................................................................................34
Figure 5: Maturity Matrix.......................................................................................................50
List of Tables
Table 1: Percentage of Contributed Effort by Associated Party.............................................22
List Of Abbreviations
LOM Level of Maturity
IMS Initial Maturity Score
MDAS Medical Device Awareness Score
MDV-MEGA Medical Device Vulnerability Mitigation Effort Gap Analysis
WHO World Health Organisation
FDA Food and Drug Administration (US)
TGA Therapeutic Goods Administration (Aus)
EMA European Medicines Agency
MIFA Medical Identity Fraud Alliance (US)
AHA American Hospital Association (US)
NHS National Health Service (UK)
NH-ISAC National Health Information Sharing & Analysis Centre (US)
HL7 Health Level 7 International
MAUDE Manufacturer & User Facility Device Experience (US)
mHealth Mobile Health
BYOD Bring Your Own Device
NSQHS National Safety & Quality Health Service Standards (Aus)
ACSQHC Australian Commission on Safety & Quality in Health Care (Aus)
ACHS Australian Council on Healthcare Standards (Aus)
Declaration
I declare that this thesis does not incorporate without acknowledgment any material
previously submitted for a degree or diploma in any university; and that to the best of my
knowledge it does not contain any materials previously published or written by another
person except where due reference is made in the text.
Jay Holdsworth
24th October 2016
Abstract
The use of medical devices in healthcare networks is increasing as governments and private
entities look to improve clinical outcomes while reducing overall costs associated with
healthcare service delivery. These devices which used to be stand-alone, are now becoming
more integrated with corporate and clinical networks, sharing data between devices and
other data information systems. As a result, healthcare networks are being targeted by
hackers and malicious users and there is increasing concern about the possible risks that
medical devices pose to both the security of patient data and the physical safety of patients.
What seems to be unclear is what effort has been made by relevant associated parties to
tackle the medical device cybersecurity problem. This paper therefore aims to explore that
level of effort and understand what has been done to tackle the problem. This paper does
this in two ways, firstly a Medical Device Vulnerability Mitigation Effort Gap Analysis
Taxonomy (MDV-MEGA) toolset is proposed which allows the contribution efforts to be
measured against a set of reviewed literature. Secondly, a survey is conducted against a
sample of Australian private hospitals to understand why according to the applied toolset,
they were one of the lowest scoring parties in terms of effort contributed. The literature
review in this paper reviews literature over the last 6 years and focusses on 5 specific
associated parties: Authority, Device Manufacturers, Healthcare Facilities, Standards
Organisations and Academia. In the accompanying survey, we interview participants from
four Australian private hospitals, representing South Australia, Western Australia, Tasmania
and Queensland. The resulting study suggests that while the importance of ensuring the
cybersecurity of medical devices is increasingly recognised by Australian healthcare
facilities, there are significant gaps in terms of guidance and the technical know-how (e.g.
not provided with clear directions about how to protect against device vulnerabilities).
Acknowledgement
I would like to thank my academic supervisor, Raymond Choo, for all of his help,
encouragement and patience throughout this work. His expert knowledge in the field of
cybersecurity has been extremely helpful and his input very much appreciated. I would also
like to thank my Employer (The Burnside War Memorial Hospital) for their generosity in
allowing me time to conduct my studies alongside my professional working role.
Outside of the university and my employer, I would like to thank my partner and family for
their support, not only during the writing of this thesis, but during the years of study leading
up to it.
Chapter 1
1. Introduction
1.1 Problem Definition
Modern medicine and medical practice adopt an evidence-based approach to healthcare,
and this evidence-based care has become the de facto standard of health service delivery
across the developed world (Henegan & Godlee, 2013). Indeed, the World Health
Organization (WHO) suggests that information systems and technology are key to modern
evidence-based health practices, and evidence shows that, increasingly, technology is
becoming an important tool for delivering modern evidence-based clinical care (Rodrigues,
2000).
The push to adopt evidence based care has, therefore, seen an increase in the proliferation
of medical technology, particularly in the form of medical devices where they have now
become ubiquitous, providing large scale healthcare gains (McGee, Webster, Rogerson &
Craig, 2012). While there are many different definitions of a medical device, such as that by
the US Food and Drug Administration (FDA) (2015a) or the European Medicines Agency
(EMA) (2015), this paper will use the Australian definition, where a medical device will be
taken to mean:
any instrument, apparatus, appliance, material or other article (whether used alone or
in combination, and including the software necessary for its proper application)
intended, by the person under whose name it is or is to be supplied, to be used for
human beings for the purpose of one or more of the following:
i. diagnosis, prevention, monitoring, treatment or alleviation of disease;
ii. diagnosis, monitoring, treatment, alleviation of or compensation for an injury or
handicap;
iii. investigation, replacement or modification of the anatomy or of a physiological process;
iv. control of conception;
and that does not achieve its principal intended action in or on the human body by
pharmacological, immunological or metabolic means, but that may be assisted in its
function by such means; or
b. an accessory to such an instrument, apparatus, appliance, material or other article.
(Australian Government, 2016b)
Jay Holdsworth | LMIA | Master of Science (Cyber Security and Forensic Computing) 1
The earlier observation made by McGee, Webster, Rogerson & Craig (2012) seems to have
general consensus as medical devices are shown to help in a number of healthcare factors
such as the facilitation of more efficient work flows through automation (Zhang, Cocosila &
Archer, 2010), improving surgical accuracy, patient recovery times and reducing overall
lengths of stay (Mihailidis, Krones & Boger, 2006). Further, some authors suggest better
detection rates and improved monitoring and treatment of diseases as a result of
introducing medical devices (Lanterman, 2015), while others suggest a reduction in
fragmented primary care services and reduced cost associated with clinical provision
(DePhillips, 2007).
Given the overall gains and potential advantages provided by medical devices, it is of no
surprise that technologically advanced countries, such as the USA and China, are investing
heavily in medical technology with an aim to increase its overall adoption. It has been
suggested that as of 2015, 55% of medical professionals in the USA are using medical devices,
due largely to increased government funding (Silva et al, 2015), while China's
government is poised to invest some AUD $1.78 billion on medical device and drug research
throughout 2012-2017 (Stoner, 2012). Closer to home here in Australia, the State of New
South Wales reported an annual export of AUD $1.12 billion worth of medical device
technology in 2012, with this figure set to increase into the future (Stoner, 2012).
Clearly then, the use of medical device technology is on the rise. However, this increase in
use brings with it a number of concerns. While these concerns are many and varied
(Standing and Standing, 2008, p. 225), the principal interest for the scope of this paper is
that of cybersecurity.
The Australian government defines cybersecurity as 'Measures relating to the
confidentiality, availability and integrity of information that is processed, stored and
communicated by electronic or similar means' (Australian Government, Attorney General's
Department, 2015). Australia pays particular attention to cybersecurity concerns, noting
that cybersecurity is one of Australia's national security priorities due to the risk it poses to
economic prosperity and social well-being (Australian Government, Attorney General's
Department, 2015). There is good evidence as to why this is the case: according to a SANS
Institute report on traffic captured and analysed between September 2012 and October
2013, healthcare providers accounted for 72% of overall malicious traffic, indicating that
their networks had been compromised in some fashion (Filkins, 2014, p. 3). Further to this,
an independent study conducted by the Ponemon Institute in March 2014 concluded that
between 2013 and 2014, healthcare companies saw a 72% increase in cyber attacks, with the
healthcare industry accounting for 24% of all breaches which occurred in 2014 (Gomez &
Konschak 2015, p.1). This issue has certainly raised the heads of the Australian Therapeutic
Goods Administration, which now classes medical device cybersecurity as a key issue to address
for 2016 (Australian Government, 2016e).
1.2 Research Motivations
Vulnerabilities associated with medical devices are well known. We saw in the introduction
that the SANS Institute reported a high percentage of malicious traffic originating from
healthcare networks, but digging deeper, the problem appears to be broader than this;
indeed, the InfoSec Institute reports that health-related data is now worth 10 times more
than credit card data on the black market, selling for up to USD$500 per patient (Ja 2015).
With values this high, healthcare records have become an attractive target for organised
crime gangs; the FBI, for example, reported the theft of some 4.5 million patient records in 2014
after one of the largest U.S. hospital operators fell victim to attack (Humer & Finkle 2014).
The problem is becoming such a concern that regulatory bodies such as the Food and Drug
Administration in the U.S. and the Therapeutic Goods Administration (TGA) here in Australia
have both issued recommendations to medical device manufacturers to incorporate
vulnerability mitigation in their product designs (US Department of Health and Human
Services 2013; Australian Government 2016e). It is not immediately clear why healthcare
data makes a lucrative target; however, some researchers such as IBM and the Medical
Identity Fraud Alliance suggest that the stolen data helps to facilitate fraud against medical
insurers, where scammers effectively pose as the patient whose data was stolen and submit
claims against the health insurers to receive reimbursements for expensive surgery that
they have not actually received (Rodionova 2016). The same report lists healthcare entities
as the current number one target for hackers and predicts that the number of hacks against
healthcare entities will continue to rise as long as healthcare data retains its value
(Rodionova 2016).
The risk to healthcare data, then, is clearly understood and seems to get broad coverage in
the media; yet we continue to see hospitals and healthcare facilities falling victim to these
attacks. The U.S. Department of Health and Human Services, for example, reports that the
healthcare industry currently averages some 4 data breaches per week (Akpan 2016).
1.3 Research Questions
The reasons for conducting this research are to investigate in depth what is
being done to tackle the medical device cybersecurity vulnerability problem. More
specifically, the research conducted in this paper aims to discover:
1. What level of effort has been contributed by different associated parties to mitigate
against vulnerabilities associated with medical devices?
2. Why does the level of effort contributed by Australian private hospitals appear to be low?
1.4 Research aims and objectives
This research includes a number of different approaches to identify and determine
the levels of effort contributed to tackling the medical device cybersecurity problem,
and as such the following research objectives aim to be met:
1. Conduct a comprehensive review of available literature to identify which areas of medical
device vulnerability mitigation have received attention from security researchers and other
relevant stakeholders (we refer to this as "Efforts" in the remainder of this paper).
2. Design and construct a toolset in order to calculate a 'level of effort' based on evidence
gathered in the literature review (we refer to this as the Medical Device Vulnerability
Mitigation Effort Gap Analysis (MDV-MEGA) toolset in the remainder of this paper).
3. Measure the resulting evidence against the constructed MDV-MEGA toolset.
4. Survey a number of Australian private hospital facilities to determine the factors which
lead to an apparent low level of effort in tackling the medical device cybersecurity problem.
1.5 Expected Outcomes
The expected outcomes of this research are twofold. Firstly, the research aims to provide a
better understanding of the effort gaps which exist in the way the medical device
cybersecurity problem has been tackled. A better understanding and identification of
existing gaps will allow relevant stakeholders to concentrate their focus on the areas
which lack effort. Secondly, analysing the approach that Australian medical facilities
apply in tackling the problem will help identify any areas for improvement. These areas,
once identified, can help healthcare facilities move forward and reduce exposure to
vulnerabilities.
1.6 Thesis Structure
The first question is essentially explored in Chapter 2, in which a literature review is
presented. This literature review should be viewed as the precursor to a future study, one
which aims to determine a method to plug a specific gap relating to medical
device cybersecurity mitigation strategies. The first section of Chapter 2 exhibits the
methodology applied to the literature review, including the search strategy used to locate
items of evidence and the qualification criteria applied to any literature for inclusion in the
review. Following this is the literature review narration and the discussion, in which general
trends, effort gaps and the MDV-MEGA toolset are presented. The final section of Chapter 2
presents a resulting Effort Level Score Matrix, which illustrates the calculated level of effort
contributed by each relevant party when the evidence was assessed against the MDV-MEGA
toolset. Material presented in this chapter was submitted for publication and is currently
under peer review - Holdsworth J and Choo KKR. Medical Device Vulnerability Mitigation
Effort Gap Analysis Taxonomy. [Under peer review].
The second question in this research will be addressed in Chapter 3, in which a survey
involving a number of Australian private hospital facilities is presented. The first section of
Chapter 3 presents the methodology of the survey and its design, including explanation and
justification of each survey question. The second section presents the results of the
responses to the survey questions, and following this is the narration and discussion of the
findings, in which an analysis and general survey trends will be discussed. Material
presented in this chapter was submitted for publication and is currently under peer review -
Holdsworth J and Choo KKR. What efforts have Australian private hospitals contributed to
address the vulnerabilities associated with medical devices? [Under peer review].
Chapter 4 is the final chapter of this thesis, and presents the overall conclusions
of the study, including any limitations and recommendations for improvements for future
works.
Chapter 2
2. Literature Review
This literature review will only focus on the last six years, the period from 1 Jan 2011 to 31
March 2016. The reason for this is to ensure that the Effort Gaps identified in this research
remain current. Cybersecurity threats are an ever-evolving landscape, with new methods,
attacks and vulnerability vectors changing rapidly (Choo, 2011), so it makes sense to ensure
that the research remains relevant by restricting it to a recent period in history.
It is also important that this study presents a holistic view of Effort and as such, the focus for
the review will be on 5 parties who are directly associated with medical device security,
namely: Authority, Medical Device Manufacturers, Healthcare Facilities, Standards
Organisations (including professional bodies and associations) and Academia. To better
understand the relevance of each of these parties in relation to medical device
vulnerabilities, each party is defined below.
2.1 Definitions
The associated parties referred to in this study are parties which relate to medical device
vulnerabilities in some shape or form, but more specifically they include: Authority, Device
Manufacturers, Healthcare Facilities, Standards Organisations (including professional bodies
and associations) and Academia. To better understand the relevance of each of these parties
in relation to medical device vulnerabilities, each party is defined as follows:
Authority - 'people with official legal power to make decisions or make people obey the
laws in a particular area, such as the police or a local government department' (Cambridge
University Press 2016). Examples in this category would include, but are not limited to, bodies
such as the Therapeutic Goods Administration or the Australian Government.
Medical Device Manufacturers - referred to in this study as an entity that produces, designs
or manufactures medical device goods as defined earlier by the Australian Government
(2016b). This is a fairly broad-ranging definition and as such, it is not limited to physical
device manufacturers but also includes software developers for medical applications, such as
software-based patient administration systems or medication management software.
Healthcare Facilities – in this review Healthcare Facilities are taken to mean the ‘buildings,
equipment and services provided for the purpose of healthcare’ (Cambridge University Press
2016). Examples of this kind may include Hospitals, Nursing Homes, clinics etc.
Standards Organisations - Standards Organisations can be public or private organisations
and are typically independent bodies that aim to assist with the standardisation of
processes, policies and initiatives (Orviska, Nemec, & Hudson 2014). These organisations,
typically through consensus and discussion, help to establish uniform and de facto standards
that interested parties can follow to achieve a set standard. Examples of this type might
include the Institute of Electrical and Electronics Engineers (IEEE) or the International
Organisation for Standardisation (ISO).
Academia - in this review, Academia refers to any 'part of society, especially universities,
that is connected with studying and thinking, or the activity or job of studying' (Cambridge
University Press 2016). In this case we are searching for evidence of any form of
contribution from academic entities which have contributed something to the field of
medical device cybersecurity. Examples might include a thesis on a new cyber
protection mechanism for medical devices or a taxonomy of medical device cyber attack
techniques.
2.2 Methodology
The process of research conducted for this study draws inspiration and methods from a
number of other studies, namely Holdsworth & Kerslake (2015), Sackett & Wennberg (1997)
and Handoll & Smith (2003). The approaches from these three studies were favoured because
Holdsworth & Kerslake (2015) performed a systematic review and presented a classification
taxonomy, although their focus was on barriers to mobile health (mHealth) device adoption
rather than progress made against device vulnerabilities. Nonetheless, the process was
considered to be highly transferable to this study. Both Sackett & Wennberg (1997) and
Handoll & Smith (2003) were written specifically to provide guidance for research relating to
the medical field and were also considered directly transferable to this study. The strategies
utilised for this research are explained in the following section.
2.2.1 Search Strategy
Data from different sources including journals, articles, reports, studies and legislation were
searched and analysed. During the review, we paid particular attention to any mitigation
strategies that were suggested as part of specific or general medical device vulnerability
assessment. Each finding was briefly summarised and tagged with an associated party
classification. For example, if a piece of legislation mandated the reporting of any security
breach to a government entity, then this was classed as an item of effort from an
"Authority" and would be tagged with an associated party type of "Authority". A running
tally of the number of effort items for each associated party type was kept. At the
end of the review, a compilation of the tally score for each of the different strategies and
associated party types aimed to determine which parties had contributed effort. The
highest scoring party would be deemed to have contributed the most effort; the lowest
scoring party would be considered to have contributed the least amount of effort, and this
area would be flagged as an area needing further work. In other words, the lowest scoring
avenue is the identified gap in the overall study.
For this study, the data was searched for and analysed by applying specific criteria as
defined in the following sections.
2.2.2 Search Criteria
Prior to beginning the search for data, the search criteria needed to be determined.
Therefore, for this piece of work, logical search strings were constructed using words taken
from the topic question. These words then became 'keywords' which were put into a
search phrase to be entered as a search string. Throughout the research, keywords were
substituted with synonyms in an attempt to broaden the search. Examples of search strings
using this method are "mitigations against medical device vulnerabilities" or, when a
synonym is used, "improving medical device security".
2.2.3 Key Word Examples
The keywords used throughout the data search were derived from words in the topic
question and their associated synonyms. Examples include mitigation, medical devices,
security, taxonomy, effort, privacy, vulnerabilities, patient safety, framework, risks, and
categorisation.
2.2.4. Data Source
While planning this phase of the research, a decision was made to use data sources relating specifically to medicine and technology; as such, individual data sources such as Cochrane and PubMed (healthcare) and ACM, IEEE Xplore and Springer (technology) were selected. However, this quickly proved unsuitable for two reasons: firstly, a pilot search showed that the results were not broad enough to satisfy the requirements of a systematic review, and secondly, an assumption had been made that the only valid data sources are those of healthcare and technology. This assumption also fails the requirements of a systematic review because it does not cater for unexpected results. To correct this, the decision was made to search as many data sources as possible; however, a concern with this approach was the inefficiency of conducting such a review, for example the difficulty of typing one search string repeatedly into multiple databases. To overcome this problem, broad search tools were used, in this case Google Scholar and the university library's search tool. These tools return results from multiple databases for each individual search string, making the search much more efficient. They also overcame the earlier assumption regarding valid data sources, since they collected valid results from unexpected and much wider ranging sources.
2.2.5 Data Collection Qualification
During the search for data, decisions needed to be made to determine whether a result was valid for inclusion in the research. To help achieve this, a validation tool was used: a set of qualifying questions. These qualifying questions were run in 2 rounds against each set of data obtained from a keyword search result. Each round aimed to narrow down the results so that only data worth including in the study remained.
The qualifier is a set of 4 questions split into 2 rounds. Round 1 consists of 2 questions:
1. Are medical devices mentioned in the reading?
2. Is cybersecurity mentioned in the reading?
These first 2 questions were designed to be fairly broad, because any paper that mentions medical devices and cybersecurity is likely to add some weight to the overall context of the study. When the answer to both of these questions was “Yes”, the item was set aside for initial reading; otherwise it was discarded.
Round 2 ran a second set of qualifying questions against the papers that successfully made it through Round 1. The Round 2 questions were designed to be more focussed, aimed at finding data relating directly to the research question. Round 2 consists of 2 questions:
1. Are medical devices given importance in the reading?
2. Is cybersecurity given importance in the reading?
When the answer to either of the Round 2 questions was “Yes”, the item was retained for inclusion in the study.
The search terms and analysis questions were designed to assist with the discovery of relevant research material; however, further qualifying logic was applied to each data piece before it was included in the study. This additional logic is explained in the following section.
2.2.6. Data Collation/Presentation
Once the search for data had been completed and all qualified evidence retained, each piece of literature was analysed, paying particular attention to any mitigation efforts mentioned regarding the vulnerabilities of a medical device. A brief summary of each effort was recorded along with the type of associated party contributing the effort and a reference indicator showing which piece of literature it appeared in. This method allowed the number of effort items for each associated party type to be counted. The more often an effort item appears across the literature for a particular associated party type, the more effort that party type has contributed; conversely, the less often an effort item appears for a particular party, the less effort that party has contributed. In this format, the lowest scoring party type is the one that needs future work and increased focus.
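As an added illustration of the two-round qualification in section 2.2.5 and the per-party tally described above, the following Python script is not part of the thesis; it implements the screening and the tally over a handful of constructed readings. The `Reading` records, reference indicators, party names and effort summaries are all invented for the example, and the script flags the lowest scoring party type as the identified gap.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Reading:
    """One search result, with the answers to the four qualifying questions
    and the effort items (summary, associated party type) found in it."""
    ref: str                          # reference indicator for the piece of literature
    mentions_devices: bool            # Round 1, Q1
    mentions_cyber: bool              # Round 1, Q2
    devices_important: bool = False   # Round 2, Q1
    cyber_important: bool = False     # Round 2, Q2
    efforts: list = field(default_factory=list)


def round1(readings):
    """Round 1: retain a reading only if it mentions BOTH medical devices
    and cybersecurity; everything else is discarded."""
    return [r for r in readings if r.mentions_devices and r.mentions_cyber]


def round2(readings):
    """Round 2: of the Round 1 survivors, retain a reading if either topic
    is given importance."""
    return [r for r in readings if r.devices_important or r.cyber_important]


def collate(readings):
    """Record each effort item as (summary, party type, reference indicator)."""
    return [(summary, party, r.ref) for r in readings for summary, party in r.efforts]


def tally(rows, parties):
    """Count effort items per associated party type. Parties with no items
    still appear with a count of zero so they can be flagged as the gap."""
    counts = Counter({p: 0 for p in parties})
    for _summary, party, _ref in rows:
        counts[party] += 1
    return counts


def identify_gap(counts):
    """The lowest scoring party type is the identified gap. Ties are broken
    alphabetically so the result is deterministic."""
    return min(sorted(counts), key=lambda p: counts[p])


def run_review(readings, parties):
    """Full pipeline: Round 1, Round 2, collation, tally and gap."""
    retained = round2(round1(readings))
    rows = collate(retained)
    counts = tally(rows, parties)
    return {
        "retained": [r.ref for r in retained],
        "rows": rows,
        "counts": dict(counts),
        "gap": identify_gap(counts),
    }


PARTIES = ["Authority", "Device Manufacturer",
           "Healthcare Facility", "Standards Organisation"]

# Constructed sample readings (hypothetical; not papers from the review).
SAMPLE = [
    Reading("R1", True, True, devices_important=True,
            efforts=[("mandates breach reporting to a government entity", "Authority"),
                     ("publishes a device security disclosure statement", "Device Manufacturer")]),
    Reading("R2", True, False),   # no cybersecurity mention: dropped in Round 1
    Reading("R3", True, True),    # both mentioned only in passing: dropped in Round 2
    Reading("R4", True, True, cyber_important=True,
            efforts=[("issues a cybersecurity advisory", "Authority"),
                     ("segments clinical network from corporate network", "Healthcare Facility")]),
    Reading("R5", False, True),   # no medical device mention: dropped in Round 1
]

if __name__ == "__main__":
    result = run_review(SAMPLE, PARTIES)
    print(result["retained"])  # ['R1', 'R4']
    print(result["counts"])    # {'Authority': 2, 'Device Manufacturer': 1, 'Healthcare Facility': 1, 'Standards Organisation': 0}
    print(result["gap"])       # Standards Organisation
```

Seeding the tally with every party type at zero matters: a party that contributed nothing would otherwise be absent from the count and could never be flagged as the gap.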
2.3 Review of Literature
Any vulnerability present in a medical device has the potential to result in a serious health hazard to patients. One such event was the series of radiotherapy incidents analysed by Leveson & Turner (1993), in which faulty software resulted in patients being overexposed to high levels of radiation. To avoid a repeat of similar incidents, it is important to better understand how to prevent further adverse events occurring and how to mitigate, as much as possible, the consequences of a vulnerability. As of today, authorities seem to be aware that this is the case and advise generally that action in some form should be taken (FBI 2014; Australian Government 2016e; US Department of Health and Human Services 2013a). However, this is only a fairly recent development, because even in 2012 concerns were being raised about the lack of power that regulatory bodies had when evaluating medical devices before they entered the market (Anonymous 2012). While progress has at least been made since, it is not necessarily clear exactly what this progress is, or specifically what action has been taken.
2.3.1 Authorities
Evidence indicates that Authorities have made a substantial effort to provide guidance around what should be done. Firstly, by examining the FDA regulations from 1976 we can
see that for a medical device to be approved it must satisfy 4 steps: a determination as to whether the product is actually a medical device according to the FDA definition; a classification of the device according to the established FDA device classes; identification of a premarket pathway; and finally, in step 4, an application for a device exemption if clinical data needs to be collected using the device before it is approved (Jarow and Baxley 2015, p.129). An observation here is that this 4-step process and device classification scheme does not cater well for today's medical devices, which integrate heavily with third party networks such as those of a healthcare provider. This observation seems to have some consensus, with one author suggesting that when a device classed by the FDA as a class 3 device is plugged into a data network, the data network itself effectively becomes a class 3 device (Vasserman et al. 2011, p.72). Regardless of this, the 1976 4-step process does not allow for cyber vulnerability assessments as part of the approval process. The FDA seems to have realised this and in 2013 released a new set of recommendations stating that 'medical device manufacturers and healthcare facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack' (US Department of Health and Human Services, Food and Drug Administration 2013a). Some authors note that the advice specifically recommends that manufacturers should review their cybersecurity practice and that healthcare facilities should evaluate their network security and review access controls to guard against unauthorised entry (Anonymous 2013). In the specifics, the FDA guidelines list 6 already established and recognised standards which device manufacturers should follow to reduce device vulnerabilities and, further, state that documentation of vulnerabilities by way of a Disclosure Statement should be provided by manufacturers to the FDA and healthcare entities to assist them with device approval and deployment decisions (US Department of Health and Human Services, Food and Drug Administration 2014, pp. 4-6).
Recommendations are not just being put forward in the US, but also at home here in
Australia with the Therapeutic Goods Administration (TGA) following closely in the footsteps
of the FDA. In the Australian example, the TGA released a similar advisory in 2016 advising
'medical device sponsors and asset owners to perform risk assessments by examining the
specific clinical use of potentially affected products in the host environment' (Australian
Government 2016b). A notable difference in the global perspective is that the European Union (EU) does not seem to have made as much progress as the USA and Australia. One observation is that currently the only cyber security regulation around medical devices in the EU concerns the software development lifecycle of the software that drives a medical device (Klumper & Vollebregt 2015). The authors suggest that this lack of development in regulation as a whole is a surprise given the EU's push to adopt eHealth; however, given the size of the EU's membership and the sheer number of different member states, it could be argued that the speed at which policy decisions can be made will be much slower than in single-jurisdiction entities like the US and Australia. That being said, while there seems to be no published recommendation from a body in the EU similar to the TGA or FDA, legislation does provide some guidance. EU Directive 93/42/EEC mandates that any device which falls under its definition of a medical device must ensure that the
device may not compromise the clinical condition or the safety of patients when used in
the intended way... and that... risks have to be minimized (elimination of risks through
security by design, alerts have to warn about dangerous conditions, users have to be
informed about residual risks) (Neuhaus, Polze & Chowduryy 2011, pp. 17-18).
Authorities, whether through published recommendations or legislation, are clearly making an effort; however, there is concern that the effort is not enough. Shortly after the FDA recommendations were published, the American Hospital Association (AHA) suggested that the FDA could be doing more, particularly in making medical device manufacturers accountable for cybersecurity and requiring them to participate in information sharing activities with healthcare entities regarding vulnerabilities in devices (Anonymous 2014). This suggestion was seconded by US Senators, one example being a letter written to the 5 top medical device manufacturers a month after the FDA recommendations urging them to take action against cyber security threats (Boxer 2016). That being said, it is not completely clear why the AHA and Boxer think that the FDA general guidance is not enough, but one possible reason is that the exact number of incidents relating to medical device vulnerabilities is unclear. Indeed, taking a closer look at
the specific detail in the 2013 FDA Communication, the FDA advise that they are
not aware of any patient injuries or deaths associated with these incidents nor do we
have any indication that any specific devices or systems in clinical use have been
purposely targeted
(US Department of Health and Human Services 2013b).
Interestingly, the TGA in Australia advises the same, stating in its Medical Devices Safety Update bulletin that
Although there have been no reports of hacking attacks on medical devices in Australia,
there have been reports on such attacks overseas. Cybersecurity experts in Australia
have demonstrated a wide range of potential vulnerabilities in simulated attacks
(Australian Government 2016e).
While this might be the official stance, there does seem to be some confusion over the matter, because in 2016 it was revealed that since 2009 the Department of Veterans Affairs (VA) had reported at least 327 malware-infected devices and more than 40 other viruses infecting X-ray machines and laboratory devices across different VA hospitals (Weaver 2016). No deaths were recorded as a result of the incidents reported by Weaver, but the finding is at least partially in contrast to the statements made by both US and Australian authorities: although commodity malware often spreads opportunistically rather than being aimed at a specific device, an infected device has nonetheless been compromised, and it is difficult to argue that it was not the target of a malicious attack.
Incidents relating to medical device vulnerabilities then are still occurring despite the
recommendations made by the Authorities. Further, the Authorities do not seem to have a
clear grasp on the number of incidents occurring and perhaps this forms the basis of the
AHA's earlier concerns. Digging further into the literature, we start to see some reasons
which shed some light onto why the new recommendations might be ineffective. Indeed,
regarding the frameworks set by both the FDA and the TGA, any requirements for
mandatory reporting of cybersecurity vulnerabilities seem to be unclear; both frameworks give specific examples of what constitutes an adverse event, yet none of the examples mention cyber related incidents (Australian Government 2013; US Department of Health and Human Services 2015). In the same legislation, financial or legal penalties associated with failure to report also seem to be unclear, and this has perhaps led to a lukewarm response from medical device manufacturers to address cybersecurity issues when notified (Weaver 2016).
So far, then, we have discussed the legislative efforts made by Authorities to address the medical device cybersecurity problem and some of the challenges associated with this approach, including suggestions that Authorities blame medical device manufacturers for an apparent lack of effort. According to the literature, however, this is not necessarily the case.
2.3.2 Device Manufacturers
Medical device manufacturers do have an active role to play in cybersecurity efforts under the new TGA and FDA requirements, and some manufacturers recognise this. Koninklijke Philips (Philips), for example, report that they utilise and adhere to a well-developed cybersecurity framework throughout the development of a medical device (Hsu & Marinucci 2013, p. 176). However, upon closer inspection, even as of 2013 it seemed that the framework utilised was the 1991 US Federal Sentencing Guidelines for Organisations, a framework some 25 years old and inadequate for the types of cyber threats that exist today (Hsu & Marinucci 2013, p. 177). The same authors provide some insight as to why a more up-to-date framework has not been introduced, suggesting that device manufacturers have a tendency to focus on new product enhancements, functions and features in order to improve clinical speed, accuracy and ultimately sales volumes, which often results in cyber security aspects being overlooked. Philips are clearly aware of the medical device cyber security problem, because evidence suggests that they are actively applying effort to make devices more secure, particularly in the area of Wireless Body Sensor Networks (Patel & Wang 2011). Philips are not the only manufacturer making an effort, however; shortly after the FDA published their recommendations in 2013, Philips, together with 6
other of the world's largest healthcare device manufacturers (i.e. General Electric (GE) Healthcare, Abbott Laboratories, Medtronic, Boston Scientific, St Jude and Siemens Healthcare), came together as a consortium and discussed in detail a collaborative approach to device vulnerability mitigation (Medical Device Privacy Consortium 2013). During the discussion, the consortium was of the opinion that the majority of problems related to device vulnerabilities arose from a lack of understanding of the entirety of risks associated with a device, often because different parties have a different risk focus and do not necessarily have a mechanism by which those risks can be shared. This opinion seems to find general consensus in the industry, with other parties suggesting similar. Indeed, legal hurdles, lack of a common vocabulary and lean resources are some of the reasons why healthcare facilities and device manufacturers struggle to share information relating to vulnerabilities, which typically results in facilities working quietly with manufacturers to find a solution without raising public panic (Homa 2014).
To overcome this, the consortium proposed a holistic risk analysis framework designed to enable both manufacturers and healthcare facilities to better assess the cyber risks associated with the devices being designed and deployed (Medical Device Privacy Consortium 2013). An interesting observation is that the proposed framework seems to follow the principles set out in published standards such as ISO 14971, NIST SP 800-30 and SP 800-53, and IEC 80001, which will be covered later in this paper. Applying risk management strategies to reduce device vulnerabilities seems to be where medical device manufacturers are focussing their efforts (Wu & Eagles 2016). The authors suggest a couple of reasons why this is the case: one being that the new FDA guidance requires manufacturers to provide a Disclosure Statement of the risks (including cyber) associated with their devices, and secondly, because manufacturers are historically good at conducting clinical risk assessments on their devices and so are more inclined to utilise a similar approach for cyber risk assessments (Wu & Eagles 2016, p. 23).
Philips seem to be very aware of their Disclosure Statement and documentation
requirements under the new FDA guidelines as they provide access online to a fairly mature
database called the MDS2 (Manufacturer Disclosure Statement for Medical Device Security), which supplies Philips customers with information to help address vulnerabilities and risks associated with their products (Koninklijke Philips N.V. 2016). In addition, the database also contains specific security information regarding maintaining, storing and transmitting data, backup capabilities, patch management and patch installation guides, and best practice installation and configuration approaches. In contrast to the approach by Philips, the information provided by GE Healthcare seems somewhat limited, and perhaps more focussed on clinical risks than on cyber security risks (General Electric Company 2015, p. 12).
The MDS2 process is a useful tool for healthcare entities to use as it allows them to assess
the suitability of the device during the procurement process, however observations have
been made by some device manufacturers that even when the MDS2 information is made
available, healthcare facilities rarely utilise it, indeed, only 5% of healthcare organisations
reported considering cybersecurity as part of the procurement process (Coronado & Wong
2014, p. 27). This observation of device manufacturers pointing the finger at healthcare
organisations for lack of effort seems to have general consensus (Holden 2015; Hsu &
Marinucci 2013). Authors in this case suggest that this is typically a result of cyber security
and infrastructure decisions being made by clinical departments rather than ICT
departments (Hsu & Marinucci, 2013 p.178).
2.3.3 Healthcare Facilities / Services Organisations
Some device manufacturers then think that healthcare organisations should be doing more to tackle the device vulnerability problem, and this could be considered an accurate suggestion. In 2012, the healthcare sector was said to be responsible for 20% of all reported information security incidents, with healthcare entities such as Sutter, HealthNet and Tricare all suffering loss and theft of sensitive data due to poor data management practices (Vockley 2012, p.166). Taking this further, in a KPMG survey of executives from 223 US based healthcare facilities, 87% of the respondents showed evidence of a lack of understanding of cyber threats and failed to manage a cyber incident effectively (KPMG 2015, p. 3). Additionally, the report shows that although 1 hospital was making an effort to better assess and respond to cyber threats, 25% of the respondents did not know their
cyber threat response capabilities, nor how to detect an event if one actually occurred. The suggestion made by KPMG that healthcare facilities are not prepared to deal with device vulnerabilities seems to hold general consensus; the SANS Institute (2014) report shows that of the top three entities examined in the study, all three were unaware of malware infections across their networks (Filkins 2014, pp. 16-18). The general findings in the report were said to be an 'alarming illustration of how far behind the healthcare industry has fallen in terms of cybersecurity' (Wiltz 2014).
That being said, healthcare providers and facilities do seem to be making some effort to address their current situation. The Methodist Hospital of Southern California in the US, for example, has introduced a three-step Integrated Systems Management (ISM) program which involves risk assessment, risk mitigation and continual management of every medical device in use throughout the hospital (Coronado & Wong 2014, p. 27). This program aims to define each vulnerability related to each device and enables the hospital to develop a plan to address the vulnerabilities. This proactive approach to vulnerability mitigation was also taken by another US healthcare group, Essentia. In this case, however, the group undertook a 2-year study of its in-house security measures to determine its state of play regarding medical device management and vulnerability mitigation. Some of the issues identified related to X-ray and medication infusion equipment being accessible across the network, and the ability of non-authorised staff to amend medical records and associated data (Semples 2014, p. 100). Interestingly, Essentia decided to make the findings of the review publicly available in an effort to assist other healthcare facilities to address their own vulnerabilities. This collaborative approach seems to be somewhat effective: in an Australian example, researchers recently notified Sydney North Shore Hospital of the likelihood that its building management system could be vulnerable to attack and, as a result, the hospital conducted a risk assessment and decided to upgrade the system (Mackay, Sturmer, Macgibbon & McCorkle 2013). The collaborative approach to medical device security seems to be popular among healthcare providers; Sentara Healthcare, for example, partnered with a large network security firm in an attempt to identify and address existing security holes in their corporate and clinical networks. The review found that parts of the hospital network were not adequately segmented, creating a
risk of unauthorised access to medical devices and patient data. The hospital worked with
the security firm to develop a solution to segment the networks appropriately and mitigate
the risks (Cisco 2012). While these examples relate to a handful of specific healthcare
entities, a recent survey by the American Hospital Association (AHA) which covered 39% of
all US hospitals shows that as of 2015 more than 90% have already taken steps to
strengthen resilience against cyber security incidents (AHA 2015).
Some hospitals seem to point the finger back at the medical device manufacturers, effectively holding them to account for devices that fail to meet a required standard. Using an example from Franciscan Alliance Healthcare, policies are in place which mandate that, during the contract negotiation phase of an engagement, vendors must be able to demonstrate the security of their devices and systems and the type and quantity of data that can be accessed by the devices or systems (Taylor 2015).
So far the literature has turned up a lot of US based examples, but examples from other countries do exist. Take the UK, where there is evidence that the NHS is taking steps to mitigate vulnerabilities: Solent NHS Trust and Plymouth Hospitals NHS Trust, for example, have both implemented a range of measures to improve information governance across their hospitals. In this case, the data management concern was printing. Both hospitals identified incidents where sensitive data, including imagery from devices in theatre, was accidentally sent to the wrong printers, potentially allowing unauthorised staff to view the data. The migration to a centralised managed print service, with print jobs released at the printer by key fob and PIN, significantly reduced the frequency of misdirected prints (Mathieson 2015). In addition to this, Solent has implemented organisation wide information governance training courses which are compulsory for all staff; these courses remind employees about the Trust's information governance policies and how staff can remain compliant (Mathieson 2015).
So far we have seen examples of what effort Authorities, device manufacturers and
healthcare organisations are making in an attempt to tackle medical device vulnerabilities.
During the review of device manufacturer effort, literature revealed that in some instances
device manufacturers are utilising already established standards and frameworks as a
means to address the medical device cyber problem. That being the case, it makes sense to
review the effort that Standards Organisations and associated professional bodies have
contributed to tackle the problem.
2.3.4 Standards Organisations & Professional Bodies
Standards Organisations can be public or private organisations and are typically independent bodies which aim to assist with the standardisation of processes, policies and initiatives (Orviska, Nemec & Hudson 2014). These organisations, typically through consensus and discussion, help to establish uniform and de facto standards that interested parties can follow. Following agreed standards set by these organisations allows industry to head in a uniform direction to achieve a goal (Orviska, Nemec & Hudson 2014). In our case, standards can be used by healthcare organisations to better mitigate cyber threats.
Two well-known information technology standards organisations are the National Institute of Standards and Technology (NIST) and The SANS Institute (SANS). Starting with NIST, in response to the US government's Executive Order 13636, NIST was tasked with establishing a cyber security framework for critical infrastructure, which includes the healthcare sector. The framework was released in February 2014 and provides a clear direction for healthcare entities on the steps they need to take to mitigate vulnerabilities (Filkins 2014). In addition to this, the institute, in conjunction with its National Cybersecurity Center of Excellence, has recently embarked on a project aimed specifically at medical devices which invites healthcare entities and device manufacturers to participate in developing a practice guide for deploying and configuring devices on hospital networks, the overall goal of which is to
help health care providers secure their medical devices on an enterprise network, with
a specific focus on wireless infusion pumps. This use case begins the process to identify
the actors interacting with infusion pumps, define the interactions between the actors
and the system, perform a risk assessment, identify mitigating security technologies,
and provide an example implementation (O'Brien 2015 p. 2).
In a similar vein, SANS recently released a healthcare cybersecurity white paper written to assist healthcare organisations to identify and respond to threats. Specifically, the paper illustrates a 3-step process that entities can apply to their organisation to:
1. Understand what healthcare data is targeted
2. Understand where healthcare data is stored
3. Understand how healthcare data is secured
(Tarala & Tarala 2015, pp. 3-4).
In addition to providing governance advice, SANS has developed partnerships with government agencies such as the US Department of Health and Human Services, the US Department of Homeland Security, the National Security Agency and the Federal Bureau of Investigation, with whom they work collaboratively to share information regarding all aspects of information security. More recently, SANS, along with the different government agencies, has established annual information sharing workshops with the National Health Information Sharing & Analysis Center (NH-ISAC), the aim of which is to bring together 150 member firms sharing cyber security information exclusive to the healthcare industry (SANS 2015). The NH-ISAC was established in 2012 to 'advance health sector cybersecurity protection and enhance the ability to prepare and respond to threats and vulnerabilities' (NH-ISAC 2016). This nationally recognised information sharing centre is membership based, with its 150 members typically representing public and private healthcare institutions. Through this centre, members can share information on all aspects relating to cyber security. One seemingly useful initiative by the NH-ISAC is the hosting of annual Medical Device Security Workshops whose topics typically include
current threats in the medical device landscape, role of manufacturers, strategies to
maintain cybersecurity of medical devices, Medical Device Risk Assessment Platform
(MDRAP) and Medical Device Vulnerability Information Sharing Initiative (MDVISI) for
example (NH-ISAC 2016).
A seemingly common theme between NIST, SANS and the NH-ISAC is that they aim to increase general awareness of medical cyber threats through education and information sharing. This educational angle seems to be popular among other professional bodies; take for instance the California Medical Instrumentation Association, which has provided low-level educational opportunities at chapter meetings using industry experts and equipment manufacturers as guest speakers in an effort to raise awareness (Association Roundtable 2013). The same paper notes that both the Healthcare Technology Management Association of the Mid-West and the New England Society of Clinical Engineering use the same method of education with their own user groups.
The examples exhibited so far are US based, but international organisations also exist. Using
the Information Systems Audit and Control Association (ISACA) as an example, this
organisation is an independent not-for profit with a goal of encouraging the use of globally
accepted practices for information security. ISACA is also actively involved in the healthcare
sector, producing publications and journal articles on best practice approaches to
information security in healthcare networks. One particularly interesting piece of work by
ISACA is an article regarding controls of information flow and information monitoring in
healthcare networks. The article illustrates best practice concepts for high level holistic
information governance, including medical devices for healthcare entities (Patil 2013).
Another well-known international standards organisation is the International Organisation for Standardisation (ISO). ISO, jointly with the IEC, has developed a specific standard, IEC 80001, relating to medical devices that are incorporated in healthcare provider networks. This standard, along with the ISO 27000 series of general information security standards, is held in such high regard that the new FDA guidelines regarding cybersecurity and medical devices introduced earlier in this paper list them as recognised standards and recommend that healthcare organisations align their cyber capabilities with them (US Department of Health and Human Services, Food and Drug Administration 2013). This recognition of IEC 80001 and ISO 27000 as the de facto standards on medical device and cyber security seems to meet general consensus (Mankovich & Fitzgerald 2011; Cooper & Eagles 2011; Hampton 2014). Additionally, the National Cybersecurity Institute makes reference to the ISO standard in their recommendation for
Jay Holdsworth | LMIA | Master of Science (Cyber Security and Forensic Computing) 23
mitigating medical device vulnerabilities, interestingly however, they suggest that rather
than following the set standard, a hybrid approach is preferred because the established
standards often do not reflect clinical workflows which results in the framework not working
when introduced into clinical environments (Murphy 2015, p. 56).
Another key player in the arena of healthcare standards seems to be Health Level 7 International (HL7). HL7 was established in 1987 and is a not-for-profit accredited standards organisation dedicated to providing a framework specifically for the exchange, integration, sharing and retrieval of health information (HL7 2016a). HL7 seem to recognise ISO as the de facto leader, because they have taken steps to integrate their own standards with ISO standards. More specifically, however, the HL7 Version 2 and Version 3 messaging standard is the primary standard for data exchange in the healthcare industry; it allows for the exchange of health related data between different systems and devices, and is said to be the most widely deployed standard for healthcare in the world (HL7 2016b). Yuksel & Dogac (2011, p. 557) agree, noting that a wide range of clinical applications and devices, including electronic health records and devices such as insulin pumps and heart monitors, have been mapped to HL7 standards to allow them to share clinical data.
Clearly then, a lot of work has been done by the standards organisations, but other professional bodies also seem to have made an effort. Price Waterhouse Coopers (PWC), for example, have established a National Health Practice here in Australia which aims to assist healthcare facilities to develop strategies and policies. PWC often work with industry sectors to perform analysis and determine trends in the industry, which are then reported back to industry members. This helps industry members get a snapshot of not only the industry as a whole, but of how they each sit in comparison to their peers. An interesting piece of work that PWC undertake annually is the Global State of Information Security Survey for Healthcare; the most recent, undertaken in 2016, provided a good summary of the different cyber vulnerabilities and how different healthcare facilities were responding to those threats (PWC 2016).
KPMG, a similar entity to PWC, also seem to be active in the healthcare advisory space, providing guidance to federal and state government, not-for-profit and private healthcare entities on issues relating to eHealth, clinical systems implementation and business analysis (KPMG 2016). More specifically, relating to medical devices, KPMG undertook a piece of work in 2015 in conjunction with Forbes. In this work 55 executives in the global medical device industry were surveyed. The survey was designed to assess the priorities that medical device manufacturers have set in order to compete in future markets. Interestingly, the survey revealed that less than a quarter of the respondents reported improving device security through risk control as a strategic priority (Stirling & Shehata 2015, p. 6).
We can see then that Standards Organisations are contributing to the overall medical device vulnerability effort and that the Professional Bodies in particular have produced good informative material on the problem. However, it is in a practical sense that the Standards Organisations and associations have really contributed, offering particular guidance and frameworks around how to achieve best practice outcomes and educating members so that they are better informed about the problem and can make better mitigation decisions as a result. This educational and practical guidance approach seems to be popular among other associated parties, particularly in Academia.
2.3.5 Academia
Initial findings indicate that academia has in fact made a lot of effort regarding medical device vulnerabilities; Finnegan, McCaffery & Coleman (2013), Knackmuß, Pommerien, Creutzburg & Moller (2015), Camara, Peris-Lopez & Tapiador (2015) and Darij & Trivedi (2014) are just a few examples. The medical device vulnerability literature relating to academia covered a lot of different areas, ranging from the development of new frameworks to new secure technical designs to vulnerability classification systems and taxonomies. Due to this, each area will be covered separately and arranged into groups to help this paper flow more logically.
2.3.6 Frameworks
The first area this section will introduce is that of frameworks. Frameworks seem to be a popular mechanism in academia for illustrating how a concept or method can be applied in order to achieve a certain goal. Certainly, in terms of this literature review, a number of different conceptual frameworks for securing medical devices or mitigating device vulnerabilities were present in the data search results. Starting with Finnegan, McCaffery and Coleman (2013), this piece of work introduces a framework which aims to help both healthcare organisations and medical device manufacturers establish some level of security assurance for medical devices. The approach taken by this work was to begin with a set of already established process models, in this case ISO/IEC 15026-4, ISO/IEC 15504-6 and ISO/IEC 15504-2, all of which relate to software process improvement and system life cycle processes, and then to enhance these to address any gaps identified. The end result of this work is a combination of 'an array of international standards, guidance documents and processes to create a step by step process for Medical Device Manufacturers' (Finnegan, McCaffery and Coleman 2013, p. 321) which can be followed during the development phase of a medical device, to better reduce the risk of vulnerabilities present in the device.
Just as frameworks help give some guidance towards achieving a particular outcome, so too do taxonomies and classifications.
2.3.7 Taxonomies/ Classifications
In the Camara, Peris-Lopez and Tapiador (2015) example, a comprehensive survey was undertaken of the available literature in which the security and privacy of implantable medical devices were discussed. The survey aimed to show the most relevant suggestions to address the security and privacy challenges, analysing the suitability, advantages and disadvantages of each approach, and ultimately to determine the best method out of those reviewed (Camara, Peris-Lopez and Tapiador 2015, p. 273). After reviewing the surveyed literature, 4 different classification systems were presented which summarised the findings across the literature: Table 1 showed the STRIDE category system of 6 attack types (Camara, Peris-Lopez and Tapiador 2015, p. 277), Figure 4 showed a classification of attacker types (Camara, Peris-Lopez and Tapiador 2015, p. 278), Figure 5 illustrated the different proposed protection mechanisms (Camara, Peris-Lopez and Tapiador 2015, p. 280) and finally, Table 2 showed a classification system of different security solutions for implantable medical devices (Camara, Peris-Lopez and Tapiador 2015, p. 286). Interestingly, this paper concluded that even after the review, it was still unclear what the best proposed approach was to tackling the medical device cyber security problem, due essentially to differing viewpoints by the different parties involved.
A second example of a similar approach is the work by Vasserman et al. (2011), in which an implantable medical device failure model is proposed. This failure model is designed to illustrate how a medical device might fail when attacked. The work details 5 different kinds of attacks relating to implantable medical devices along with 4 different types of device failure modes. These 2 metrics are then blended together to form an attack consequences model in Figure 1 (Vasserman et al. 2011, p. 72). The outcome of this is that the 4 failure modes can be mapped to each, or a combination, of the different attack types. This is a particularly interesting piece of work because, by using the attack consequences model, a healthcare facility could predict the outcome of an attack type and therefore put the appropriate mitigation controls in place. The conclusions of this work suggest that the current FDA categorisation system relating to medical devices is insufficient, using the example of a class 3 device being plugged into a hospital data network and suggesting that this action then effectively makes the hospital network a class 3 device under the current FDA classification system. To improve on this, the work suggests a revised FDA classification scheme adding 1 new device class (Vasserman et al. 2011, p. 72).
Finally, in a third example, in 2015 a medical device security classification system was proposed which is designed to classify medical devices according to whether they have the ability to process or communicate sensitive safety critical information. In this classification system, 4 levels of security are described, along with a description of each security level and an example of the device (Sametinger et al. 2015).
A number of studies focussing on data obtained from the FDA databases were present in the data search results (Magrabi et al. 2011; Myers, Jones and Sittig 2011; Kramer et al. 2012), for example. In each of these studies, data from the FDA's Manufacturer and User Facility Device Experience (MAUDE) database was gathered and the results investigated. The Magrabi et al. work involved a search of approximately 900,000 reports, with 1,100 of those relating to medical devices (Magrabi et al. 2011, p. 853). According to the authors, some manufacturers have listed their devices due to patient safety events, citing such examples as infusion pumps and pacemakers. In this work the authors focus on the types of consequences that were reported in MAUDE when a medical device failed. In this case, a classification system of 4 problem types is introduced, including the number of times each problem was reported and the overall percentage of the total reports that each problem accounts for (Magrabi et al. 2011, p. 854).
In a similar study by Myers, Jones and Sittig (2011, p. 63) on the same MAUDE database, 121 unique reports relating to 32 device manufacturers were found. In this study the authors focus on the different causes of each event that led to a device malfunction. Again, as per the Magrabi et al. (2011) study, a classification system is presented; however, in this case it illustrates the different cause types, along with a brief explanation of each type (Myers, Jones and Sittig 2011, p. 71).
Finally, a third review, conducted by Kramer et al. (2012), looked at the number of recalls that had been issued on medical devices according to the MAUDE database. In this review, a number of classification tables are shown: Table 1 illustrates the overall characteristics of the reports by device type (Kramer et al. 2012, p. 3), while Table 2 shows reports relating to either device security or security of data on the device (Kramer et al. 2012, p. 5).
These 3 examples are particularly useful in that they allow healthcare organisations to potentially assess the number of reported incidents relating to a specific device before introducing that device into service.
The examples exhibited so far in this group have been classification based; however, taxonomy focussed literature does exist. Hansen and Hansen (2010) introduce a taxonomy of vulnerabilities relating to implantable medical devices in their work. In this work the specific focus is on the design of countermeasures that could be applied to better improve the security of implantable medical devices. The aim of the taxonomy is to show the areas in which the countermeasures should be applied (Hansen and Hansen 2012, p. 13). A vulnerability category is firstly presented, which is followed by the potential adverse events related to specific devices. The potential adverse events and devices are then mapped to the vulnerability categories. Following this, the authors describe in detail the various countermeasures that can be applied to each of the vulnerability categories in order to mitigate the adverse effect of a device incident (Hansen and Hansen 2012, pp. 17-18).
In a second taxonomy dataset, Kotz (2011) exhibits a threat taxonomy for mobile health (mhealth) privacy. This work specifically investigates mhealth, but medical devices are included in the form of mobile devices. In his taxonomy, Kotz displays a threat matrix which considers 3 types of adversary (patients, insiders such as staff and medical practitioners, and outsiders), organised by threat type, whether these be identity threats, access threats or disclosure threats (Kotz 2011, p. 3).
Providing an overview of attack types relating to medical devices seems to be a common trend in academia, because Darij and Trivedi (2014) take a similar approach to illustrate different types of possible attacks. Their work focuses on attacks specific to devices capable of transmitting data via wireless; nonetheless, a condensed list of attack types is provided (Darij and Trivedi 2014, p. 355).
In the examples shown, some authors such as Kotz (2011) suggest that, because of various factors, the studies conducted are not necessarily comprehensive and may not show the whole picture; however, tools such as his threat matrix and other taxonomies are useful to healthcare organisations because, like the category tools in the previous section, they provide the potential to assess risks associated with medical devices on their networks.
2.3.8 Case Studies
Another popular approach found in the resulting literature was the demonstration of vulnerabilities by way of case study. In the Knackmuß, Moller, Pommerien & Creutzburg (2015) paper, for example, a simulated attack was carried out on an infusion syringe pump with the aim of accessing any sensitive data contained on the device. The researchers carried out a 4 step attack process consisting of packet sniffing, port scanning, brute force hacking and analysis of web server vulnerabilities associated with the device, with detail about how this was achieved. Following this, the researchers present a summary of measures that can be taken to defend against the type of attacks carried out during the simulation, measures such as strong encryption, alert mechanisms and a range of security policies (Knackmuß, Moller, Pommerien & Creutzburg 2015, p. 5).
In earlier work also involving an insulin infusion syringe pump, Jerome Radcliffe presented findings at the 2011 Black Hat Technical Security Conference which demonstrated how he was able to hack into his own insulin pump and effectively alter the device to give false readings and provide incorrect insulin doses (Peck 2011). Insulin pumps in particular do seem to have been an area of focussed effort in the academic space, because later in the same year Paul, Kohno and Klonoff (2011) released a piece of work which reviewed more holistically the security of insulin pump infusion systems. In this work, the authors note that in 2010 they had already identified a separate vulnerability relating to specific insulin pump types which was not related to the vulnerabilities discovered by Radcliffe and, as a result, wanted to better understand other vulnerabilities associated with insulin pump designs (Paul, Kohno and Klonoff 2011, p. 1558). As a result of the review, the authors exhibit a matrix of insulin pump key security properties, along with a list of mitigation controls (Paul, Kohno and Klonoff 2011, pp. 1559-1561).
A similar approach to the previous example was undertaken by Hanna et al. (2011), in which the application layer of a popular automated defibrillator was assessed in order to determine any vulnerabilities. This work specifically focuses on software and associated software design techniques. In this work, 4 vulnerabilities are illustrated, along with the resulting potential impact of exploiting these vulnerabilities. The last section of the paper provides general guidance around how the exposed vulnerabilities could be mitigated.
2.3.9 Designs
To avoid the list in this group becoming overly cumbersome, this is a broad category group which shows a range of different examples across many facets, examples which include new system designs, mechanisms, protocols etc., and is essentially a catch-all group for examples that do not fit logically into any of the previous groups.
Darij and Trivedi (2014) present a paper which proposes a new mechanism for securing communications between certain medical devices. In this work, the authors focus on specific attack types such as man in the middle, replay and message injection attacks and, as such, propose a new security design which mitigates these specific attacks. The design illustrated in the work is essentially an authentication mechanism which utilises localisation information in order to remain secure. Essentially, the authors propose that by making an assessment of information such as distance, attenuation, obstacles and interference, a proxy system could generate a unique authentication value based on these parameters which would be difficult for an attacker to spoof, therefore validating the authenticity of communicating devices (Darij and Trivedi 2014, p. 357).
We saw in the example by Hanna et al. (2011) that the software of a medical device was tested. The literature did reveal a number of articles which focussed on the software layer of a medical device, or software itself as a medical device, and the associated vulnerabilities. The work by Thompson (2011) is another such example. Rather than attempt to break the software, this work suggests a best practice approach to the development of medical device software. Indeed, the work identified that, practically, the regulation covering medical device software in the US (21 CFR 820) only outlines good manufacturing practices that govern software development but does not provide good solid guidance or examples on how to apply these practices (Thompson 2011, p. 2). The author attempts to fill this gap by illustrating best practice approaches which should be applied.
Software vulnerabilities in medical devices seem to be well studied in the literature (Allen 2014; Thibault 2015; Anderson 2014; Fu 2011); this is not surprising given that more than 50% of deployed medical devices use software (Allen 2014, p. 11). Taking a well known device as an example, the Philips OB TraceVue System allows web access to the system to permit remote monitoring of any patients connected to it (Koninklijke Philips Electronics 2006, p. 7), and vulnerabilities associated with web applications have been well documented (Prokhorenko, Choo & Ashman 2015), so it makes sense that web application vulnerabilities have received so much attention.
The idea that individual components of a medical device, in this case software, can contribute to overall vulnerabilities is an interesting thought and seems to meet some consensus in the literature. Indeed, Williams and Woodward (2015) published a fairly comprehensive study on all the different factors that contribute to cyber security vulnerabilities. In this work, the authors provided an in-depth summary of the factors, which included technical, managerial and human elements, and discussed measures which could be taken to address each element (Williams & Woodward 2015, pp. 311-314). This paper concluded that in order for medical device vulnerabilities to be effectively mitigated, contributing factors need to be addressed holistically, and that this is only likely if the involved parties, medical device manufacturers, clinicians, healthcare facilities, legal bodies and cyber security experts, all collaborate and work more closely together (Williams & Woodward 2015, p. 314).
2.4 Findings
In this review, we investigated the level of effort that 5 specific associated parties had invested in tackling the medical device cyber security problem. The 5 associated parties in this case were Authority, Device Manufacturers, Healthcare Facilities, Standards Organisations (including Professional Bodies and Associations) and Academia. The first stage of the search revealed a total of 87 articles of interest in the initial search results. Of these 87 articles, 55 successfully qualified after further analysis and were therefore included in the review. The remaining 32 were discarded as they failed to meet the qualification criteria and were therefore not included in the review.
2.4.1 Research Trends
Analysis of the 55 articles across the research found that the number of articles relating to a
particular effort changed throughout the six-year period – see Figure 1.
Figure 1: Research trends in the last 5 years
Based on this analysis, it is fairly clear that in the years prior to the recommendations made by the FDA and the TGA in 2013, academic articles were most prominent in the literature. This could suggest that Academia was certainly aware of the medical device vulnerability problem much earlier than the other associated parties. We see the biggest change to this trend in 2013, when articles relating to Device Manufacturers and Standards Organisations appeared the most often. This change is interesting as it occurs in the same year that the FDA recommendations regarding cyber security were made, perhaps causing this surge in effort by Device Manufacturers and Standards Organisations. As we head closer to 2016, we can see that the number of articles by Standards Organisations stays fairly constant; however, the years 2014 and 2015 see the largest change in articles relating to Healthcare Facilities. This spike could perhaps be explained by the publication of the results of the SANS Health Care Cyberthreat Report in 2014, which might have scared the healthcare facilities into taking action and contributing more effort.
2.3.2 Effort Trends
If we look at the effort trends as a whole, of the 55 articles reviewed there were 10 instances of effort by Authorities, 5 instances of effort by Device Manufacturers, 8 instances of effort by Healthcare Facilities, 15 instances by Standards Organisations (including professional bodies and associations) and 17 instances of effort by Academia. In order to calculate the level of effort that each associated party has contributed to tackling the medical device cyber security problem, the number of instances that appear for each associated party was counted. This tally was then expressed as a percentage of the total 55 articles. For instance, using Authorities as an example, the analysis reveals 10 instances, equating to 18.18% of the total 55 instances. The level of contribution by Authorities in this case is then 18.18%. Table 1 shows the calculation of results across all 5 associated parties.
Table 1: Percentage of Contributed Effort by Associated Party
Associated Party | Authority | Manufacturer | Healthcare Facility | Standards Orgs | Academia | Total
No. Articles     | 10        | 5            | 8                   | 15             | 17       | 55
% of Effort      | 18.18%    | 9.09%        | 14.54%              | 27.27%         | 30.90%   | 100.00%
We can see from Table 1 that, according to the reviewed literature, device manufacturers are the worst performers, contributing only 9.09% of total effort. This level was fairly close to the contribution made by healthcare facilities, who show a slight improvement at 14.54%. Academia seems to be the best performer according to the reviewed literature, showing an effort contribution of 30.90%, with standards organisations (including professional bodies and associations) coming a close second, contributing 27.27% of the effort.
It appears that less than half of the effort, a combined 41.81%, is contributed by device manufacturers, healthcare facilities and Authorities. This is an interesting observation because these are the entities that, in practical terms, could be considered the parties that have the most to lose in the event of a cyber security incident. Indeed, data breaches occurring in healthcare networks cost the medical device industry and regulators more than US$6 million annually (AHC Media 2011). The reviewed literature does give us some clues as to why the effort contribution for these entities appears to be so low, and these clues can be split into two general themes.
Theme 1: Insufficient time frames
The new cyber security recommendations introduced by Authorities (e.g. FDA and TGA) in 2013 were made only a couple of years ago, arguably not long enough for these entities to introduce the recommendations into their processes. In fact, the examples of device vulnerabilities exhibited in this review were prior to the 2013 recommendations. It could be suggested that, should this same review be conducted again a couple of years into the future, the effort count contributed by these entities might increase, as they would have had more time to introduce the cyber security recommendations into their processes.
Theme 2: Lack of visibility
Although there were 3 different studies relating to product recalls and reported adverse events, there seemed to be some confusion over the exact number of incidents reported relating to medical device vulnerabilities. Both the FDA and the TGA reported no patient injuries or deaths relating to these vulnerabilities, and that they did not have clear evidence of any active attacks having taken place. Perhaps reports such as these by the Authorities are providing the healthcare facilities and device manufacturers with a false sense of security that their devices and networks are in fact safe and free of vulnerabilities. The literature did illustrate that mandatory reporting requirements are unclear and that no financial or legal penalties were apparent; this, in conjunction with assurances from the Authorities, certainly inhibits the capacity for manufacturers and healthcare facilities to tackle the vulnerability issues effectively.
Clearer visibility into the efforts contributed by all associated parties could assist with this
problem of clarity. Providing a tool which helps the associated parties view the effort gaps
might allow them to collaborate more closely to focus on the areas which need more
attention. The Medical Device Vulnerability Effort Gap Assessment (MDV-MEGA) Toolset
proposed in this paper aims to be that tool.
2.3.3 MDV-MEGA
The MDV-MEGA toolset is effectively an effort gap analysis matrix designed to show apparent gaps in effort in a particular application, in this case medical device vulnerabilities and the 5 associated parties. The MDV-MEGA for this study is presented in Figure 2.
Figure 2 in this case presents a matrix of each effort. The first column describes the effort,
column 2 shows the article in which the effort appears, the remaining columns show the
associated party type, namely: Authority, Device Manufacturer, Healthcare Facility,
Standards Organisation (including professional bodies and Associations) and Academia.
It is anticipated that conducting a similar study such as this review on a regular cycle, say
once every 12 months, correlating the results in the same format as this matrix, and
presenting the results to the associated parties, will provide the parties the visibility with
which to work together to concentrate on the areas of least effort.
Description | Literature | AU MF HF SO AC
FDA introduces classification scheme and definition for medical devices in 1976 | Jarow & Baxley 2015 | X
FDA introduces new recommendations for medical device manufacturers | US Department of Health and Human Services 2013, Anonymous 2013 | X
TGA releases new recommendation advising manufacturers and asset owners to perform risk assessments | Australian Government, 2015 | X
European Union regulations regarding cyber vulnerability considerations in software development life cycles | Vollebregt 2015 | X
European Union legislation directive 93/42 EEC mandates risk minimisation through design | Neuhaus, Polze & Chowdurry, 2011 | X
American Hospital Association | Anonymous, 2014 | X
US Senator Boxer writes to top 5 device manufacturers urging them to take action on cybersecurity | Boxer, 2016 | X
Cybersecurity incident not listed as an example of an adverse event by TGA | Australian Government, 2015 | X
Unclear financial or legal penalties associated with failure to report adverse event caused by cyber incident | Weavey, 2016 | X
Philips report use of well developed cybersecurity framework when developing medical devices | Hsu & Marinucci, 2013 | X
Philips framework reportedly 25 years old and not sufficient for cybersecurity | Hsu & Marinucci, 2013 | X
Assessment of protocols used in wireless body networks by Philips | Patel & Wang, 2011 | X
Medical Device Privacy Consortium met to establish and propose risk analysis framework | Medical Device Privacy Consortium, 2013 | X
Philips add their devices to MDS2 database and publish known vulnerabilities associated with their products | Koninklijke Philips, 2016 | X
Methodist Hospital of Southern California introduces 3 step integrated systems management program for medical devices | Coronado & Wong, 2014 | X
Essentia conducts 2 year assessment program of in-house security measures and publishes findings relating to vulnerabilities | Semples, 2014 | X
Sydney North Shore conducts risk assessment of building management system and upgraded the software in response to exposures found | Mackay et al. 2013 | X
Sentara Healthcare reviewed corporate and clinical networks with a view to finding and mitigating vulnerabilities | Cisco, 2012 | X
American Hospital Association reports that 90% of 40% of US hospitals have taken measures to improve cybersecurity resilience | AHA, 2015 | X
Franciscan Alliance Healthcare introduces policies to mandate that vendors demonstrate security of their devices during contract negotiations to purchase the device | Taylor, 2015 | X
Solent and Plymouth NHS trusts implemented information governance improvement programs | Mathieson, 2015 | X
Solent NHS trust introduces organisation-wide information governance training | Mathieson, 2015 | X
US government signs Executive Order 13636 improving critical infrastructure cyber security, which includes healthcare facilities | NIST, 2013 | X
NIST releases cyber security framework in response to Executive Order 13636 | NIST, 2013 | X
NIST and Cybersecurity Centre of Excellence develop practice guide for deploying and configuring medical devices on hospital networks | O'Brein, 2015 | X
SANS releases healthcare security whitepaper to help healthcare organisations identify and respond to threats | SANS, 2015 | X
SANS and government agencies establish annual cyber security information sharing workshops under the National Health Information Sharing & Analysis Centre (NI-ISAC) | SANS, 2015 | X
NI-ISAC hosts a specific medical device security annual workshop | NI-ISAC, 2016 | X
California Medical Instrumentation Association provides low-level educational sessions to improve medical device cyber security awareness | Association Roundtable, 2013 | X
Healthcare Technology Management Association of the Mid-West run cyber awareness sessions for their members | Association Roundtable, 2013 | X
New England Society of Clinical Engineering educate chapter members in cyber security awareness | Association Roundtable, 2013 | X
ISACA publishes best practice governance controls for information flow and monitoring in healthcare networks and medical devices | Patil, 2013 | X
ISO develops IEC 80001 relating to medical devices incorporated into healthcare networks | ISO 2016 | X
FDA suggests organisations follow the ISO 80001 standards in the 2013 recommendation | US Department of Health and Human Services 2013 | X
National Cyber Security Institute makes reference to the ISO standards in their recommendation for improving medical device security | Murphy, 2015 | X
HL7 established in 1987, providing framework for the sharing and transmission of health information | HL7, 2016 | X
Price Waterhouse Coopers Australia National Health Practice publishes annual Global State of Information Security in the healthcare sector | PWC, 2016 | X
KPMG and Forbes release results of global healthcare executive survey showing that less than a quarter of medical device manufacturers are prioritising cyber security as a strategic priority | Stirling & Shehata, 2015 | X
Finnegan, McCaffery & Coleman publish a framework for establishing security assurance of medical devices in healthcare networks | Finnegan, McCaffery & Coleman, 2013 | X
Camara, Peris-Lopez & Tapiador publish a 4 step classification on the results of a large scale survey to determine the best approach for mitigating medical device security | Camara, Peris-Lopez & Tapiador | X
Implantable medical device failure model is proposed to illustrate how a device might fail if attacked. Vasseman et al., 2012 x
Medical device security classification scheme proposed Sametinger et al. 2015 xClassification system of problem types and consequences associated with medical device vulnerabilites from MAUDE Magrabi et al., 2011 x
Classification system of medical device vulnerability cause types from MAUDE Myers, Jones & Sitti g, 2011 xClassification system of medical device recalls due to problems with security of the device of data on the device Kramer et al., 2011 xTaxonomy of vulnerabilities associated with implantable medical devices and countermeasures is published Hansen & Hansen, 2010 x
Threat taxonomy for mobile health devices including attack and threat types is published Kotz, 2011 x
Darij & Trivedi publish a list of attack types specifically on wireless medical devices Darij & Trivedi, 2014 xsimulated attack carried out on infusion syringe pump, results were published along with suggested mitigation techniques Knackmus et al., 2015 x
Demonstrated hack on insulin pump Peck, 2011 xHolistic review on insulin pump security results published as matrix of insulin pump security properties and mitigation controls Paul, Kohno & Klonoff, 2011 xExploit of application layer of popular defibrillator was demonstrated, potential impact of hacks and mitigation controls were published Hanna et al., 2011 xProposal for new secure communications mechanism using localisation data for medical devices published Darij & Trivedi, 2014 x
Best practice approach to medical device software development is proposed Thompson, 2011 xComprehensive study undertaken to assess the factors which contribute to medical device cyber vulnerabilities Williams & Woodward, 2015 x
Total Occurences 55 10 5 8 15 17
Figure 2: MDV-MEGA Toolset
Jay Holdsworth | LMIA | Master of Science (Cyber Security and Forensic Computing) 38
Chapter 3
3. Survey & Questionnaire
While the literature review illustrated the level of effort contributed by the five associated
parties, it did not explore why the level of effort in two of the parties was low. This section
continues the research by focusing on one of the lower scoring associated parties, in this
case Healthcare Facilities. More specifically, this chapter presents an explorative case study
based on Australian healthcare facilities, aiming to identify the factors which explain why the
effort contributions made by healthcare facilities regarding medical device vulnerabilities
are low. The results of the survey are used to assess the maturity of each facility's cyber
governance framework, a key metric in combatting the medical device cybersecurity
problem as identified by Lewis, Orbinati & Paladino (2014).
In this chapter, each facility is surveyed via questionnaire and then interviewed to better
explore the factors which influence its ability to mitigate medical device cybersecurity
vulnerabilities. Each respondent is then scored on their answers to determine the overall
level of cyber governance maturity of the facility.
For the purpose of this study, the healthcare facilities chosen are private hospital entities.
The reason for this is twofold. Firstly, Australia's healthcare system is very complex and can
be described as
…a multi-faceted web of public and private providers, settings, participants and
supporting mechanisms. Health providers include medical practitioners, nurses,
allied and other health professionals, hospitals, clinics and government and non-
government agencies. These providers deliver a plethora of services across many
levels, from public health and preventive services in the community, to primary
health care, emergency health services, hospital-based treatment, and
rehabilitation and palliative care. (Australian Government, 2014a)
Therefore, choosing to focus only on private hospital facilities simplifies the scope of the
research. Secondly, private hospitals account for two out of three hospitalisations involving
elective surgery in Australia, and of the 9.3 million hospitalisations in 2012, 3.7 million (40%)
were in private hospitals (Australian Government, 2014). The Australian Government (2014)
also noted that private hospital entities are the fastest growing hospital sector in Australia,
with an annual growth rate of some 4.6% versus 3.8% for public facilities. This being the
case, private hospitals are considered an appropriate and valid representation of the current
state of play regarding medical device vulnerability mitigation effort contributions and
therefore suitable as case studies in this research.
The first section of this chapter presents the methodology of the survey and its design,
including an explanation and justification of each survey question. The following sections
present the results of the responses to the survey questions, together with the narration and
discussion of the findings, including an analysis of general trends.
3.1 Methodology
Bryson, Turgeon & Choi (2012, p. 736) define a survey as 'an investigation about the
characteristics of a given population by means of collecting data from a sample of that
population' and suggest that surveys are a good analytical technique for the purpose of
answering a specific question. This analytical approach worked well in other works, such as
that by Jahanbakhsh, Sharifi & Ayat (2014), in which a case study exhibited the status of
information systems in Iranian hospitals. There is some evidence that helps to explain why
the case study method in particular may have been favoured by those researchers. Dubé &
Paré (2003, p. 598), for example, suggest that case studies are particularly useful when 'a
phenomenon is broad and complex and a holistic in-depth investigation is needed'. The
approach by Jahanbakhsh, Sharifi & Ayat is therefore directly transferable to this study, and
it is their approach which essentially sets the framework for the methodology used
throughout. That said, a number of specific techniques used in this study drew inspiration
from other works, namely those by Adamson et al. (2004) and Michaelidou & Dibb (2006).
Adamson et al. (2004) describe a method of using questionnaires and interviews for
gathering qualitative and quantitative data specifically in healthcare settings, while
Michaelidou & Dibb (2006) detail good practice when using email based questionnaires.
This being the case, this work sets out to be an explorative case study utilising two specific
data collection techniques: an email based questionnaire and a follow up virtual face to face
(Skype) or telephone interview. This explorative case study approach, using both qualitative
and quantitative methods, allows us to obtain a holistic understanding of the efforts made by
healthcare facilities to mitigate cybersecurity vulnerabilities associated with medical devices
(Adamson et al. 2004, p. 139).
3.1.1 Sample
Choosing an appropriate target on which to conduct the study is an important first step in a
survey and case study based approach (Suresh, Thomas & Suresh 2011, p. 287); therefore,
at least one private hospital facility in each state and territory of Australia was targeted for
this study. The advantage of targeting a respondent from each state and territory is that the
results are likely to be a better representation of Australia as a whole than samples taken
only from the eastern seaboard, for example. Suresh, Thomas & Suresh (2011, p. 287) also
suggest that the sample must be chosen in such a way as to focus specifically on the research
question, and as this study focuses on cybersecurity it was appropriate to target respondents
with knowledge of the technical aspects of cybersecurity, such as information technology
staff, rather than clinical or non-technical staff. The respondents chosen for this study were
therefore ICT managers, ICT executives, network administrators or similar technical staff
within each facility.
3.1.2 Facilities
Australian private hospital facilities tend to be very diverse in terms of size, type of services
offered and patient demographic (Australian Government 2014b); as such, in order to obtain
the most accurate representation of mitigation effort in the private sector, the facilities
targeted for this study are not overly specific. The facilities have between 40 and 1500
patient beds, representing small through to large private facilities, and include community
focussed, not for profit entities as well as corporate for profit entities. Each hospital is known
for particular specialities in the area in which it serves, and each facility services a different
demographic of patient. To ensure anonymity, the case studies are assigned a letter, for
example Hospital A, Hospital B, Hospital C etc.
3.1.3 Respondents
The survey sought just one respondent from each target facility, for two reasons. Firstly,
each facility was relatively small, with a small internal ICT team typically stewarded by a
single manager or executive, so the potential target pool was small. Secondly, given the
limited resources and time constraints around this research, the researchers wanted to
avoid a situation whereby differing viewpoints and answers were submitted by different
respondents from the same facility. Had this happened, the researchers would have had to
conduct a second and possibly third round of interviews in order to consolidate the different
viewpoints into a single representative viewpoint, which was not considered an efficient use
of the research effort. For consistency, each respondent is assigned the same anonymiser
letter as the hospital; therefore, the respondent from Hospital A is referred to as
Respondent A.
3.1.4 Data Collection
The collection of data for this research was conducted in two rounds. Firstly, a web based
questionnaire consisting of 11 questions was distributed to each respondent; the scored
answers to the questionnaire provide the quantitative element of this study. Secondly, a
short 15-minute interview was conducted with each respondent after the questionnaire, to
explore their submitted answers in more detail; this provides the qualitative element.
The questionnaire was developed based on methods by Foddy (1993) and Schuman &
Presser (1981), in that each question was specifically designed towards the type of answer
being sought and in a way which allows the recipient to explain and expand on an answer.
To avoid bare YES/NO answers, the survey questions include a helper description for each
question to give the reader the context of the question. Question 3, listed as an example
below, demonstrates this.
Question: Do you have formal information security frameworks in place within your
organisation?
Help: Please describe what you currently have in place regarding information security
governance, for example: policies, procedures, standards certification etc.
In this format, the respondent is guided by the help text as to what information the
researchers are trying to gain from the question.
In addition, while the survey questions are presented as a single set, they are actually a
combination of two question groups. Question group 1, numbered 1 through 6, is a set of
questions which aims to explore the level of cyber governance maturity in each
organisation, and the second group, numbered 7 through 11, is designed to explore each
facility's level of knowledge and understanding of various factors such as the risks posed by
medical devices and the recommendations made by the TGA. The complete set of questions
can be found in Figure 3.
The survey was delivered electronically using the web based survey tool LimeSurvey. This
method provides many advantages, such as cost effectiveness, because the survey is
effectively free to the researcher as it is provided by the University for use in research, and
ease of distribution, as a URL to the survey can be published allowing the respondent to
access the survey from any location with Internet access. Alreck & Settle (2004) note that
this approach not only helps to facilitate a good level of response by making access to the
survey convenient for the respondent, but also eliminates costs to the researcher such as
postage and packaging associated with distributing surveys using more traditional paper
based methods.
Figure 3: Survey Questions
3.1.5 Interview Design & Administration
Polkinghorne (2005) notes that an interview conducted in order to answer a research
question is one of the most popular methods of collecting qualitative research data, and this
view seems to meet with general consensus (Myers & Newman 2007; Talja 1999). Further,
evidence suggests that interviews are generally regarded as a source of credible data and
add persuasive strength to a given study (Schultze & Avital 2011). This being the case, it
makes sense to utilise the interview method for this piece of research.
The interview for this study was conducted either via telephone or via Skype. Skype was the
preferred method as it helps to establish rapport with the respondent, which results in
better quality, more in-depth answers and a better response rate (Michaelidou & Dibb
2006). Skype retains the advantages of traditional face to face interview techniques, such as
more open and spontaneous answers by the interviewee, without the cost overheads
associated with travel (Opdenakker 2006). According to the same author, the telephone
interview technique still retains the advantages relating to travel cost and geographical
access; however, it does not offer the same level of spontaneity for the interviewee. As a
result, in this study the telephone technique was used only as a secondary method when
Skype was unsuitable.
3.1.6 Response Scoring
For the purpose of scoring, each question in the survey becomes an assessment type and
each hospital is scored against each assessment type based on its answers to the two
question groups. For example, if the hospital demonstrates that it does have formal
information security frameworks in place, this is marked as a score of 1 against the
assessment type "Formal Frameworks". Conversely, if the organisation does not have formal
frameworks in place, the score against this assessment type is zero.
Each question in the question groups carries a score of 1. The first question group,
measuring the facility's cyber security maturity, carries a total of 6 points. The second
question group, designed to measure the level of medical device vulnerability awareness,
carries a total of 5 points. The overall cyber security maturity level of each hospital is
determined by combining the scores from the two question groups. The maximum score a
facility can obtain is therefore 11, the sum of the scores for every question in both groups:
Level of maturity (LOM) = Initial maturity score (IMS) + Medical Device awareness
score (MDAS)
LOM = IMS + MDAS
The hospital with the highest LOM is said to have the most mature cyber governance
framework in place and should, in theory, be the most responsive in terms of mitigating
medical device vulnerabilities. The scoring matrix used for both sets of questions can be
found in Figure 4.
Figure 4: Maturity Assessment Matrix
3.2 Results
3.2.1 Hospital A: South Australia
In terms of number of beds, this hospital was the second smallest in the survey, with a total
of 75 beds. While this hospital is mostly recognised for its maternity and obstetrics work, it
offers a varied selection of services to the wider South Australian community. This case
study is one of three registered not for profit entities in the survey.
In terms of the overall responses, this hospital seemed to be making a fair amount of effort
to bring its information security posture to a state of maturity. The respondent advised that
ICT governance has recently been given strategic priority within the organisation and that
key policies and procedures relating to information security are currently being developed.
Expanding on this response during the interview, it became clear that the recent
employment of the respondent came about because of the results of a recent independent
information security review that the hospital voluntarily undertook. The hospital had
realised that it needed to get up to speed with its information security governance and shift
from a tactical to a more strategic approach to ICT. Interestingly, this organisation now
publishes key ICT achievements in its Annual Review publications alongside its overall
organisational strategic goals.
The current cyber security challenge reported by this respondent was that shared logon
accounts are in use in some applications throughout the hospital, which makes it difficult to
ensure that only appropriate users are accessing sensitive information and prevents audit
log entries from being attributed to an individual. Plans are in place to phase out these
accounts and to provide each user with an individual login account. The new information
security policy, which is still under development, makes users responsible for actions that
happen under their logon accounts.
It was noted that in some instances there was confusion around ownership of some medical
device assets. A specific example provided in the second phase interview was the patient
monitoring system in the hospital's high dependency ward. This system does not integrate
with the rest of the hospital network; however, it contains components managed by several
parties. The monitors themselves are managed by the facilities manager, who subcontracts
this work to the biomedical engineering department, while the network switching
equipment that the monitors are plugged into is configured and managed by the ICT
department with assistance from the patient monitor vendor. This situation has caused
delays in the past when the system has faulted, as each party was unsure of its
responsibilities. The same confusion has also led to ongoing maintenance and warranty
contracts expiring and not being renewed.
When asked to expand on the response regarding the capability to detect and respond to
intrusions and malware infections, Hospital A noted that while network perimeter defence
hardware with inbuilt intrusion prevention software was deployed, the logs generated by
the device were not regularly reviewed. The hospital was confident, however, that the
central reporting offered by the deployed antivirus solution would alert them to a malware
outbreak, as it had done in the past, allowing the hospital to control the spread of the
infection.
Hospital A did show some knowledge of the potential for cybersecurity vulnerabilities
associated with medical devices, particularly at the operating system layer for those devices
still running end of life operating systems such as Microsoft Windows XP, as it had taken
some measures to restrict and isolate these devices by way of VLANs and access control
lists when integrating them with the hospital network. The respondent explained, however,
that this was not done because of known specific vulnerabilities, but rather because of the
unknowns. Indeed, the hospital does not have a lot of visibility into the configuration of
medical devices, given that they are typically installed and configured by the manufacturer
or vendor, so it takes a 'better safe than sorry' approach and isolates the devices from the
rest of the network. When questioned about data storage on medical devices, Hospital A
reported that, as far as it was aware, only certain elements of patient data were stored on
medical devices. An example relating to imaging devices in theatre was provided, where
images of a patient are taken during a procedure, printed off, annotated and stored with the
physical patient record. The respondent was unable to clarify whether the electronic data
captured during the procedure was deleted from the device once the record was printed or
whether the data remained on the device. It seems that the records in this case are managed
by the theatre coordinator and clinical staff rather than the ICT department.
This facility reported that it was not aware of any recommendations made by the TGA
regarding medical device cyber security.
When questioned about the procurement process for medical devices, Hospital A reported
that purchasing decisions were always handled by the clinical departments and that ICT
involvement usually came fairly late in the process, typically only at the time of installation
and integration. During the interview, the respondent expanded on this and provided a
specific example where two new high dependency patient monitoring devices which relied
on wireless communications were purchased by the clinical department. At the time of
installation it was identified that the hospital did not have a wireless network in place to
support the devices.
Generally then, Hospital A seems to have a good level of knowledge of what its information
security challenges are, and evidence shows that it is taking steps toward improving on its
current state. Indeed, Hospital A showed evidence during the interview of a third party
information security audit in which its current state was measured against the ISO 27001
standard. The report identified gaps and provided recommendations on how to improve
moving forward. The hospital has responded formally to the findings in the report and is
actively working on addressing the recommendations; in fact, the resolution of the identified
findings is one of the key initiatives in the facility's new ICT Strategic Plan, which is
currently in draft.
3.2.2 Hospital B: Western Australia
Case study B was the second largest facility surveyed in this study in terms of number of
beds, with 88 beds in total. This hospital services the western Perth community, providing a
range of surgical specialities and a particular speciality in palliative care. Like case study A,
facility B is a registered not for profit organisation.
The respondent in this case study was unique among the respondents in that his role
encompassed both business analysis and ICT governance functions, with his time fairly
evenly split between the two. The hospital has a small internal IT support team but relies
heavily on third party suppliers and vendors for support.
Similarly to case studies C and D, this facility did not seem to have an overall strategic focus
on ICT; a corporate strategic plan was in place, but it has only a small IT element. The
respondent did carry out an internal IT assessment in 2014, as a result of which a new IT
support role was created. Further, the survey hinted that the corporate strategic plan is
generally reactive to issues, given that a cyber security insurance package of some sort was
under consideration. To explore this further, the answer was expanded upon during the
interview and the respondent provided a couple of examples of current strategic initiatives
sponsored by the executive team. Both examples contained an element of information
security; however, they were mainly focussed on the accuracy of information and
identification for the purposes of business intelligence and self-service reporting, rather
than on cybersecurity.
When asked what the organisation considers to be its main cybersecurity challenge, this
facility provided an almost identical answer to case study C, showing concern over targeted
threats. This answer was discussed in further detail during the stage 2 interview, where the
respondent explained that the concern arose because the facility had been the target of a
phishing campaign. In this example, the finance director received an email requesting a
money transfer, made to look as though it came from the chief executive officer (the
business email compromise pattern commonly described as CEO fraud). Fortunately the
email was questioned and the scam was uncovered. The respondent also felt that there
would be little the organisation could do to prevent a targeted hack attempt.
A formalised holistic ICT governance framework did not seem to be in place at case study B,
although some level of governance was apparent; indeed, the respondent explained that
password policies and regular documented procedures are in place which ensure that
passwords are complex, stored appropriately and changed regularly. The documented
procedures detail daily checks such as anti-virus status, network health checks and
daily/weekly backup status. Some further details regarding occasional audits were
mentioned in the questionnaire. When explored further in the interview, the respondent
explained that the audits are carried out every three years by PricewaterhouseCoopers (PwC)
and that the purpose of the audit is to ensure that the policies and processes in place are
actually being followed. This element was particularly interesting as it was the only facility
in the survey to undergo such an audit.
Case study B shows some consistency with A and C regarding the ability to detect
intrusions, again relying on antivirus technologies to detect outbreaks of malware. The
respondent also explained in the follow up that third party support vendors typically notify
the hospital of any issues encountered on the network as part of the managed support
agreement in place. An example provided was that he occasionally receives notifications
about malware and viruses that have affected other customers of the vendor.
When questioned about certification against standards, this case study reported that it is
not certified against any standards. This was discussed in more detail during the interview
and the respondent explained that while the facility is accredited against EQuIPNational, he
did not consider this standard relevant in terms of information and medical device cyber
security and therefore answered that the facility was not certified in the context of the survey.
This facility did show some knowledge regarding the potential for vulnerabilities associated
with medical devices, or at least had informal policies in place to isolate medical devices
from the network. The respondent further explained that the devices that are connected to
the network are segmented into a separate virtual local area network (VLAN) on an internet
only network. This is to allow vendors and manufacturers to connect remotely for support
and troubleshooting. The potential for the vendors and manufacturers to gain access to any
data stored on the device was discussed; however, the respondent explained that he
understood that while the devices do transfer patient details to other systems, this
information is limited and does not contain identifying details, only internal patient
reference numbers. The respondent believes the medical devices used throughout the
facility are configured not to store patient information, and that information of this kind is
all stored within the hospital's patient administration system.
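Both Hospital A (in 3.2.1 above) and Hospital B rely on network segmentation as their main control over devices whose configuration they cannot see: VLANs with access control lists for end of life devices in the first case, and a separate VLAN for vendor remote access in the second, while in both cases perimeter logs go largely unreviewed. As an added example, not code from the thesis or from either hospital, the following Python script shows one way ICT staff could verify that such isolation actually holds, by replaying firewall or flow log records against an explicit allow-list. The VLAN range, server addresses, ports, vendor jump host and log lines are all assumed or constructed for illustration.

```python
"""Check a medical-device VLAN isolation policy against flow records.

Added example (not from the thesis). Every address, port and log line below is
constructed for illustration; substitute the real VLAN, servers and log format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed addressing: the isolated medical-device VLAN and the only host that
# may initiate connections into it (the vendor remote-support jump host).
MEDDEV_VLAN = ipaddress.ip_network("10.50.0.0/24")
VENDOR_JUMP_HOST = ipaddress.ip_address("10.10.0.5")

# Assumed allow-list of (destination, protocol, destination port) for traffic
# leaving the medical-device VLAN. Anything not listed is a policy violation.
OUTBOUND_ALLOW = (
    (ipaddress.ip_network("10.10.0.10/32"), "tcp", 2575),  # HL7 over MLLP to integration engine
    (ipaddress.ip_network("10.10.0.20/32"), "tcp", 104),   # DICOM to PACS
    (ipaddress.ip_network("10.10.0.30/32"), "udp", 123),   # NTP
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one key=value flow record (record format is assumed for this example)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(
        ts=fields["ts"],
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def outbound_allowed(flow: Flow) -> bool:
    """True when the flow matches an allow-list entry exactly (dest, proto, port)."""
    return any(flow.dst in net and flow.proto == proto and flow.dport == port
               for net, proto, port in OUTBOUND_ALLOW)


def classify(flow: Flow) -> str:
    """Return 'ok' or a short reason why the flow breaks the isolation policy."""
    src_in = flow.src in MEDDEV_VLAN
    dst_in = flow.dst in MEDDEV_VLAN
    if src_in and dst_in:
        return "ok"                      # device-to-device traffic inside the VLAN
    if src_in:
        return "ok" if outbound_allowed(flow) else "outbound not in allow-list"
    if dst_in:
        # Inbound sessions must originate from the vendor jump host only.
        return "ok" if flow.src == VENDOR_JUMP_HOST else "inbound from unexpected source"
    return "ok"                          # traffic not involving the medical VLAN


def find_violations(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, src, dst, reason) for every record that violates policy."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason != "ok":
            violations.append((flow.ts, str(flow.src), str(flow.dst), reason))
    return violations


# Constructed sample records: lines 3 and 4 violate the policy, line 5 is the
# legitimate vendor jump host connecting in and is therefore allowed.
SAMPLE_LOG = """\
ts=2016-05-01T08:00:01 src=10.50.0.12 dst=10.10.0.10 proto=tcp dport=2575
ts=2016-05-01T08:00:02 src=10.50.0.12 dst=10.10.0.20 proto=tcp dport=104
ts=2016-05-01T08:00:03 src=10.50.0.13 dst=10.10.0.40 proto=tcp dport=445
ts=2016-05-01T08:00:04 src=10.20.0.77 dst=10.50.0.13 proto=tcp dport=3389
ts=2016-05-01T08:00:05 src=10.10.0.5 dst=10.50.0.13 proto=tcp dport=3389
"""

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_LOG.splitlines()):
        print(*violation)
```

On the constructed records the check reports two violations: a device reaching an unlisted host on TCP 445, and a workstation other than the vendor jump host opening RDP into the device VLAN. The allow-list is deliberately exact on destination, protocol and port, so a new device or a vendor changing its management channel shows up as a violation to be reviewed rather than silently passing; that is the trade-off a facility accepting the 'better safe than sorry' approach described above should be making consciously.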
The respondent indicated in the questionnaire that the organisation was not aware of the
TGA 2016 recommendation regarding medical device cyber security. This response was
consistent with case studies A, C and D. Interestingly, and again in a similar fashion to case
study C, when discussed further in the interview the respondent explained that to his
knowledge the facility does not keep track of bulletin releases from the TGA.
Finally, the facility answered Yes to the survey question regarding the consideration of
cybersecurity capabilities as part of the device procurement process. Given the shortness of
this answer, the actual procurement process was explored further in the follow up
interview. The respondent explained that he is typically involved in any medical device
procurement decision, often acting as the liaison and project manager between vendors and
the clinical teams, which provides him with the opportunity to consider the possible
cybersecurity issues present in any device during the process. The respondent also provided
an example where he worked with a vendor during an installation to ensure a device was
configured appropriately to work within the technical configuration of the hospital's isolated
VLAN segments.
3.2.3 Hospital C: Tasmania
Hospital C was the smallest hospital that responded to our survey. The hospital has 48 beds
with particular specialities around psychiatric and obstetric practice and serves the
community of Northern Tasmania. This was the only for-profit facility that responded to this
study.
Of all the respondents, this respondent was the only one not directly in an ICT role of some
kind. There were some similarities with facility B, given that the respondent primarily works in a
business analyst role; however, IT was seen as an additional burden rather than an evenly
split responsibility or key deliverable of the role. It was clear in this case that ICT
governance was not a key component of the whole-of-business strategy. Indeed, during
the second-phase interview, the respondent indicated that the hospital has no internal ICT
staff and that all coordination of service requests and project work with third-party vendors and
suppliers is initiated through the respondent. The hospital relies wholly on third parties for
ICT advice, configuration and management. In fact, this was the only hospital in our survey
which did not have an internal IT team.
When questioned about current cybersecurity concerns the response by case study C was
consistent with those of case study B in that a targeted attack or “hacking” attempt seemed
to be the main concern. When this response was explored further, respondent C explained
that a hack resulting in stolen data would really be the concern as this is likely to result in
reputational damage and significant financial cost to the hospital.
Hospital C had some ICT security controls in place, such as password policies and Acceptable
Use Policies, but there is no technical or configuration documentation regarding the
network; however, the respondent did mention that the third-party support vendor is likely to
have documentation in this regard. Similarly to Hospital A, Hospital C also uses a number of
shared and generic logon accounts, particularly for third-party support staff and contractors,
who use a single account for multiple employees. The respondent in this case said that
there were no plans to move away from this arrangement, as it was cost-effective from a
licensing perspective and catered particularly well to agency staff, of which there is a high
turnover. The respondent also explained that, due to the small nature of the business, the
number of staff is relatively small and they all effectively have the same level of access to
data across the organisation. One particular example of this was the Director of Nursing
using the same logon account as a one-time agency nurse, and hence having the same level of
access to data in the hospital's patient management system.
When asked about the ability to detect and respond to threats, this hospital was consistent
with both A and B in that anti-virus tends to be the primary method of detecting
malware; in this case, the hospital relies on its third-party ICT provider to report any
issues or intrusions and to assist with preventing these. The respondent did mention that
firewalls are in place but could not really comment on how these were configured or on any
specific technology behind them.
The NSQHS EQuIPNational standards were mentioned by this hospital when responding to
the question regarding accreditation against standards, with the respondent stating that the
hospital is fully accredited against these standards. This is again fairly consistent with case
studies A and B; however, one notable difference is that this hospital is also an accredited
Baby Friendly Hospital. The respondent reported a lack of understanding of the ISO
standards. When this question was investigated further during the interview, a short
discussion took place around auditing: the hospital typically undergoes three different
audits, one of these being an annual financial audit to ensure the general ledger and
associated processes are appropriate, and the other two audits relating to the
EQuIPNational and Baby Friendly accreditations. The respondent suggested that
these audits do not really focus on cybersecurity.
Respondent C reported that cybersecurity is not an apparent strategic priority for the
organisation. However, the organisation does tend to have a reactive approach to issues. It
was suggested that if an event were to occur, the organisation would then properly
investigate the cause and develop a plan to prevent the issue from reoccurring. Examples of
a similar approach were given in a clinical context, where if clinical risks or incidents occur,
the causes and effects are investigated and a plan is developed to reduce the likelihood or
impact of the same issue in future. The respondent demonstrated the hospital's risk
management software, and upon visual inspection it was apparent that no risks or incidents
relating to cybersecurity had ever been recorded in the system.
When questioned about cyber risks associated specifically with medical devices, Hospital C
seemed to demonstrate a lack of understanding regarding these risks. Indeed, the
respondent reported that while the hospital had not had any cyber security incidents related
to medical devices, there was uncertainty about the damage that could be done if this were
to occur. When this response was clarified in the following interview, the
respondent suggested that the resulting impact of any device being attacked would likely
be limited, given that the devices are typically stand-alone and not integrated with the
hospital's network. This response, however, was in contrast to the reply given regarding the
integration of medical devices into the hospital's network. The example given here was the
imaging devices in theatre which, during a procedure, automatically attach the captured
images to the patient record contained within the hospital's patient administration
system. This was somewhat clarified, however, with the respondent explaining that the
information captured by the imaging systems is limited in regard to personally identifiable
information; indeed, in this case, the system only records the patient ID and the time and date
the procedure was performed.
Case study C responded in a similar fashion to B when asked about knowledge of the TGA
cybersecurity recommendations for medical devices, and interestingly, when explored
further, the respondent showed some uncertainty around the role of the TGA, suggesting that
the TGA has responsibility for the safety of medication rather than physical appliances such
as medical devices. Respondent C further suggested that it was his understanding that
medical device manufacturers are responsible for the safety of their devices rather than the
TGA.
Case Study C showed a similar approach to case study A with the medical device
procurement process, reporting that at this facility the clinical director makes all the
decisions regarding medical device purchases. The respondent suggested that cybersecurity
was not considered as part of this process, and that device implementations and
deployments in the facility were usually managed by device vendors.
3.2.4 Hospital D: Queensland
This was the largest private facility included in the survey, with 265 patient beds, servicing
patients and the community of central Queensland, and is one of the three not-for-profit entities
surveyed in this study. This was also the only facility in the survey with an emergency
services department. This facility provides a range of specialties to patients, although it is
particularly well known for its advanced cardiac services.
On the face of it, Case study D seemed to have the most mature ICT governance platform
out of all of the entities surveyed. Similarly to case study A, this facility has a member of the
management team leading the ICT function, and the respondent did mention in interviews that
a key part of his role is the development of the ICT strategy. However, there is no formal
published document regarding the hospital's ICT strategy. Like facility A, this hospital also
had a small internal ICT support team but, like facility B, relied on third-party contractors for
larger-scale project work and specific skill sets.
In terms of current cybersecurity challenges, this organisation had a couple of specific
concerns: one regarding the ability to survive and recover from an incident if one were to
occur, and the other regarding the potential for vulnerabilities associated with patients and
doctors bringing in their own devices for use on the network. When each issue was
explored further in the follow-up interview, the respondent provided a specific example
regarding the organisation's resilience, explaining that the hospital is a single-site facility and
has no cost-effective method of duplicating network hardware for redundancy and
continuity. The facility currently relies on backup tape media to restore from in the event of
a wide-scale malware infection or disaster. The respondent noted that while he was
confident data could be restored, he was worried about the time frames involved in restoring
from tape. The second example described the potential for malware or virus infections to
occur due to doctors and patients bringing in their own devices. The main concern was that
the demand for "bring your own device" (BYOD) has grown so quickly that the organisation
has not had time to implement effective or appropriate management tools to deal with
the potential cybersecurity risks associated with BYOD.
When asked whether formal information security frameworks were in place at this case
study, the respondent listed a number of example policies and procedures, ranging from
information management policies and acceptable usage policies to documented onboarding
and offboarding procedures for staff. When this response was discussed further in phase 2, the
respondent explained that the information management plan was the primary document
for the way in which information security is treated in the facility. However, it was
explained that the policy was originally written a number of years ago with paper-based
patient records in mind and does not cater very well for digital information. The example
given was a fairly thorough approval process for requesting access to view the details of a
paper-based patient record, yet no such process existed for elements of the same
information stored digitally on the network.
In a somewhat similar response to the other case studies, this facility seemed to rely on
firewall devices to detect and respond to threats. In this particular case, the facility utilised
a Unified Threat Management technology which provides a dashboard view of any threats
detected by the system. The respondent explained that the device reports incidents such as
potential port scans, denial of service attempts and spoofed IP addresses quite regularly. It
does have the ability to detect irregular network patterns internally but the facility had not
configured the heuristics for this option. The respondent also explained that the device
does output all findings to log files and has the ability to produce reports; however, he was
unable to confirm how long the log files were kept and how far back in time the activity
reports could be produced.
The respondent reported that the hospital was not certified against any information security
standards, but did explain that all in-house ICT support staff have attained ITIL Foundation
certification and that they do have knowledge of the ISO27001 standards and apply these to
processes and procedures where they can. During the interview, it was further discussed
that the hospital was accredited to the EQuIPNational standards and achieved certification in
2014. Similarly to case study B, this respondent also did not consider the EQuIPNational
standards appropriate in terms of information and medical device security.
Case study D seemed to have some focus on, or at least to acknowledge, information security as
part of its overall strategic plan. According to the answer provided in the survey, the
respondent mentioned that there is a general initiative in the corporate strategic plan to
improve the security of patient information. During the interview, however, it became
apparent that while there was a general initiative in the strategy, there was no real defined
plan as to how this would be achieved.
The answer regarding awareness of the potential for vulnerabilities in medical devices
showed similarities with that of case study B, with the survey response demonstrating that
the respondent knows that a number of devices run legacy operating systems and, as a
result, they are treated with caution. Specific examples were given during the interview,
such as the baby monitoring system, which runs in its own isolated network segment but is
accessible for management purposes from the management network segments. This
cautious treatment via isolation is almost identical to the approach used by both facilities A
and B.
The answer given regarding the storage of data on medical devices showed consistency with
all the other case studies in this review: the respondent in this case did not think data was
stored locally, and even where it is, the respondent indicated that this was only temporary
or transient, with the x-ray devices given as an example. In this case, the device
obviously captures an image during the process; however, the image is provided to the
patient and stored physically on the patient record. The respondent could not explicitly
confirm that the imaging data did not remain on the device.
This facility did not seem to be aware of the 2016 TGA recommendations regarding medical
device cyber security. This is unsurprising when explored in more detail, because during
phase 2 the respondent reported that, to his knowledge, the hospital does not subscribe to
or receive regular update bulletins from the TGA on any aspect, let alone medical devices in
particular. That being said, the respondent did mention that there have been a small
number of occasions where the hospital has received update bulletins from the
manufacturer of its portable blood sampling machines. Unfortunately, the respondent
could not recall whether the updates addressed any specific cyber vulnerabilities.
Finally, when questioned about whether or not the Hospital considered cyber security
capabilities as part of the device procurement process, this facility seemed to follow the
same trend in comparison with case studies A and C, reporting that medical device purchase
decisions are usually made by the clinical departments. In this particular case, the
respondent is sometimes involved in the decision making process, and does chat to the
vendor regarding network and security configurations when given the opportunity.
However, it was reported that in the past, as long as the device meets the desired clinical
requirements, even if it did not meet a specific security or technical requirement, the
purchase would more than likely go ahead and the ICT department would need to “just
make it work”.
3.3. Findings
Of the eight private hospital facilities invited to contribute, only four responses were
received (i.e. a 50% response rate). The states that did respond in this study are South
Australia, Western Australia, Queensland and Tasmania. Therefore, the Northern Territory,
Victoria, New South Wales and the Australian Capital Territory have not been represented in
this study. Of the four private hospitals that responded, three were registered not-for-profit
entities and one was a private for-profit entity. The smallest facility surveyed had 45 patient
beds, and the largest had 265.
In all four participating facilities, the respondents were male and had all been with the
facilities for at least 1 year. The job roles for each respondent did show some variation,
indeed two were in direct strategic ICT roles and two were in associated coordination roles.
Three of the four facilities had internal ICT teams, with one facility relying on external ICT
support services for all IT works.
3.4 Analysis
The job positions of the respondents seemed to play some part in the overall cybersecurity
posture of each facility. Facilities A and D, for example, are the two hospitals in the study
where the respondents perform directly in ICT management roles, and both of these
organisations have cybersecurity listed as a strategic priority. This is a particularly interesting
observation, as the academic literature suggests that organisations with a strategic rather than tactical
approach to cybersecurity tend to see better resilience and recovery rates in the event of a
cyber incident (Von Solms 2001; Posthumus & Von Solms 2004). Further, having cyber
security as a strategic priority facilitates senior management involvement in cybersecurity
planning, which not only ensures that appropriate resources and funding for cybersecurity
projects are adequately sponsored but also assists with driving the organisation's security
culture (Helle 2005). Both of these factors are considered crucial to the success of a
cybersecurity management framework for an organisation (Narain, Gupta & Ojha 2014, p.
655). Further evidence of the strategic approach of these two organisations is that
they both have formal frameworks in one form or another that deal with aspects of
cybersecurity. Change management policies, acceptable usage policies and documented
operational procedures were just some of the examples provided, and the existence of formally
documented security policies is regarded as one of the nine critical success factors for the
overall success of an organisational security system (Kohnke & Shoemaker 2015, p.10).
Half of the case studies reported the use of shared and generic logon accounts.
Interestingly, this finding was reported by the smaller hospitals in the study, and the evidence
suggests that this approach is taken in order to reduce the costs associated with software
licensing. The security implications of using shared and generic logon accounts
are well known: they reduce the ability to hold users accountable for their actions should a
malicious information security event take place (Bardram 2005, p.363).
A result which showed a high degree of consistency across the survey was the reliance upon
anti-virus applications for detecting and managing malware and virus outbreaks. Of course,
anti-virus and anti-malware capability is considered an important factor in reducing
exposure to vulnerabilities (Al-Saleh, Abuhjeela, & Al-Sharif 2015, p.88). However,
organisations that fare better against cyber threats are those with a holistic defence
strategy rather than those relying on one particular mechanism of defence (Palmer 2016, p.17).
This strategy does seem to be somewhat recognised by the facilities, because the
majority seem to be taking measures to isolate medical devices from their networks, either
by way of VLAN segmentation or physical segmentation, in order to reduce the effect of
associated vulnerabilities. That being said, the reasons for isolating the devices seem to be
due to a lack of knowledge about the specific vulnerabilities introduced by the devices
rather than because of known vulnerabilities in the devices. A similar result was seen
regarding IT involvement during the medical device procurement process, where 75% of the
respondents reported no involvement during the process. This is an interesting finding, as it
suggests that there might be some confusion as to where the responsibility for managing
medical devices from a cybersecurity perspective lies. Looking further into this confusion,
we can see that it is generally accepted that clinical engineering departments have
responsibility for the management of medical devices (World Health Organisation 2011, p.
21); yet it is IT departments which have the fundamental knowledge to effectively deal with
cybersecurity issues (Hanada, Tsumoto & Kobayashi 2010). It is recognised, however, that a
collaborative approach to the medical device cyber security issue by both parties will likely
result in more effective outcomes (US Department of Health and Human Services 2013a).
A clear standout across all the case studies was the apparent lack of awareness regarding
the TGA 2016 cyber security recommendations for medical devices. What was surprising
about this particular finding was that the facilities were not only unaware of specific
recommendations by the TGA, but also did not subscribe to or actively review official
publications and recommendations made by the TGA. Further, in some cases, such as
hospital C, there was even confusion about the role and purpose of the TGA regarding
cybersecurity. The second unanimous finding was the absence of certification against formal
information security standards such as ISO27001. In this case, each facility showed
certification against the NSQHS EQuIPNational standards, yet, interestingly, 75% of the
respondents did not consider the EQuIPNational standards to be relevant in terms of
cybersecurity.
3.5 Maturity Scores
On completion of the scoring of the question groups, two of the survey facilities, A & D,
appear to be doing relatively well in terms of providing a mature medical device
vulnerability mitigation framework. Both A & D scored relatively well in response to
question group 1, which essentially shows a good level of initial maturity, based on factors
such as senior management fulfilling a dedicated ICT management role, formal information
security frameworks being in place and information security being a strategic priority, all factors
which lead to more successful information security governance. In addition to this, both
facilities scored well in the medical device vulnerability awareness assessment; however, this
was largely due to how any potential risks were managed, using network isolation
techniques for example, rather than because of knowledge relating to specific medical
device vulnerabilities.
On the other hand, facilities B and C scored much lower in terms of information security
governance maturity, showing a lack of formalised policies and no strategic focus on tackling
the medical device vulnerability problem. Interestingly, both facilities received scores almost
comparable with A & D in terms of medical device vulnerability awareness; however, they
lacked the knowledge to put effective measures in place to mitigate any associated risks,
resulting in an overall lower maturity score.
In terms of formal results, Hospital D was the highest scoring facility, with an assessed
maturity rating of 81.81%. This was followed by Hospital A with a 72.72% rating. Hospital B
scored third with a rating of 45.45%, with Hospital C having the lowest apparent maturity
score at 36%. The scoring for each facility can be seen in the Maturity Matrix in Figure 5.
Figure 5: Maturity Matrix
3.6 Trends
What the analysis of the findings generally presents is not only a general lack of
understanding about the vulnerabilities associated with medical devices, but also a lack of
understanding about how these vulnerabilities should be mitigated. Investigating the
following findings from the survey gives us some insight as to why this might be the case.
Finding 1: Regulation: Confusion over the role of the TGA regarding cybersecurity was
expressed during the survey. However, the TGA does clearly define its role as the governing
body for medical devices (Australian Government 2016a), and makes publicly available, a
database of reported incidents specifically relating to medical devices (Australian
Government 2016b). The cause of this confusion is not immediately clear. It could be
suggested that a lack of regulation explicitly requiring hospitals to report adverse incidents
involving medical device cybersecurity might be a contributing factor. The TGA provides
instructions on submitting medical device incident reports, and provides insight as to why
this is useful, but it does not appear that the reporting of these incidents is mandatory
(Australian Government 2016c; Weaver, 2016). The Private Health Facilities Act 2007 (NSW)
on the other hand, does require adverse incidents involving medical devices to be reported.
However, under the Act, the definition of adverse incident makes no mention of
cybersecurity (NSW Government, 2014). Further to this, there is no apparent requirement
in the Act for hospitals to subscribe to and follow the advisories and notifications made by
the TGA regarding medical device cyber vulnerabilities and there are suggestions that this is
the cause of the lacklustre response from hospitals (Holdsworth & Choo, 2016).
Finding 2: Accreditation: It was clear in the results of the survey that private hospitals aspire
to reach certification against the National Safety and Quality Health Service Standards
(NSQHS). To better understand why this is the case, it is important to explore the standards
in more detail. According to the Australian Commission on Safety and Quality in Healthcare,
the NSQHS Standards were:
developed by the Australian Commission on Safety and Quality in Health Care (ACSQHC)
in consultation and collaboration with jurisdictions, technical experts and a wide range
of stakeholders, including health professionals and patients… with the primary aim to…
protect the public from harm and to improve the quality of health service provision.
They provide a quality assurance mechanism that tests whether relevant systems are in
place to ensure minimum standards of safety and quality are met, and a quality
improvement mechanism that allows health services to realise aspirational or
developmental goals (Australian Commission on Safety and Quality in Health Care,
2012).
The above definition makes it easy to see why accreditation against these standards is a
good idea, but the key factor is that, unlike the recommendations made by the TGA,
implementation of the NSQHS standards is in fact mandatory:
All hospitals and day procedure services and the majority of public dental services
across Australia need to be accredited to the NSQHS Standards. Private health service
organisations need to confirm their requirements for accreditation to any standards in
addition to the NSQHS Standards with the relevant health department (Australian
Commission on Safety and Quality in Health Care, 2016).
Although accreditation against the standards is mandatory, the majority of respondents in
the study did not consider these standards to be relevant in terms of cybersecurity. Taking
a closer look at the standards, it appears that the respondents might be correct in their
thinking. It could be argued that of the 15 standards in the framework, only Standard 14 –
Information Management and Standard 15 – Corporate Systems and Safety somewhat
relate to medical device cybersecurity issues, and even then they only provide
broad, non-specific direction. Using Standard 14.4 as an example, the 'organisation has an
integrated approach to the planning, use and management of information and
communication technology' (ACHS 2015, p.5). This could be considered a very broad
requirement for some form of formal governance or control around information
management, yet it provides no detail about the appropriate way in which this can be
achieved. Similarly, Standard 15.6, under which 'building, signage, plant medical devices,
equipment supplies, utilities and consumables are managed safely and used efficiently and
effectively' (ACHS 2015, p.5), is another broad direction without an appropriate
methodology provided.
Chapter 4
4. Conclusions, Limitations & Further Work
4.1 Literature Review
The number of medical devices deployed across the globe is likely to increase as we head
into the future; in addition, as technology advances, medical devices will be increasingly
integrated into healthcare and private networks. This increase in use and numbers creates
not only a larger potential target for malicious users, but also a potentially larger number of
adverse incidents relating to exploitation of vulnerabilities contained in the devices.
Generally, an effort is being made to address the vulnerabilities present in medical devices;
however, the efforts seem to lack a holistic focus or use an uncoordinated approach. Each
associated party appears to have its own priorities, and these individual priorities do not
necessarily work towards the same goal. Medical device manufacturers, for example, are
focussed on profits, while healthcare facilities are focussed on clinical outcomes. Unless
each party can collaborate to produce and maintain effective countermeasures, the
increased exposure to vulnerabilities will likely result in increased incidents of loss of
sensitive data, patient injuries, and in some cases even death.
The recommendation based on this research is that the authorities, medical facilities,
standards organisations and academia all need to work together in a coordinated, holistically
focussed approach, concentrating on the areas relating to vulnerabilities which lack effort or
that have not been addressed. Authorities, on the one hand, need to provide clear, concise
guidance on the expectations of each party involved rather than general guidance applicable
to all parties. Perhaps by defining an area of responsibility for certain tasks, authorities can
be more specific about the areas on which each party should focus. The introduction of
mandatory reporting by all healthcare providers of cyber security incidents
associated with medical devices and patient data, with financial penalties for failing to
report, might produce a better repository of reported incidents, providing clarity on the
volume of issues occurring.
In a similar vein, the introduction of mandatory vulnerability assessment testing as part of a
medical device approval and registration process, or a restriction on a manufacturer's licence
if its medical devices fail to meet an approved standard such as ISO 80001, might
encourage device manufacturers to focus more heavily on security.
Perhaps there is future scope for healthcare facilities and device manufacturers to work
more proactively with academia, funding or sponsoring specific research or specific device
vulnerability testing rather than waiting for researchers to hack or crack a device.
Regardless of the approach, better visibility into the areas in which the associated parties
need to focus their efforts will likely result in a more effective and coordinated response to
tackling the medical device cyber security problem.
4.1.1 Literature Review Limitations
Device Manufacturers
The scoring matrix revealed that, in the analysed literature, Medical Device Manufacturers
had the lowest effort score due to having the lowest number of related items found. This
was a somewhat surprising result given that manufacturers are arguably the
associated party type most likely to hold the deepest understanding of a particular
device's design and any resulting cyber vulnerabilities, yet we saw little evidence of any
vulnerabilities, or vulnerability mitigation efforts, being published. Thinking about this
further, however, it may not necessarily be in the best interest of medical device
manufacturers to publish information regarding vulnerabilities contained in their devices.
Information of this type could be considered sensitive and commercial-in-confidence, and
could risk reputational damage if, for example, one particular manufacturer had a higher
number of vulnerabilities published for a device than a competing manufacturer. Perhaps in
this case, a literature review is an unlikely mechanism with which to detect the level of effort
contributed by the device manufacturers.
That being said, we did see examples in the literature of studies conducted against
the FDA's MAUDE database, in which incidents involving medical devices are reported, so
there is some evidence that incidents are at least being reported in some instances. Our
study categorised these literature articles against the Academia associated party type, given
that the studies appeared in academic items; however, perhaps there was some scope for
these items to be classified against the Device Manufacturer associated party type instead.
Indeed, a more in-depth analysis of the MAUDE database could shed some light on the
exact nature of each reported incident and whether the incident was, for example, reported
by a user (Medical Facility) or by a manufacturer.
Authority
The literature demonstrated that the European Union had contributed a limited level of effort
in tackling medical device vulnerabilities, and we did make a sweeping statement in this
regard; however, what the literature did not take into account was what the individual
European Union member states may be doing to tackle the medical device cybersecurity
problem. Indeed, the United Kingdom, for example, has the Medicines and Healthcare
Regulatory Agency (MHRA), which has its own rules regarding medical device and medical
software cyber security, and the same is no doubt true for other individual member states. A
separate study on the regulations of the individual member states would no doubt help
determine the specific Effort contributions of the different member states.
4.2 Survey & Questionnaire
The evidence gathered in this part of the research also suggests that Australian healthcare
facilities are at least making some contribution towards mitigating vulnerabilities associated
with medical devices. However, there are signs that they are struggling to do this effectively.
An exact metric around this is quite difficult to ascertain because we saw from the results
that although 75% of the respondents were attempting to protect the clinical and corporate
networks from any vulnerabilities present in medical devices by isolating those
devices, the reason for isolating these devices was not necessarily the
vulnerabilities themselves, but rather a lack of knowledge relating to the configuration of, or
the risk posed by, the devices. There are a number of factors which contribute to this situation
and it would be unfair to lay the blame wholly on the healthcare facilities. Indeed,
healthcare facilities do not seem to be provided with clear directions about how to protect
against device vulnerabilities, and it is apparent that any vulnerability mitigation steps that
are taken by healthcare facilities are not aligned with any particular best practice standard.
The root cause of this seems to be a lack of incentive from any particular authority.
Unfortunately, the result of this is an ad-hoc and non-uniform approach to tackling
associated risks. This unstructured approach is likely to result in risk factors being
overlooked and vulnerability pathways remaining open.
That being said, where the healthcare facilities seem to perform uniformly well is in the
field of mandatory accreditation. We saw in the results that 100% of the survey respondents
reported accreditation to the NSQHS EQuIPNational standards, and this is as expected
because of the mandatory nature of the accreditation scheme. What this finding shows is that
when the facilities are given an appropriate incentive, they can perform very well
in achieving a set standard. Given this result, it could be suggested that mandatory
accreditation against information security standards such as ISO 27001 would not only provide
a better incentive for the entities to grow their knowledge about medical device
vulnerabilities, but also allow them to focus on reducing cyber security vulnerabilities in a
uniform, united fashion. The alternative approach to this is, perhaps, refining the NSQHS
Standards to be more prescriptive regarding the processes and techniques that are
expected in relation to securing information and medical devices.
In a similar vein, we saw in the survey that healthcare facilities were generally unaware of
the recommendations relating to medical devices published by the TGA. Perhaps making
TGA recommendations legally binding would provide healthcare entities with the incentive they
need to subscribe to, and adhere to, any notifications published by the TGA.
4.2.1 Survey Limitations
This study set out to be a representative study of the whole of Australia, so input from each
Australian state and territory was sought. In reality, however, the study only received four
respondents, which equates to roughly 50% representation of Australia's eight federated
states and territories. That being said, the respondents were from quite geographically
disparate regions within Australia, so the sample is likely to represent a more holistic
viewpoint than, for example, four respondents from the same region. The other challenge was
getting respondents from some of the larger corporate entities to participate. Indeed, the
size of the hospitals in this study was relatively small in terms of number of beds. The study
did set out to include sizes from 40 to 1500 beds; however, in reality the hospitals in the sample
ranged from 44 to 256 beds. This sample is likely to have some effect on the results,
particularly the result indicating shared and generic logon accounts, for example. As
discussed, this behaviour seemed to be driven by the smaller hospitals out of a necessity to
save on software license costs, and it could be suggested that we might not have seen this
behaviour from larger corporate entities with larger financial resources.
Additionally, the scoring matrix used in the study did not account for some of the negative
aspects that were discussed. One example in particular was the use of shared logon
accounts. Given that this practice is generally recognised as insecure, it could have been
included in the assessment type matrix with a score of -1. Had this been the case, both
facilities A and C would have had a lower total score when assessed against this negative aspect.
4.3 Future Works
Our earlier research found that a low rate of effort was contributed by two entities:
Healthcare facilities and Device Manufacturers. This second paper followed on from that
study and attempted to investigate why the effort contribution was low from the Healthcare
facility perspective. In order to round out the study, and provide a more holistic view of the
problem, it would be useful to find out why the rate of effort from the device manufacturers
also appears to be low. Indeed, a third study which attempts to explore the challenges
faced by the device manufacturers may help us to better understand the problem and, from
there, formulate a solution or recommendations to remove these challenges and improve
the level of effort. Gaining this visibility into both perspectives may allow us to identify a
way in which both parties can work together to tackle the problem in a coordinated, united
way, resulting in a more effective mitigation strategy for the medical device vulnerability
problem.
Allen, S 2014, 'Medical device software under the microscope', Network Security, vol. 2014,
no. 2, pp. 11-12.
Wu, F & Eagles, S, 2016 'Cybersecurity for medical device manufacturers: Ensuring safety
and functionality', Biomedical Instrumentation & Technology, vol. 50, no. 1, pp. 22-34.
Yuksel, M. & Dogac, A. 2011 ’Interoperability of medical device information and the clinical
applications: an HL7 RMIM based on the ISO/IEEE 11073 DIM’, Information Technology in
Biomedicine, IEEE Transactions on, vol. 15, no. 4, pp. 557-566.
Zhang, H, Cocosila, M & Archer, N 2010, 'Factors of Adoption of Mobile Information
Technology by Homecare Nurses: a technology acceptance model 2 approach', Computers,
Informatics, Nursing, Vol. 28, No. 1, pp. 49-56.
Page 87 of 97