A Survey on Security and Privacy Issues in Modern Healthcare Systems: Attacks and Defenses

Malware: Any software or application that is written with malicious intent is called malware. A healthcare device infected with malware can stray away from its normal functionalities such as slow or shut down a device. For instance, Conflicker, a relatively old malware, was recently detected on 104 devices, including X-ray machines, mammography, and a gamma camera for nuclear medicine at the James A. Haley Veteran’s Hospital in Tampa, Florida, USA (fu2014controlling, ). This malware affected Microsoft Windows operating system from a thumb drive because the network drivers were not patched with the MS08-067 patch from Microsoft. Hence, a remote and unauthenticated attacker could execute arbitrary code on the vulnerable system. In January 2010, a veterans affairs (VA) catheterization laboratory in New Jersey, was temporarily closed due to a malware infection into the computer systems (softwarethreats1, ). As a result, patients were unable to get any medical services from that hospital. Affected devices were X-ray machines and lab equipment manufactured by reputed companies. Moreover, malware like Kwampirs can introduce instability into healthcare systems by triggering equipment malfunction or delay in accessing information (malware, ).

Ransomware: Ransomware is a unique subset of malware that limits or blocks users’ access by locking the system and data unless a ransom is paid. In May 2017, around 50 hospitals in the U.K. were directly affected, and many hospitals preemptively shut down their computer systems due to ransomware. It caused considerable disruption, such as affecting care delivery, compromising patient safety, and potentially eroding trust (martin2017cybersecurity, ). The ransomware encrypted and blocked the patient’s data and threatened to publish or delete them unless a ransom is paid. In 2016, a ransomware shut down the network of the Hollywood Presbyterian Medical Center in Los Angeles, California for ten days. It prevented its staffs from accessing medical records or using medical equipment until the hospital paid a ransom of $17,000 (mansfield2016ransomware, ). Freedom of information requests in the U.K. found that in 2015-16 up to half of the national health service (NHS) trusts were hit by ransomware (mansfield2016ransomware, ). Also, two US-based health centers (Hancock Health and Erie County Medical Center) were hit by SamSam ransomware and ended up meeting the ransom demand. In all these incidents, on average, it would take 12 days to restore limited system access and six weeks to restore full access to the system (ransomware, ).

Outdated operating systems: Outdated operating system (OS) poses severe threats to healthcare devices as new-found bugs are not addressed in the older versions of the OS by the vendor. As a result, attackers can exploit the existing bugs of the OSes by simply injecting malicious code snippets or software. According to the Duo security research team, 70% of healthcare devices in North America and Europe will still be running outdated Windows 7 OS at the end of 2020, although Microsoft stopped releasing any patches for Windows 7 (wan, ). As an example, the WannaCry ransomware attacks were launched against unpatched healthcare devices, where IT professionals neglected to download the OS update on time. A group of researchers conducted a vulnerability assessment in a radiology department where the majority of the networked medical equipments (e.g., medical ventilator, X-ray machine, anesthetic machine, etc.) were running on an old and insecure version of OSes (e.g., Windows Vista, Windows XP, etc.) (moses2015lack, ). These OSes were running unprotected, insecure, and vulnerable applications that had no firewall or protection against malware.

Counterfeit firmware update: Counterfeit firmware in medical devices introduces numerous threats to healthcare devices as an attacker can gain access to the devices and manipulate the applications using fake copies of firmware. Counterfeit firmware is produced and distributed in such a way that it appears to be authentic. Hanna et al. analyzed an automated external defibrillator (AED) (Cardiac Science G3 Plus 9390A) and found four vulnerabilities, including a software update mechanism that accepts counterfeit firmware (hanna2011take, ). An attacker could replace the firmware of that specific AED with custom firmware designed to exploit the AEDUpdate package to perform buffer overflow. Rios et al. showed that it is possible to update unverified firmware of a home monitoring device that is connected to an ICD (rios2017security, ). As there was no digitally signed firmware within the ICD ecosystem, the unverified firmware allowed to perform a man-in-the-middle attack on the ICD. Rieck et al. reverse engineered a wearable healthcare device (Withings Activite fitness tracker) to identify and reconstruct the header structure within a firmware update (rieck2016attacks, ). As the authentication scheme of this device only computes a checksum over the actual content of the image, it is possible to create a fake copy of the firmware by alternating the checksum in the header field. In other studies (ly2016security, ; clausing2015security, ; kim2015burnfit, ; shim2017case, ; classen2018anatomy, ; arias2015privacy, ), fitness tracker devices’ application codes and firmware were reverse engineered to extract and manipulate fitness-related data. These devices lacked authentication, encryption, and integrity check mechanisms for firmware updates.

Electroencephalography (EEG) attacks: In an EEG-based attack, an attacker is a malicious third-party application developer who is using an EEG-based brain-computer interface (BCI) device. The main goal of this device is to learn secret and private information about the user. An attacker developed a malicious software called brain spyware that was integrated into a BCI device to detect private information of the user (martinovic2012feasibility, ). Moreover, an attacker can specially design the videos and images that can be shown to the user to maximize the information leakage from the BCI device during the time of the attacks. It has been shown that the captured electroencephalography (EEG) signal can reveal personal information (e.g., bank cards, PINs, area of living, etc.). In other studies (bonaci2014securing, ; bonaci2014app, ), researchers used brain spyware to extract not only private information about users’ memories and prejudices, but also their possible neurological disorders.

Weak authentication scheme exploitations: Authentication is a process where one needs to prove his/her identity to an application or system to access a service. Weak authentication describes a scenario where the strength of the authentication mechanism is relatively weak compared to the value of the assets. In a recent study, researchers investigated weak password-based authentication in healthcare devices focusing on external and internal defibrillators. According to the study, an AED using MDLink software has a weak password authentication scheme where the password file is stored on the local hard drive (hanna2011take, ). As a result, anyone with privileges could delete or change the password file and install any new software on the machine. Furthermore, researchers reverse engineered the MDLink authentication mechanism and wrote a small utility to change or recover a user’s password. In another work, Xiao et al. used a malicious brain-computer interface (BCI) app to steal the patient’s EEG data by exploiting the standard software development kit (SDK) as the calling application programming interfaces (APIs) have no authentication schemes (xiao2019can, ). In 2017, a group of researchers identified a hard-coded authentication system in the Medfusion 4000 Wireless Syringe Infusion Pump from Smiths Medical that allowed FTP server connections without any verification (radio8, ). In a recent article, researchers reported an EEG-based application that allows to execute malicious code on the EEG device. When a client requests an EEG file, this application exploits the path requested by the client using the buffer overflow to remotely access the EEG device and make the device unavailable (natus, ).

Privilege escalation attacks: A privilege escalation attack takes advantage of bugs, design flaws, or configuration failures in an OS or application to access healthcare devices and data that usually require exclusive permission or authorization. Privilege escalation attacks can be launched by rogue users (e.g., patients or physicians) who have access to healthcare systems and perform malicious activities, such as calibration failures, data modification, etc. Yan et al. introduced two types of privilege escalation attacks (pressure-based attacks and time-based attacks) to IMDs, which can mislead the diagnostic process by altering collected and stored data after bypassing the initial access control mechanism (yan2014semantic, ). In pressure-based attacks, the attacker can change the pressure value of the sensors connected to the IMDs to report misdiagnosis of the patient. The attacker postpones the pressure data of some pressure sensors for certain time slots in time-based attacks.

Electromagnetic Interference (EMI) attacks: EMI attacks are performed by measuring the electromagnetic (EM) radiation emitted from a device and performing signal analysis to infer sensitive information. Kune et al. showed that analog sensors used in medical devices (e.g., infusion pump, ICD, etc.) are sensitive to EMI and can provide an unchecked entry point into the medical devices (kune2013ghost, ). Here, an attacker can inject EMI signals in an ICD’s sensing unit to alter the sensor readings and trick the medical devices to prevent data communication. Additionally, several prior works reported that EMI could cause device malfunction in pacemakers and ICDs (hayes1997interference, ; jilek2010safety, ).

Sensor spoofing attacks: In a sensor spoofing attack, an adversary alters the physical environment in a way so that a medical system behaves abruptly (sikder2019aegis, ; sikder2019context, ). Park et al. introduced a sensor spoofing attack against the infrared drop (ID) sensor embedded in the infusion pump (park2016ain, ). An ID sensor has a linear property of input-output stimuli, which can be manipulated to non-linear behavior by exceeding the upper bound operating region of the infusion pump. Researchers showed that an attacker could inject an external power signal to a targeted sensor to block the sensor response to environmental changes, which results in over-infusion or under-infusion to the patient. Over-infusion allowed the infusion pump to infuse about 333% of the fluid as compared to the normal operation while under-infusion infused approximately 45% less than the normal operation.

Differential power analysis (DPA) attacks: DPA attacks use different analysis techniques (statistical, error correction, etc.) to infer sensitive information from power consumption data. Zhang et al. introduced a DPA attack that can extract secret keys from extremely noisy channels in a heart-rate monitor using symmetric cipher (zhang2013towards, ). Here, the heart-rate monitor uses AES encryption to encrypt the measured heart rates before transmitting to an end device (hub or storage). An attacker can recover the secret key used in the encryption scheme by analyzing the current consumption rate while measuring the heart rate of the patients. If the same key is used in the same model of all heart-rate monitor devices, an attacker can publicize the inferred secret key and thus make the cryptographic protection ineffective for a large number of devices.

Eavesdropping: Eavesdropping refers to an attack where an adversary tries to steal information over a communication medium by taking advantage of the unsecured communication channels. Several eavesdropping attacks on medical devices (e.g., Medtronic and OneTouch Ping insulin pumps) have been reported, which captures the clear text communication to capture sensitive patient data such as blood glucose results and insulin dosage (blindattack, ; radio5, ). Li et al. demonstrated an eavesdropping attack in an insulin pump by using off-the-shelf hardware and a software radio platform (li2011hijacking, ). As the communication channel does not use any authentication, researchers showed that attackers could capture glucose level, device type, device PIN, and medical condition of the patient by eavesdropping the communication channel. A group of researchers was able to capture enough sensitive data from Withings Blood Pressure Monitors’ network traffic to determine the time and frequency of blood pressure testing on a patient (wood2017cleartext, ). As the information sections of all queries and responses in Withings devices are transmitted in clear-text format, an attacker can easily monitor and capture network traffic to eavesdrop sensitive data including device ID, device type, and patient’s readings.

Replay attacks: A replay attack is a form of attack in which an adversary intercepts the data transmissions and fraudulently re-transmits it to misdirect the receiver. For instance, One touch Ping insulin pumps and blood glucose meters do not use any sequence numbers or timestamps, which allows attackers to capture transmissions and replays them later to perform an insulin bolus without specialized knowledge (radio5, ). A researcher, Jerome Radcliffe, showed that a continuous glucose monitoring device (CGM) without any timestamp or other protection methods in network packets could be exploited by a replay attack (radcliffe2011hacking, ). This attack led to an unusual insulin dosage to the patient resulting in the hypoglycemic condition. In another work, Xiao et al. showed that software-defined radio (SDR) waves emitted from EEG devices can be recorded to replay in an RF dongle to recover the patient’s EEG signals maliciously (xiao2019can, ).

Impersonation attacks: In an impersonation attack, an adversary successfully disguises as a valid user in the communication system to gain access to the victim’s sensitive information and take advantage of the clear text communication between healthcare devices. Li et al. showed that an unencrypted communication between a glucose monitoring device and the insulin delivery system could be sniffed, and by applying reverse engineering methods, it is possible to discover the device PIN (li2011hijacking, ). Furthermore, this PIN can be used to authenticate a patient maliciously to perform an impersonation attack. In another work, researchers introduced a hijacking attack using a smartphone application and its corresponding Medical IoT (MIoT) devices (e.g., pulse oximeter, glucometer, etc.) (flynn2020knock, ). MIoT devices can store offline readings when the user’s smartphone application is not available to upload the results in the smartphone interface. A hijacker with stolen user credentials can open an account from another smartphone and retrieve all the offline readings that can be verified using manual and digital forensics techniques (babun2018iotdots, ).

Denial-of-service (DoS) attacks: In DoS attacks, the attackers usually make a healthcare device or system unavailable temporarily or permanently to the legitimate users by sending excessive and unnecessary service requests. For example, an ICD remains in the standby mode for 5 minutes after activation even though there is no active communication session. This wait time can be exploited by initiating false communication sessions and keep the ICD in standby mode for longer times (dos, ). Ransford et al. reported a crash attack to cardiovascular implantable electronic devices (CIEDs) in which attackers send undisclosed radio traffic to disrupt the radio connectivity of CIED, causing the device to stop working (ransford2017cybersecurity, ). A group of researchers reverse engineered the communication protocol of a battery-powered ICD to make a communication with an unauthenticated device that posed a potential DoS risk to the ICD (halperin2008pacemakers, ). An exploitable DoS vulnerability was identified in the use of a return value in an EEG-based software applications program (natus, ). As a consequence, a specially crafted network packet could cause an out of bounds read to trigger this vulnerability.

Multiple Input and Multiple Output (MIMO) attacks: MIMO refers to a setting where multiple antennas used by the transmitter to transmit a wireless message to a receiver with multiple antennas. In the MIMO attack, attackers try to recover signals sent by the transmitter in the presence of a friendly jammer, without any collaboration with the jammer or transmitter. An attacker can recover confidential messages from distances even when the friendly jammer and the data source are few centimeters apart, and the attacker is several meters away. Friendly jamming is often used to protect the confidentiality of the communicated data, which also enables message authentication and access control. Researchers showed that MIMO attacks are still possible with two receiving antennas from a range up to 3 meters (tippenhauer2013limitations, ).

Man-in-the-middle (MITM) attacks: A MITM attack occurs when communication between different components of healthcare systems is monitored and modified by unauthorized users. This attack can be used to inject malicious codes to a healthcare device or server, intercept sensitive information like protected health information, expose confidential information, and modify trusted information. Researchers introduced distance hijacking attack to intercept an ongoing communication in healthcare systems (cremers2012distance, ). Here, two medical devices, prover and verifier, are considered in the distance bounding protocol, where verifier establishes physical proximity with the prover. The authors considered various adversarial capabilities for falsifying physical abilities to the prover to create a false or rogue prover that can intercept the communication and establish a new communication channel with the authorized verifier. In another study, a Bluetooth-enabled medical device named pulse oximeter was used to perform MITM attack (pournaghshband2012securing, ). In this attack, attackers jammed the Bluetooth device to break the existing connection to pair the device with an access point (AP). Hei et al. presented a MITM attack where an attacker compromised the wireless communication between an insulin pump and a USB device (hei2014patient, ). As the communication in the insulin pump was unencrypted, the attacker could perform signal acute overdose and chronic overdose attacks. Signal acute overdose issued a one-time overdose to the patient, whereas the chronic overdose issued extra portions of medication to the patient over a long period of time. Marin et al. demonstrated a MITM attack by intercepting the communication between the ICD and the programmer device (marin2016security, ). Additionally, the researchers reverse engineered the communication protocol of the ICD to show that these proprietary protocols do not provide any security during communication.

Battery depletion attacks: A battery depletion attack is a forced authentication attack where an attacker tries to connect with an IMD to perform multiple authentications and drain the battery of the device. Raymond et al. presented a denial-of-sleep attack that prevents the medical device to activate power-down mode in case of failed authentication attempt to exhaust the battery life (raymond2009effects, ). Security researchers of MedSec studied St. Jude Medical Merline’s CIED and reported a battery drain attack that reduces the CIED operating time cycle (ransford2017cybersecurity, ). In a recent report, an implementation flaw in an ICD is reported where the ICD does not go to the sleep mode even after ending an active communication session (dos, ). This flaw can trigger a DoS attack and drains the battery of the ICD. Hei et al. presented a battery depletion attack on the IMD by exploiting the wireless communication between the IMD and programmer device (hei2013security, ). As the programmer device needs to authenticate itself to the IMDs, an unauthorized programmer device can send several authentication requests to consume a considerable amount of battery life of the IMD. Researchers reported unsecured authentication in earlier versions of wearable devices, such as Google Glass, which allows root access to the attackers (safavi2014improving, ). Using this root access, attackers can establish a connection with the wearable devices and pass certain commands to recognize the users’ face, record the footage containing video, and voice recording of the user.

Attack approach: Based on the attack approach in a healthcare system, the attacks can be categorized as active or passive. Active attacks (e.g., DoS attack, MITM attack, etc.) try to change the healthcare system resources or affect the system’s operations while passive attacks (e.g., eavesdropping, weak authentication scheme exploitations, etc.) read or make use of the information from the healthcare system resource. From Figure 3a, one can observe that passive attacks have been reported more (55.6%) in healthcare than active attacks (44.4%).

Impacted security: After a successful exploitation, confidentiality (C), integrity (I), and/or availability (A) of a healthcare system are impacted by the existing attacks. Active attacks (e.g., malware, ransomware) mostly affect the integrity and availability of a healthcare system. On the contrary, passive attacks (e.g., eavesdropping, MIMO) jeopardize the confidentiality of a healthcare system. As Figure 3b shows, the integrity of the systems is impacted the most (44.0%) due to reported attacks in healthcare.

Targeted medical devices: Based on the existing attacks in a healthcare system, as Figure 3c presents, non-invasive medical devices are the most targeted by the attackers. Most of the non-invasive devices (e.g., smartwatches, BCI devices, etc.) do not use encryption and authentication mechanisms during their communication with the programmer rather perform clear-text data transmission. As a consequence, an attacker can perform active attacks (e.g., DoS attack, replay attack, etc.) and passive attacks (e.g., eavesdropping, impersonation, etc.) on these devices. Attacks on active therapeutic devices are much lower compared to the attacks on invasive devices.

Targeted components: Among the five components in a healthcare system (explained in Section 3), the medical devices and data are the most affected due to attacks (Figure 3d). As the patients’ data and information produced by healthcare devices can be used for blackmail and extortion (black, ), attackers target medical devices and data the most. Besides these components, network and healthcare provider attacks are also high in numbers. Sensor-level attacks are the minimum in number compared to the other targeted components.

Types of attacks: Based on the current attacks, as Figure 3e presents, communication channel attacks are the most common attack on healthcare systems. Healthcare devices use various wireless communication protocols (e.g., Wi-Fi, Bluetooth, Zigbee, etc.) to check the patient’s status remotely, which at the same time makes them vulnerable to the attacks. Software attacks are emerging as more medical devices are getting smart and support third-party applications. Hardware attacks occur because third-party vendors develop most of the ICs. Although small in number, hardware attacks are still a concern for the patients as it is increasing day by day.

Electric current analysis: The electric current analysis measures the current consumption in a device, allowing experts to detect anomalies in devices at the hardware level. Bhunia et al. monitored current leakage from static CMOS gates to identify trojan circuits in a healthcare device (bhunia2014hardware, ). As current leakage always remains the same for CMOS gate, the difference in current consumption can distinguish hardware trojan from the base circuits. However, in the case of a large circuit with a high number of gates and fewer trojan, the current analysis fails due to an insignificant change in current readings and difficulty of performing extensive testing. Aarestad et al. proposed current analysis in multiple pins instead of a single point to increase the sensitivity and reduce the problem of detecting a few gates in a fraction of the total gates in the IC (aarestad2010detecting, ). However, this technique cannot detect HTs that are small in size due to the power and timing variations that HT can cause (wei2013undetectable, ).

Delay variation and characterization: This HT detection method works by measuring and detecting small systematic changes in path delays introduced by capacitive loading effects or series inserted gates of HTs. A high-precision, low-overhead embedded test structure (ETS) called REBEL was proposed to detect delay anomalies in HTs (lamech2012trojan, ). REBEL was capable of delivering high-resolution measurements of path delays and able to identify a wide range of delay anomalies introduced by HTs. It provides significant benefits over other traditional delay testing methods as the digital snap-shot captured by REBEL allows glitches to be detected and can potentially speed up the path delay measurements using a small number of repeated application of the test pattern. The detection sensitivity of REBEL was checked by varying the analog control voltage on each trojan emulation circuits one at a time and classifying the result using regression analysis. A backtracking-based algorithm was proposed in (wei2012hardware, ) to identify the reconvergent locations in the circuits where the delay variations caused by HT is not observable.

Power consumption analysis: Malware detection in healthcare devices can be performed by power consumption analysis, which compares the power consumption of traditional programs and known malware to find anomaly in the system. Clark et al. proposed a behavior monitoring system, WattsUpDoc, which uses supervised learning to classify normal and abnormal power consumption in the replacement of a pre-constructed power consumption model and detect anomaly behavior in healthcare devices (clark2013wattsupdoc, ). The key idea is to high sampling rate in power consumption tracing and high-accuracy power measurement to detect malware in the healthcare devices. However, WattsUpDoc raises false alarms in case of an inconsistent base set of known-behavior. Also, achieving high accuracy power measurement in resource-constrained medical devices is difficult, which results in a low accuracy rate in detecting malware.

Battery-constraint mitigation: As healthcare devices are resource-constraint devices, battery depletion/drainage attacks can cause severe obstruction in the normal operation of the devices. However, a defense mechanism against the battery drainage attack needs to be power-efficient, or else the defense mechanism itself may consume more power than the attack. Researchers proposed zero-power defenses for ICDs where RF energy harvested from external sources are used for notification, authentication, and key exchange (halperin2008pacemakers, ). Also, BAN protocols can be used to mitigate this problem. For instance, the IEEE 802.15.6 BAN standard allows a node and hub to negotiate their communication intervals by encoding them in authenticated messages. Accordingly, the node will not wake up without any messages that are outside of negotiated time intervals to save power in the devices (kwak2010overview, ). Tiri et al. proposed novel logic styles with data-independent power consumption as circuit-level solutions against battery drainage attacks to reduce the dependence of power dissipation on input patterns (tiri2002dynamic, ; tiri2004charge, ). In recent work, Siddiqi et al. proposed an adaptive zero-power defense solution using a radio frequency power transfer mechanism based on energy harvesting against battery-depletion attacks (siddiqi2019towards, ).

Shielding and filtering: Shielding and filtering are commonly used to defend against EMI attacks. Kune et al. showed that covering the exterior of a healthcare device with a conducting surface can force the attacker to transmit $10^{4}$ times more powerful signal to have the same effect in an EMI attack, which can be differentiated from legitimate signals easily (kune2013ghost, ). Faraday cage is another countermeasure to block EM radiation and to reduce the EM radiation signature (quisquater2001electromagnetic, ). However, it is hard to defeat electromagnetic analysis, except if the circuit and its countermeasures overlapped.

Masking: Masking is a technique of hiding original data with modified content. Intermediate values of a cryptographic computation are randomized by masking, which avoids dependencies between these values and the power consumption applied in algorithmic level. Moreover, it does not rely on the power consumption characteristics of the medical device. Researchers proposed a key masking method as a software solution against DPA attacks (hasan2001power, ). Although this method attempts to randomize the secret key before each execution of the scalar multiplication, power overhead is a concern here for healthcare devices. A band-pass filter (ratanpal2004chip, ) or a current-flattening circuit (muresan2008protection, ) can be added to the cryptosystem to suppress information leakage through the current supply pin. An internally generated random mask based on ring oscillators was proposed in (liu2010low, ) to change the power consumption dynamically.

Hardware trojan triggering and PUF: This type of HT detection depends on testing the design after the chip fabrication. Wu et al. proposed Golden Die Method to detect HTs with significant footprints differentiated from the base standard (wu2016tpad, ). However, cleverly inserted HTs may not be easily triggered by this approach as the testing mechanism may not know the presence of HT and its location in the chip. Francq et al. presented a functional verification method that depends on checking the functionality of the hardware by monitoring the output and checking for expected behavior (francq2015introduction, ). Compare to the aforementioned methods, the PUF method is useful for healthcare applications as it derives a secret from the physical characteristics of the IC instead of storing secrets in digital memory (herder2014physical, ).

Physical separation: This is a hardware-centric design solution where security applications run on separate hardware from the device’s main architecture. The trusted platform module (TPM) is proposed as a physical separation method where the cryptographic keys for a specific host computer are stored in a separate module to use in IWMDs. As separate module introduces overhead, a software-based TPM can be used to increase the effectiveness in healthcare devices (aaraj2008analysis, ). Sorber et al. proposed Plug-n-Trust, which is a MicroSD card that provides a trusted computing platform on a smartphone (sorber2012plug, ). Plug-n-Trust encrypts all the medical data transmitted from the devices and can only be decrypted in the card for further analysis in verified API. However, it does not hide data processing, which may reveal the patient’s information and can be vulnerable to DoS attacks.

Online HT detection method: Online HT detection method refers to identify HTs at run-time. Wehbe et al. proposed an online method to identify HTs by checking underlying hardware functionality at run-time (wehbe2018securing, ). Here, researchers divided the whole architecture in two-chip, generating signatures deep in the hardware and later checked it during data processing and transmission. This technique relies on the digital logic modules that minimally impacts the performance of the system.

Secure execution environment: A secure execution environment is a safe execution space for executing the code that ensures security to the code and loaded data. For ensuring the safety of healthcare applications, one needs to run these applications on a secure execution environment to protect from a compromised OS. In this sense, secure virtual machines (VM) can be a viable solution that provides a network interface, storage, and execution environment. The main advantage of using a secure VM is that only security-critical healthcare applications will be running on the VM, making them isolated from other applications that may be compromised. However, the management environment can still be a compromised OS (li2010secure, ).

Static analysis: Although a secure execution environment can protect healthcare applications from a compromised system, it can not defend them if the healthcare application itself is a malware. Static analysis techniques can be used to characterize the execution behavior of a program and find program flaws by analyzing the source code. By using symbolic execution techniques to explore the execution paths of the software, static analysis detects potentially fatal errors that may not be easily detected through conventional testing methods. Jetley et al. proposed CodeSonar, a static analysis tool to automatically detect buffer overrun, initialized variables and null pointer dereference in the healthcare apps (jetley2008static, ). However, static analysis depends on the availability of the source code, which is not openly available for healthcare applications.

Run-time analysis: Run-time analysis can be used to detect unintended behavior of a healthcare app at run-time. Aaraj et al. proposed a dynamic binary instrumentation-based (DBI) malware detection framework that observes the execution of unknown programs, models safe/unsafe behavior with respect to specified security policies, and ensures that the program does not deviate from safe behavior (aaraj2008dynamic, ). This framework uses two virtual execution environments, testing and real environment. In the testing environment, DBI collects specific information in the form of execution traces to construct a hybrid model for representing dynamic control and data invariants. This hybrid model along with a behavioral model generated from security polices is used to define the malware behavior in DBI framework. In the test environment, a program is analyzed based on the generated model in test environment to detect malicious behavior of a program in healthcare devices. An unknown program is only moved into the real environment to monitor its execution if the behavior pattern is matched with the allowed model generated in test environment.

Formal verification: Formal verification methods are proposed in several prior works to develop reliable medical device systems (li2013improving, ; cordeiro2009semiformal, ; jetley2006formal, ). Formal methods are well-formed statements in mathematical logic, and formal verification provides strict deduction of that logic. As a result, the entire state space of a system can be examined to establish a security property for all possible input. Formal verification can be used to verify whether medical devices are free from vulnerabilities or not. An example of a formal verification approach is described in (li2013improving, ), where medical device software is the first subject to the source transformation to address the semantic gaps. Properties based on the functional specification of the medical device are expressed in input/output sequences and then translated into a verifiable property to make it acceptable for the medical device software. After that, a model checker is used to feed transformed code, and valid assertions, which verifies the code against the statements and reports whether the code is acceptable or an anomaly is detected. Current software verification tools are written in a high-level programming language, which is not suitable for platform-specific and low-level programs of medical devices. Researchers proposed a semiformal verification approach that was a combination of dynamic and static verification to cover the state space exhaustively (cordeiro2009semiformal, ). A pre and post-market analysis were carried out based on formal verification techniques to support the process of reviewing healthcare software in (jetley2006formal, ).

Biometrics: Biometric properties such as fingerprint, EEG, heart rate, blood glucose, etc. can be used to authenticate a healthcare device and establish trust between two communicating devices worn in the same body (hu2013opfka, ; venkatasubramanian2010pska, ; chang2012body, ; rostami2013heart, ; jurik2011securing, ; cherukuri2003biosec, ; chizari2019extracting, ; belkhouja2019biometric, ). Poon et al. presented an ECG signal based trust management system, which asserts that the time between heartbeats or interpulse interval (IPI) can create a high level of randomness and can be used to generate a secret key for communication (poon2006novel, ). Cai et al. proposed a user-specific supervised learning model to detect temporal and morphological alterations of ECG measurements using arterial blood pressure (ABP) signal (cai2019data, ; cai2016detecting, ). As ECG and ABP signals both measure the cardiac process, different physiological signals generated by the same underlying physiological process are inherently correlated. Any unilateral change in the ECG signal without a corresponding change in the ABP signal can be detected by the proposed model. A wearable sensor is used in (cornelius2012wears, ) to authenticate users passively with high accuracy (¿90%) by measuring their bio-impedance to alternating current of different frequencies. However, specific physiological signals within the human body can be incorrect, which may affect both the security and privacy of healthcare devices.

Out-of-Band (OOB) authentication: An auxiliary channel or out-of-band (OOB) communication uses audio, visual, or haptic channels for authentication that are outside the established data communication channel (denning2010patients, ; li2013secure, ; schechter2010security, ; goodrich2006loud, ). Halperin et al. proposed a low-frequency audio channel that enables medical devices (e.g., implantable medical devices) to use a zero-power radio-frequency identification (RFID) for generating and transmitting a key over the audio channel. Denning et al. proposed visual OOB authentication (e.g., ultra-violet or visible tattoos) to record permanent IMD keys, where the keys are only visible under UV (black) lights (denning2010patients, ). Though this mechanism is suitable for the emergency situation, it will be a problem for key revocation and usability. Also, Li et al. (li2013secure, ) proposed a mechanism where the users are required to inspect simultaneous LED blinking visually to achieve authentication in BANs. However, this is not appropriate for emergency situations if the patient is unconscious, which makes its application limited.

Close-range communication: To prevent unauthorized access, restricting the communication range is an intuitive way to avoid radio attacks. If a healthcare system uses close-range communication, the attacker has to come within the range to perform radio attacks which increases the chance of detecting the attack/attacker. There are several close-ranged communication (e.g., near-field communication, RFID-based channel, near-field identification, etc.) proposed in prior works to secure the communication in a healthcare system (israel2001pacemaker, ; freudenthal2007suitability, ). One recent close-ranged communication for securing healthcare devices is body-coupled communication (BCC) proposed in (baldus2009human, ). BCC uses the human body as a signal propagation medium, which utilizes two different mechanisms: the transmission line approach and the capacitive approach. The transmission line approach uses the human body as a transmission line where electrodes are directly attached to the human body for directly transmitting the electrical signals. The capacitive approach uses the human body as a floating conductor, whose electric potential is changed with the electric field generated by the transmitter. However, the idea of using BCC is not ideal as physiological signals can be read during physical contact like handshake (bagade2013protect, ). An alternative solution of short-range communication can be distance bounding communication between the medical device and external devices. Here, access to external devices is granted if the devices are within a safe range. The distance can be measured in various ways, including limiting the response time to a verification request, Ultrasonic waves, received signal strength indicator, etc. (cremers2012distance, ; rasmussen2009proximity, ; shi2013bana, ).

External devices: For enhancing the security of existing medical devices, a significant modification is required in hardware and software, which may lead to unintended changes in their behavior. To address this problem, recent studies suggest using external devices to ensure communication medium-security without any modification to the existing healthcare devices. An external device can be used as an authentication module to verify service requests from the external user, which can save the battery life of the main healthcare devices. Denning et al. proposed Cloaker , a wearable device to block access requests from all external programmers at run-time (denning2008absence, ). Cloaker allows access to only preauthorized programmers in the normal mode while any programmer, even unauthorized one, can access the device in the emergency mode.

Encryption: For transmitting sensitive data, especially over a wireless channel, encryption is a fundamental technique to secure the communication channel. Although there are many encryption techniques to follow, high energy consumption and implementation costs of encryption are big issues for resource-constraint medical devices (hosseini2011lightweight, ; rostami2013balancing, ). As symmetric encryption mechanism usually consume less power than asymmetric encryption mechanism, it is more practical to use then for the resource-constrained platforms like medical devices (potlapally2003analyzing, ). In this domain, PRESENT and KATAN, two lightweight hardware-oriented block ciphers (bogdanov2007present, ; de2009katan, ) were developed with 64-bit block size and 80-bit key. Additionally, a low power block-cipher based security protocol was proposed in (beck2011block, ), which offers two operational modes: stream and session mode. For short message transmission, the stream mode utilizes output feedback (OFB) to obtain a scalable stream cipher that enables strict duty cycling for energy. The session mode utilizes the CBC and a challenge-response scheme to provide advanced security to health data.

Machine learning-based approaches: Machine learning (ML) is a data analytic technique that provides healthcare systems the ability to learn from data and perform specific tasks such as anomaly detection, behavior analysis, etc. from experience without being explicitly programmed. ML algorithms have been explored widely by the research community to detect attacks on healthcare systems (rathore2020deep, ; sikder2019patent, ). Saeedi et al. demonstrated how a decision tree algorithm can be used to detect malicious attacks in healthcare devices (saeedi2019machine, ). Here, authors used the normal behavior of healthcare devices as ground truth, and any deviation from the normal behavior was identified as an attack. Vhaduri et al. used several physiological and behavioral parameters such as calorie burn, average step counts, minute heart rate as features of support vector machine (SVM) to detect unauthorized access to a healthcare device, and its captured data (vhaduri2017wearable, ). In a recent work, Newaz et al. proposed HealthGuard, a novel ML-based security framework to detect malicious activities in a connected healthcare system (newaz2019healthguard, ). HealthGuard collects the vital signs of different healthcare devices and uses several ML algorithms to correlate the changes in body functions of the patient to distinguish benign and malicious activities. Although ML algorithms can identify anomalous behavior in a healthcare system, implementing an ML-based solution on medical devices can consume more energy, which is an issue for these resource-constrained devices.

Blockchain-based approaches: A blockchain is a distributed system that maintains a continuously growing list of data records and keeps these records safe from tampering. Blockchain-based security frameworks are widely used by researchers to protect healthcare data from unauthorized entities. Chen et al. proposed a blockchain-based storage scheme for medical data to ensure safe data storage and sharing (chen2019blockchain, ). Researchers also introduced a service framework for sharing medical records to describe the process of personal medical data management in some applications. A novel hybrid approach introduced in (dwivedi2019decentralized, ) that combines several cryptographic primitives (e.g., private key, public key, blockchain, etc.) to develop a patient-centric access control for electronic medical records. Srivastava et al. introduced a reliable data communication between the network and storage with more advanced and lightweight cryptographic techniques like the ARX encryption scheme (srivastava2019light, ). They introduced the concept of Ring Signatures in the communication, which provides important privacy properties like Signers Anonymity and Signature Correctness. The same group of researchers introduced GHOSTDAG, a novel and unique blockchain protocol for remote patient monitoring, which uses a directed acyclic graph instead of classic long singular blockchains (srivastava2019data, ). Researchers utilized the idea of smart contract programs from blockchain to monitor the health data of the patients. However, the ownership of the current medical data is still an issue, and currently, there are no rules for using blockchain in the health insurance portability and accountability act.

Access control mechanisms: Access control mechanisms prevent unauthorized access to healthcare devices. Researchers proposed several types of access control for healthcare systems, including proximity-based, identity-based, role-based, attribute-based, and risk-based access control (sun2011hcpp, ; sikder2019multi, ). Lin et al. proposed an identity-based access control to protect private health data in a cloud-assisted health monitoring system (lin2013cam, ). In the role-based access control scheme, the service requester’s role determines whether the access will be granted or denied. Li et al. proposed to give access rights to healthcare providers based on their roles in the wireless BAN (li2010data, ). The attribute-based access control is an extension of identity-based access control where decisions are made based on a set of attributes (e.g., specialty, license validity, etc.). Attribute-based access policy has been employed in many research works to control access to medical data, BAN, cloud system (li2012scalable, ; guan2015achieving, ). The risk-based access control brings real-time, risk-aware decision-making capability in the access control mechanism. The anomaly detection-based access control schemes, fall into this category that constantly monitors any abnormal behavior in accessing a healthcare device (hei2010defending, ), (zhang2013medmon, ). Proximity-based access control is based on the distance between the programmer and the device (halperin2008pacemakers, ; li2011hijacking, ). Here, programmer can generate the same key to decrypt the communication only if it is near the patient. Fu et al. (fu2019poks, ) presented a physical obfuscated key (POK)-based IMD access control mechanism where researchers leveraged IC cards of POKs for secure credential storage. They had designed a lightweight access control protocol with minimal computation and communication overhead on IMDs.