nach oben

Journal of Imaging Informatics in Medicine

Erschienen in:

17.02.2022 | Original Paper

A Cyber-Security Risk Assessment Methodology for Medical Imaging Devices: the Radiologists’ Perspective

verfasst von: Tom Mahler, Erez Shalom, Arnon Makori, Yuval Elovici, Yuval Shahar

Erschienen in: Journal of Imaging Informatics in Medicine | Ausgabe 3/2022

Einloggen, um Zugang zu erhalten

Abstract

Medical imaging devices (MIDs) are exposed to cyber-security threats. Currently, a comprehensive, efficient methodology dedicated to MID cyber-security risk assessment is lacking. We propose the Threat identification, ontology-based Likelihood, severity Decomposition, and Risk assessment (TLDR) methodology and demonstrate its feasibility and consistency with existing methodologies, while being more efficient, providing details regarding the severity components, and supporting organizational prioritization and customization. Using our methodology, the impact of 23 MIDs attacks (that were previously identified) was decomposed into six severity aspects. Four Radiology Medical Experts (RMEs) were asked to assess these six aspects for each attack. The TLDR methodology’s external consistency was demonstrated by calculating paired T-tests between TLDR severity assessments and those of existing methodologies (and between the respective overall risk assessments, using attack likelihood estimates by four healthcare cyber-security experts); the differences were insignificant, implying externally consistent risk assessment. The TLDR methodology’s internal consistency was evaluated by calculating the pairwise Spearman rank correlations between the severity assessments of different groups of two to four RMEs and each of their individual group members, showing that the correlations between the severity rankings, using the TLDR methodology, were significant (P < 0.05), demonstrating that the severity rankings were internally consistent for all groups of RMEs. Using existing methodologies, however, the internal correlations were insignificant for groups of less than four RMEs. Furthermore, compared to standard risk assessment techniques, the TLDR methodology is also sensitive to local radiologists’ preferences, supports a greater level of flexibility regarding risk prioritization, and produces more transparent risk assessments.

Nur mit Berechtigung zugänglich

S. Larson, “Massive Cyberattack Targeting 99 Countries Causes Sweeping Havoc,” CNN, 2017. Available: https://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/.

C. Czeschik, “Black Market Value of Patient Data,” in Digital Marketplaces Unleashed, Berlin, Heidelberg: Springer Berlin Heidelberg, Sep. 2018, pp. 883–893, ISBN: 9783662492758. https://doi.org/10.1007/978-3-662-49275-8_78. [Online]. Available: https://link.springer.com/chapter/10.1007/978-3-662-49275-8_78.

Food and Drug Administration, “Postmarket management of cybersecurity in medical devices,” 2016. Available: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices.

S. Fenz, J. Heurix, T. Neubauer, and F. Pechstein, “Current challenges in information security risk management,” Information Management & Computer Security, vol. 22, no. 5, pp. 410–430, Nov. 2014, ISSN: 0968–5227. https://doi.org/10.1108/IMCS-07-2013-0053. Available: https://www.emerald.com/insight/content/10.1108/IMCS-07-2013-0053/full/html.

National Institute of Standards and Technology (NIST), “Guide for conducting risk assessments,” National Institute of Standards and Technology, Gaithersburg, MD, Tech. Rep., 2012. https://doi.org/10.6028/NIST.SP.800-30r1. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.

BS ISO/IEC, “ISO/IEC 27005:2008, Information Technology – Security techniques – Information Security Risk Management,” vol. 3, 2008. Available: https://www.iso.org/obp/ui/#iso:std:iso-iec:27005:ed-2:v1:en.

C. J. Alberts, A. J. Dorofee, J. F. Stevens, and C. Woody, “Introduction to the OCTAVE Approach,” Tech. Rep., 2003. Available: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=51546.

B. Farquhar, “One approach to risk assessment,” Computers & Security, vol. 10, no. 1, pp. 21–23, Feb. 1991, ISSN: 01674048. 10. 1016/0167–4048(91)90051-E. Available: https://www.sciencedirect.com/science/article/pii/016740489190051E?via%3Dihub.

Z. Yazar, A Qualitative Risk Analysis and Management Tool – CRAMM, 2002. Available: https://www.sans.org/reading-room/whitepapers/auditing/qualitativerisk-analysis-management-tool-cramm-83.

10.

J. Freund and J. Jones, Measuring and managing information risk a FAIR approach. 2015, ISBN: 978–0–12–420231–3. https://doi.org/10.1016/C2013-0-09966-5.

11.

C. Harpes, A. A. Adelsbach, S. Zatti, and N. Peccia, “Quantitative Risk Assessment With ISAMM on ESA’s Operations Data System,” Proceedings of TTC, pp. 173–176, 2007.

12.

Stine, M. Rice, S. Dunlap, and J. Pecarina, “A cyber risk scoring system for medical devices,” International Journal of Critical Infrastructure Protection, Apr. 2017, ISSN: 18745482. https://doi.org/10.1016/j.ijcip.2017.04.001. Available: https://www.sciencedirect.com/science/article/pii/S187454821730063X.

13.

T. Yaqoob, H. Abbas, and N. Shafqat, “Integrated Security, Safety, and Privacy Risk Assessment Framework for Medical Devices,” IEEE Journal of Biomedical and Health Informatics, pp. 1–1, 2019, ISSN: 2168–2194. https://doi.org/10.1109/JBHI.2019.2952906. Available: https://ieeexplore.ieee.org/document/8896075/.

14.

T. Mahler, Y. Elovici, and Y. Shahar, "A new methodology for information security risk assessment for medical devices and its evaluation," arXiv:2002.06938 [cs.CR], Feb. 2020. Available: https://arxiv.org/abs/2002.06938.

15.

P. FitzGerald, J. Bennett, J. Carr, P. M. Edic, D. Entrikin, H. Gao, M. Iatrou, Y. Jin, B. Liu, G. Wang, J. Wang, Z. Yin, H. Yu, K. Zeng, and B. De Man, “Cardiac CT: A system architecture study,” Journal of X-Ray Science and Technology, vol. 24, no. 1, pp. 43– 65, Mar. 2016, ISSN: 08953996. https://doi.org/10.3233/XST-160537. Available:https://content.iospress.com/articles/journalof-x-ray-science-and-technology/xst537.

16.

Gede B. Suparta, Focusing Computed Tomography, 2000. Available: https://www.ndt.net/article/wcndt00/papers/idn143/idn143.htm.

17.

D. M. Higgins, ReviseMRI.com: System architecture, 2017. Available: https://web.archive.org/web/20170904143947/, https://www.revisemri.com/tools/system/.

18.

R. W. Brown, Y. C. N. Cheng, E. M. Haacke, M. R. Thompson, and R. Venkatesan, Magnetic Resonance Imaging: Physical Principles and Sequence Design, Second Edition, 2nd ed. Chichester, UK: John Wiley & Sons Ltd, Apr. 2014, p. 978, ISBN: 9781118633953. https://doi.org/10.1002/9781118633953. Available: https://onlinelibrary.wiley.com/doi/book/10.1002/9781118633953.

19.

D. W. McRobbie, E. A. Moore, and M. J. Graves, MRI from Picture to Proton. Cambridge: Cambridge University Press, 2017, p. 394, ISBN: 9781107706958. https://doi.org/10.1017/9781107706958. Available: https://www.cambridge.org/core/books/mri-from-picture-to-proton/83CFA27533607FC2F45EFC48C0FC628B.

20.

D. Elster and J. H. Burdette, Questions and Answers in Magnetic Resonance Imaging, 2nd ed. Mosby, Aug. 2001, ISBN: 0323011845.

21.

M. T. Vlaardingerbroek and J. A. Boer, Magnetic Resonance Imaging, Theory and Practice, 3rd ed. Berlin, Heidelberg: Springer-Verlag Berlin Heidelberg, Jul. 2003, ISBN: 978–3–662–05252–5. https://doi.org/10.1007/978-3-662-05252-5. Available: https://www.springer.com/gp/book/9783540436812.

22.

M. Kutz, Biomedical Engineering and Design Handbook, Volume 2. New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto: McGraw-Hill, 2009, ISBN: 9780071498395. Available: https://www.accessengineeringlibrary.com/browse/biomedical-engineering-anddesign-handbook-volume-2%20www.unhas.ac.id/tahir/BAHAN-KULIAH/BIO-MEDICAL/NEW/HANBOOK/25_Instrumentation_Design_For_Ultrasonic_Imaging.pdf.

23.

Texas Instruments, Ultrasound System Design Resources and Block Diagram. Available: https://www.ti.com/solution/ultrasound-scanner.

24.

tech3, Block Diagrams-Texas Instruments-Ultrasound System Design Resources and Block Diagram, 2009. Available: https://www.element14.com/community/docs/DOC-3573/l/block-diagrams-texas-instruments-ultrasound-system-designresources-and-block-diagram.

25.

T. Mahler, N. Nissim, E. Shalom, I. Goldenberg, G. Hassman, A. Makori, I. Kochav, Y. Elovici, and Y. Shahar, “Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices,” [cs.CR], Jan. 2018. Available: https://arxiv.org/abs/1801.05583.

26.

C. Skinner, “Los Angeles hospital paid hackers $17,000 ransom in bitcoins,” Aol., 2016. Available: https://www.aol.com/article/2016/02/18/los-angeles-hospital-paid-hackers-17-000-ransomin-bitcoins/21314819/.

27.

E. Strickland, “5 Major Hospital Hacks: Horror Stories from the Cybersecurity Frontlines,” IEEE Spectrum, 2016. Available: https://spectrum.ieee.org/the-human-os/biomedical/devices/5-majorhospital-hacks-horror-stories-from-the-cyber-security-frontlines.

28.

J. Wong, “Los Angeles hospital returns to faxes and paper charts after cyberattack,” The Guardian, 2016. Available: https://www.theguardian.com/us-news/2016/feb/16/los-angeles-hospital-cyberattack-ransomware-data-computers.

29.

R. Winton, “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” The Los Angeles Times, 2016. Available: https://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

30.

S. Becker, L. Jendele, O. Skopek, N. Berger, S. Ghafoor, M. Marcon, and E. Konukoglu, “Injecting and removing malignant features in mammography with CycleGAN: Investigation of an automated adversarial attack using neural networks,” arXiv, vol. 1811.07767, Nov. 2018. Available: https://arxiv.org/abs/1811.07767.

31.

Y. Mirsky, T. Mahler, I. Shelef, and Y. Elovici, “CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning,” in 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA: USENIX Association, 2019, pp. 461–478, ISBN: 978–1–939133–06–9. Available: https://www.usenix.org/conference/usenixsecurity19/presentation/mirsky.

32.

L. Ayala, Cybersecurity for Hospitals and Healthcare Facilities. Berkeley, CA, 2016, pp. 47–51, ISBN: 978–1–4842–2154–9. https://doi.org/10.1007/978-1-4842-2155-6. Available: https://link.springer.com/book/10.1007%2F978-1-4842-2155-6.

33.

Pan, B. Yang, S. LI, W. Kang, and W. Zhengbo, “Sonic Gun to Smart Devices: Your Devices Lose Control Under Ultrasound/ Sound,” in Black Hat USA, 2017. Available: https://www.blackhat.com/us-17/briefings/schedule/index.html#sonic-gun-to-smart-devices-your-devices-lose-control-under-ultrasoundsound-6184.

34.

T. Mahler, E. Shalom, Y. Elovici, Y. Shahar, “A Dual‐Layer Architecture for the Protection of Medical Devices from Anomalous Instructions,” In: M. Michalowski, R. Moskovitch (eds) Artificial Intelligence in Medicine. AIME 2020. Lecture Notes in Computer Science, vol 12299, 2020. Springer, Cham. https://doi.org/10.1007/978-3-030-59137-3_25.

35.

T. Mahler, E. Shalom, Y. Elovici, and Y. Shahar, “A dual‐layer context‐based architecture for the detection of anomalous instructions sent to medical devices,” Artificial Intelligence in Medicine, Volume 123, 102229, 2022, ISSN: 0933‐3657. https://doi.org/10.1016/j.artmed.2021.102229.

Titel: A Cyber-Security Risk Assessment Methodology for Medical Imaging Devices: the Radiologists’ Perspective
verfasst von: Tom Mahler
Erez Shalom
Arnon Makori
Yuval Elovici
Yuval Shahar
Publikationsdatum: 17.02.2022
Verlag: Springer International Publishing
Erschienen in: Journal of Imaging Informatics in Medicine / Ausgabe 3/2022
Print ISSN: 2948-2925
Elektronische ISSN: 2948-2933
DOI: https://doi.org/10.1007/s10278-021-00562-y

Radiological Structured Report Integrated with Quantitative Imaging Biomarkers and Qualitative Scoring Systems

Integration

Deep Learning-based Automated Aortic Area and Distensibility Assessment: the Multi-Ethnic Study of Atherosclerosis (MESA)

Aortic Aneurysm

“Snap on” or Not? A Validation on the Measurement Tool in a Virtual Reality Application

Optimizing a Deep Residual Neural Network with Genetic Algorithm for Acute Lymphoblastic Leukemia Classification

Original Paper

Gamification in Radiology Training Module Developed During the Society for Imaging Informatics in Medicine Annual Meeting Hackathon

COVID-19 CT Scan Lung Segmentation: How We Do It

Zur Zeit gratis
COVID-19

Neu im Fachgebiet Radiologie

Ringen um den richtigen Umgang mit Zufallsbefunden

24.04.2025
DGP 2025
Kongressbericht

Wenn 2026 in Deutschland das Lungenkrebsscreening mittels Low-Dose-Computertomografie (LDCT) eingeführt wird, wird es auch viele Zufallsbefunde ans Licht bringen. Das birgt Chancen und Risiken.

Bald 5% der Krebserkrankungen durch CT verursacht

23.04.2025
Computertomografie
Nachrichten

Die jährlich rund 93 Millionen CTs in den USA könnten künftig zu über 100.000 zusätzlichen Krebserkrankungen führen, geht aus einer Modellrechnung hervor. Damit würde eine von 20 Krebserkrankungen auf die ionisierende Strahlung bei CT-Untersuchungen zurückgehen.

Röntgen-Thorax oder LDCT fürs Lungenscreening nach HNSCC?

06.04.2025
Kopf-Hals-Tumoren
Nachrichten

Personen, die an einem Plattenepithelkarzinom im Kopf-Hals-Bereich erkrankt sind, haben ein erhöhtes Risiko für Metastasen oder zweite Primärmalignome der Lunge. Eine Studie hat untersucht, wie die radiologische Überwachung aussehen sollte.

Statine: Was der G-BA-Beschluss für Praxen bedeutet

06.04.2025
Praxis und Beruf
Nachrichten

Nach dem G-BA-Beschluss zur erweiterten Verordnungsfähigkeit von Lipidsenkern rechnet die DEGAM mit 200 bis 300 neuen Dauerpatienten pro Praxis. Im Interview erläutert Präsidiumsmitglied Erika Baum, wie Hausärztinnen und Hausärzte am besten vorgehen.

Update Radiologie

Bestellen Sie unseren Fach-Newsletter und bleiben Sie gut informiert.

Newsletter bestellen

Springer Medizin

A Cyber-Security Risk Assessment Methodology for Medical Imaging Devices: the Radiologists’ Perspective

Abstract

Weitere Artikel der Ausgabe 3/2022

Radiological Structured Report Integrated with Quantitative Imaging Biomarkers and Qualitative Scoring Systems

Deep Learning-based Automated Aortic Area and Distensibility Assessment: the Multi-Ethnic Study of Atherosclerosis (MESA)

“Snap on” or Not? A Validation on the Measurement Tool in a Virtual Reality Application

Optimizing a Deep Residual Neural Network with Genetic Algorithm for Acute Lymphoblastic Leukemia Classification

Gamification in Radiology Training Module Developed During the Society for Imaging Informatics in Medicine Annual Meeting Hackathon

COVID-19 CT Scan Lung Segmentation: How We Do It

Neu im Fachgebiet Radiologie

Ringen um den richtigen Umgang mit Zufallsbefunden

Bald 5% der Krebserkrankungen durch CT verursacht

Röntgen-Thorax oder LDCT fürs Lungenscreening nach HNSCC?

Statine: Was der G-BA-Beschluss für Praxen bedeutet

Update Radiologie

Springer Medizin

Abstract

Bitte loggen Sie sich ein, um Zugang zu diesem Inhalt zu erhalten