Security Analysis of Medical Devices within Wireless Body Area Networks and Mobile Health Applications

Yıl 2018, Cilt: 11 Sayı: 1, 1 - 8, 31.01.2018

Abdulkerim Demir , Emin İslam Tatlı

https://doi.org/10.17671/gazibtd.301668

Öz

Body Area Networks (BAN) consisting of medical devices that interact
with human body have been developed in accordance with technical developments
in healthcare area. Providing this, devices automatically measuring human blood
pressure or insulin value and feeding data into hospital management systems have
started being used in daily-life. These medical devices help to improve health status
of patients, however they are also subject to risks caused by unauthorized
intervention. In this study, medical devices used in Wireless Body Area
Networks (WBAN) and mobile health applications have been analyzed according to different
security requirements and aspects. Initially, all threats and risks faced by
remotely accessible medical devices in WBAN have been identified by applying WBAN
threat modeling. Security analysis and penetration testing of mobile health
applications running on smart devices have been conducted. In addition, secure
architecture principles for WBAN design have been specified in detail.

Anahtar Kelimeler

WBAN architecture, WBAN security analysis, mobile application penetration testing, health security

Vücut Alan Ağlarındaki Medikal Cihazların ve Mobil Sağlık Uygulamaların Güvenlik Analizleri

Öz

Sağlık
alanındaki teknolojik gelişmelerle birlikte insan vücudu ile etkileşimde
bulunan medikal cihazlardan oluşan Vücut Alan Ağları (BAN) geliştirildi. Bu
sayede örneğin insan kan basıncını ya da insülin değerini otomatik ölçen ve
hastane yönetim sistemlerine aktaran mobil cihazlar günlük hayatta kullanılmaya
başlandı. Bu medikal cihazlar bir yandan sağlık yönetimini iyileştirirken diğer
taraftan bunlara yapılacak izinsiz müdahale ile insan sağlığını riske
atabilmekte hatta ölümlere neden olabilmektedirler. Bu çalışmamızda Kablosuz
Vücut Alan Ağları (WBAN)’nda kullanılan medikal cihazların ve mobil sağlık
uygulamalarının güvenlik analizleri gerçekleştirildi. Öncelikle WBAN’ın tehdit
modellemesi yapılarak WBAN’da ki özellikle uzaktan erişilebilir medikal
cihazların karşı karşıya kaldıkları bütün tehditler ve riskler belirlendi. Akıllı
cihazlar üzerinde çalışan mobil sağlık uygulamaları için güvenlik analizleri ve
güvenlik sızma testleri gerçekleştirildi. Ayrıca, WBAN sistem tasarımı için
güvenli mimari prensipleri belirlendi.

Anahtar Kelimeler

WBAN mimari, WBAN güvenlik analizi, mobil uygulama sızma testi, sağlık güvenliği

Kaynakça

• H. F. Rashvand, V. T. Salcedo, E. M. Sanchez, D. Iliescu, “Ubiquitous Wireless Telemedicine”, Communications, IET, 2(2), pp.237-254, 2008.
• R. Bults, K. Wac, A. Van Halteren, D. Konstantas, V. Jones, I. Widya, “Body Area Networks for Ambulant Patient Monitoring Over Next Generation Public Wireless Networks”, 3rd IST Mobile and Wireless Communications Summit, Lyon, France, 27/30, 27-30 June, 2004.
• M. Li, W. Lou, K. Ren, “Data Security and Privacy in Wireless Body Area Networks”, IEEE Wireless Communications, ISSN 1536-1284, 17(1), pp.51-58, 2010, doi: 10.1109/MWC.2010.5416350.
• IEEE Standard for Local and metropolitan area networks - Part 15.6: Wireless Body Area Networks, IEEE Std 802.15.6-2012, pp.1-271, Feb. 29 2012, doi: 10.1109/IEEESTD.2012.6161600.
• Internet: Microsoft STRIDE Threat Model, https://msdn.microsoft.com/library/ms954176.aspx, 19.04.2016.
• Internet: D. Galpin, I. Lewis, Google I/O 2012 - Ten Things Game Developers Should Know, https://www.youtube.com/watch?v=WDDgoxvQsrQ, 13.12.2015.
• A. Demir, Vücut Alan Ağlarındaki Medikal Cihazların ve Mobil Sağlık Uygulamalarının Güvenlik Analizleri, Master Thesis, Istanbul Sehir University, Graduate School of Natural and Applied Sciences, 2016.
• C. s. Jang, D. G. Lee, J. w. Han, “A Proposal of Security Framework for Wireless Body Area Network”, Security Technology, International Conference on’08, Los Alamitos, CA, USA, pp. 202-205, December, 2008, doi: 10.1109/SecTech.2008.32.
• O. Garcia-Morchon, T. Falck, T. Heer, K. Wehrle, "Security for Pervasive Medical Sensor Networks," 2009 6th Annual International Mobile and Ubiquitous Systems: Networking & Services, MobiQuitous, Toronto, ON, pp. 1-10, July, 2009, doi: 10.4108/ICST.MOBIQUITOUS2009.6832.
• C. Li, A. Raghunathan and N. K. Jha, "Hijacking an Insulin Pump: Security Attacks and Defenses for a Diabetes Therapy System," 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services, Columbia, MO, pp. 150-156, June, 2011, doi: 10.1109/HEALTH.2011.6026732.
• W. Burleson, S. S. Clark, B. Ransford, K. Fu, "Design Challenges for Secure Implantable Medical Devices," DAC Design Automation Conference 2012, San Francisco, CA, pp. 12-17, June, 2012, doi: 10.1145/2228360.2228364.
• D. Halperin et al., "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," 2008 IEEE Symposium on Security and Privacy (sp 2008), Oakland, CA, pp. 129-142, May, 2008, doi: 10.1109/SP.2008.31.
• L. C. Silva et al., “A Baseline Patient Model to Support Testing of Medical Cyber-Physical Systems”, MedInfo, Studies in Health Technology and Informatics, vol:216, Editor: Indra Neil Sarkar et al., IOS Press, pp. 549-553, 2015, doi: 10.3233/978-1-61499-564-7-549.
• S. N. Ramli, R. Ahmad, M. F. Abdollah, E. Dutkiewicz, "A Biometric-based Security for Data Authentication in Wireless Body Area Network (WBAN)," 2013 15th International Conference on Advanced Communications Technology (ICACT), PyeongChang, pp. 998-1001, January, 2013.
• S. N. Ramli, R. Ahmad, M. F. Abdollah, "Electrocardiogram (ECG) Signals as Biometrics in Securing Wireless Body Area Network," 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013), London, pp. 536-541, December, 2016,doi: 10.1109/ICITST.2013.6750259