Identification of Threats Related to Glucose Meters
Abstract
With the COVID-19 pandemic, the advance of telemedicine has shown that technology is indispensable for the diagnosis, monitoring and remote treatment of patients in distant locations. Because these medical services rely on critical devices, a breach of the security of those devices can have extreme consequences, so possible breaches should be identified and avoided. Although the literature offers a variety of information about smart devices, the same is not true of glucose meters or of the safety assessment process for these devices. This article proposes a methodology for understanding the architecture and functionalities of glucose meters, the threats to which they are subject, and the vulnerabilities that malicious agents can exploit. The proposed model, which uses the STRIDE and attack tree methods, identifies threats linked to the meter, focusing on three types of threat: physical, network and software.
