Identificação de Ameaças relacionadas a Medidores de Glicose
Resumo
O avanço da telemedicina, devido ao cenário de pandemia do COVID-19, demonstra que o uso de tecnologias é indispensável para realização diagnósticos, monitoramento e tratamento remoto de pacientes em locais distantes. Por serem serviços médicos que incluem dispositivos críticos, uma possível violação de segurança desses dispositivos têm consequências extremas e devem, portanto, ser identificadas e evitadas. Apesar da literatura apresentar uma variedade de informações sobre alguns dispositivos inteligentes, o mesmo não ocorre com os medidores de glicose e o processo de avaliação de segurança dessa classe de dispositivos. Neste sentido, o presente trabalho propõe uma metodologia para conhecer a arquitetura e funcionalidades dos medidores de glicose e com essas informações compreender as ameaças às quais os medidores de glicose estão sujeitos e, consequentemente, as vulnerabilidades que podem ser exploradas por agentes maliciosos. O modelo proposto, com o uso dos métodos STRIDE e árvore de ataque, identifica as ameaças vinculadas ao medidor com foco em três tipos de ameaças: física, redes e software.
Referências
Burleson, W., Clark, S. S., Ransford, B., and Fu, K. (2012). Design challenges for secure implantable medical devices. In DAC Design Automation Conference 2012, pages 12–17.
Cagnazzo, M., Hertlein, M., Holz, T., and Pohlmann, N. (2018). Threat modeling for mobile health systems. In 2018 IEEE Wireless Communications and Networking Conference Workshops (WCNCW), pages 314–319.
Chowdhury, N. M. and Mackenzie, L. (2014). Development of a threat model for vehicular ad-hoc network based accident warning systems. In Proceedings of the 7th International Conference on Security of Information and Networks, SIN ’14, page 447–458, New York, NY, USA. Association for Computing Machinery.
Chunxiao Li, Raghunathan, A., and Jha, N. K. (2011). Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services, pages 150–156.
Deogun, D., Johnsson, D. B., and Sawano, D. (2019). Secure by Design. O’Reilly.
Instruments, T. (2014). Blood glucose monitor continuous blood glucose monitor sensor unit. [Online; accessed 23-July-2020].
Instruments, T. (2015). Microcontrollers in Blood Glucose Meters. Standard, Texas Instruments, United States of America, USA.
Integrated, M. (2010). Important Considerations for Insulin Pump and Portable Medical Designs. Standard, Maxim Integrated, United States of America, USA.
International Diabetes Federation (2020). Demographic and geographic outline. [Online; accessed 06-Abril-2020].
International Electrotechnical Commission (2006). Medical Device Software Software Life Cycle Processes. Standard, International Electrotechnical Commission, Switzerland, CH.
International Organization for Standardization (2013). In vitro diagnostic test systems — Requirements for blood-glucose monitoring systems for self-testing in managing diabetes mellitus. Standard, International Organization for Standardization, Switzerland, CH.
Laurence Goasduff (2020). Gartner says 5.8 billion enterprise and automotive iot endpoints will be in use in 2020. [Online; accessed 09-Abril-2020].
Matthew Field (2020). Wannacry cyber attack cost the nhs £92m as 19,000 appointments cancelled. [Online; accessed 07-Abril-2020].
Meier, J., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., and Murukan, A. (2003). Chapter 3 – threat modeling. [Online; accessed 21-July-2020].
Nexperia (2013). Glucose Meter Fundamentals and Design. Standard, Nexperia, Netherlands, NL.
Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley Publishing, 1st edition.
Sándor, H. and Sebestyén-Pál, G. (2017). Optimal security design in the Internet of Things. In 2017 5th International Symposium on Digital Forensic and Security (ISDFS), pages 1–6.
Technology, M. (2013). Glucose Meter Reference Design. Standard, Microchip Technology, United States of Americas, USA.
U.S. Food and Drug Administration (2014). Content of premarket submissions for management of cybersecurity in medical devices. Standard, U.S. Food and Drug Administration, United States of America, USA.
USFDA (2018). Evaluation of automatic class III designation for Dexcom G6 continuous glucose monitoring system. Standard, U.S. Food and Drug Administrationa, United States of America, USA.
Wang, P., Ali, A., and Kelly, W. (2015). Data security and threat modeling for smart city infrastructure. In 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC), pages 1–6.
Yaqoob, T., Abbas, H., and Atiquzzaman, M. (2019). Security vulnerabilities, attacks, counterIEEE Communications measures, and regulations of networked medical devices—a review. Surveys Tutorials, 21(4):3723–3768.
