The danger of missing instructions: A systematic analysis of security requirements for MCPS

Josephine Lamp, Carlos E. Rubio-Medrano, Ziming Zhao, Gail-Joon Ahn

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The proliferation of networked medical devices has resulted in the development of innovative Medical Cyber-Physical Systems (MCPS) that promise more coordinated and high quality of care for patients. Unsurprisingly, the cybersecurity of MCPS is of high concern, as they are life-critical systems that, if compromised, may result in dire consequences to the patient. A variety of security requirements have been developed over the past 10 years as a result of governmental acts such as HITECH in order to better secure and protect healthcare environments. However, it is unclear how applicable these requirements may be to MCPS infrastructures. As a result, this case study analyzes current healthcare security requirements and their applicability to MCPS using an approach that leverages ontological representations and automated requirement traversal techniques. Using such a methodology, we find that 70% of applicable requirements/risks for MCPS components are missing from the security documentation, including serious items such as Authentication, Data Encryption, DoS attacks, and Legacy Vulnerabilities. We also validate our results within real-world instances and find that almost half of the relevant requirements are not implemented within existing MCPS architectures.

Original language: English (US)
Title of host publication: Proceedings - 2018 IEEE/ACM International Conference on Connected Health
Subtitle of host publication: Applications, Systems and Engineering Technologies, CHASE 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 94-99
Number of pages: 6
ISBN (Electronic): 9781538672068
State: Published - Feb 21 2019
Event: 3rd IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies, CHASE 2018 - Washington, United States
Duration: Sep 26 2018 to Sep 28 2018

Publication series

Name: Proceedings - 2018 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies, CHASE 2018

Conference

Conference: 3rd IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies, CHASE 2018
Country: United States
City: Washington
Period: 9/26/18 to 9/28/18

Keywords

  • MCPS
  • Medical Cyber Physical Systems
  • Ontology
  • Requirements Analysis
  • Security Requirements

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Biomedical Engineering
  • Health (social science)
  • Communication
  • Software
  • Computer Science Applications
  • Health Informatics

Cite this

Lamp, J., Rubio-Medrano, C. E., Zhao, Z., & Ahn, G-J. (2019). The danger of missing instructions: A systematic analysis of security requirements for MCPS. In Proceedings - 2018 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies, CHASE 2018 (pp. 94-99). (Proceedings - 2018 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies, CHASE 2018). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1145/3278576.3278602
