One Article Review

Source AlienVault Blog
Identifier 2651838
Publication date 2021-04-16 10:00:00 (viewed: 2021-04-16 10:05:36)
Title Considerations for performing IoMT Risk Assessments
Text

What are Internet of Medical Things (IoMT) products?
Internet of Medical Things (IoMT) products are medical applications and devices connected to healthcare information technology systems over a computer network, wired or wireless. IoMT devices rely heavily on biosensors, which detect an individual's tissue, respiratory and blood characteristics. Non-bio sensors measure other patient characteristics such as heart and muscle electrical activity, motion and body temperature.

IoMT product classifications
One first needs to understand what makes a device a medical device. In the U.S., the sale of medical devices is regulated by the Food and Drug Administration (FDA), which classifies medical devices as Class I, Class II or Class III according to the risk posed by the device. A risk assessment must therefore start from the device's risk class, its intended use and its indications for use.

IoMT layers and the threat-driven approach to security
Like IoT, IoMT has several layers: business, application, middleware, network and perception. The perception layer is tasked with transferring medical data acquired from sensors to the network layer. Medical things in the perception layer can be classified as wearable (muscle activity sensors, pressure and temperature sensors, smartwatches); implantable (implantable cardioverter defibrillators, ICDs); swallowable (camera capsules); ambient (vibration and motion sensors); and stationary devices (surgical devices, CT scanners).

IoMT devices are subject to attacks specific to their architecture or application, that is, layer-specific attacks. While an attacker can target any layer, the perception and network layers are the usual targets. Perception-layer attacks focus on the devices that acquire data from sensors; an attacker uses them to defeat the device administrator's ability to track a sensor and to detect that it has been cloned or otherwise tampered with. At the network layer, IoMT devices are exposed to denial of service (DoS), rogue access, man-in-the-middle (MITM), replay and eavesdropping attacks.

Common IoMT vulnerabilities arise from challenges encountered during device development, such as the lack of a threat-driven approach to security. A threat-driven approach models the relationship between the threats, the risk they pose to the asset, and the security controls that should govern them. Bluetooth Low Energy (BLE), for example, whose applications range from home entertainment to healthcare, carries threats such as decryption of network communication, replay attacks and man-in-the-middle attacks.

Primary considerations in performing IoMT risk assessments
Threat modeling is the tool best suited to addressing perception- and network-layer threats. Cybersecurity practitioners commonly use the STRIDE threat modeling technique to identify and analyze threats at both layers of an IoMT environment; it is well suited to answering the question "what can go wrong in the IoMT environment that could adversely affect patient safety?" STRIDE lets practitioners express each threat as the violation of a desirable property of the IoMT system. Desirable properties preserve privacy and data protection and contribute to the security of the IoMT asset. Desirable properties align with the STRIDE model as illustrated below:
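The following is an added example, not code from the AlienVault post, showing the STRIDE step the post describes in working form: a small IoMT data-flow model (a wearable ECG sensor, a BLE link to a phone gateway, a TLS link to a hospital server and its record store) is run through STRIDE-per-element, each resulting threat is tagged with the desirable property it violates, and the layer attacks the post names (sensor cloning and tampering, DoS, rogue access, MITM, replay, eavesdropping) are mapped onto STRIDE categories. The device, the topology and the attack-to-category mapping are assumptions made here for illustration; the category-to-property table is the standard STRIDE one.

```python
"""STRIDE-per-element threat enumeration for a small IoMT data-flow model.

Added example, not code from the AlienVault post. The data-flow model
(a wearable ECG sensor, a BLE link to a phone gateway, a TLS link to a
hospital server and its record store), the element types and the mapping
of the post's layer attacks onto STRIDE categories are assumptions made
here for illustration.
"""
from dataclasses import dataclass

# STRIDE category -> the desirable property whose violation it represents
# (the standard STRIDE table).
PROPERTY = {
    "Spoofing": "authenticity",
    "Tampering": "integrity",
    "Repudiation": "non-repudiation",
    "Information disclosure": "confidentiality",
    "Denial of service": "availability",
    "Elevation of privilege": "authorization",
}

# STRIDE-per-element rule set: which categories apply to which kind of
# element in a data-flow diagram.
PER_ELEMENT = {
    "external": ("Spoofing", "Repudiation"),
    "process": tuple(PROPERTY),
    "flow": ("Tampering", "Information disclosure", "Denial of service"),
    "store": ("Tampering", "Repudiation", "Information disclosure",
              "Denial of service"),
}

# Layer-specific attacks named in the post, mapped onto STRIDE categories.
# The mapping is an assumption; MITM in particular spans several categories.
ATTACK_CATEGORIES = {
    "sensor cloning": ("Spoofing",),
    "sensor tampering": ("Tampering",),
    "DoS": ("Denial of service",),
    "rogue access": ("Spoofing", "Elevation of privilege"),
    "man-in-the-middle": ("Spoofing", "Tampering", "Information disclosure"),
    "replay": ("Spoofing",),
    "eavesdropping": ("Information disclosure",),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # external | process | flow | store
    layer: str   # perception | network | application


@dataclass(frozen=True)
class Threat:
    element: str
    layer: str
    category: str
    violates: str  # the desirable property this threat violates


# Constructed IoMT data-flow model (hypothetical device and topology).
IOMT_MODEL = (
    Element("patient (wearer)", "external", "perception"),
    Element("ECG wearable sensor", "process", "perception"),
    Element("BLE link sensor->phone", "flow", "network"),
    Element("phone gateway app", "process", "network"),
    Element("TLS link phone->server", "flow", "network"),
    Element("hospital telemetry server", "process", "application"),
    Element("patient record store", "store", "application"),
)


def enumerate_threats(model):
    """Apply STRIDE-per-element to every element: one Threat per
    (element, applicable category), tagged with the property it violates."""
    return [
        Threat(el.name, el.layer, cat, PROPERTY[cat])
        for el in model
        for cat in PER_ELEMENT[el.kind]
    ]


def what_can_go_wrong(model, layers=("perception", "network")):
    """Restrict the enumeration to the layers the post says attackers focus on."""
    return [t for t in enumerate_threats(model) if t.layer in layers]


def classify_attacks(attacks):
    """Map each named layer attack to the STRIDE categories and properties it hits."""
    return {
        a: [(cat, PROPERTY[cat]) for cat in ATTACK_CATEGORIES[a]]
        for a in attacks
    }


def properties_at_risk(threats):
    """Per layer, the set of desirable properties that some threat violates."""
    at_risk = {}
    for t in threats:
        at_risk.setdefault(t.layer, set()).add(t.violates)
    return at_risk


if __name__ == "__main__":
    for t in what_can_go_wrong(IOMT_MODEL):
        print(f"{t.layer:11} {t.element:27} {t.category:23} violates {t.violates}")
    for attack, hits in classify_attacks(ATTACK_CATEGORIES).items():
        print(f"{attack:18} -> {hits}")
```

The per-element rules are what keep the output from being a flat checklist: a data flow such as the BLE link cannot itself be spoofed, so the enumeration yields tampering, disclosure and DoS for it, while the gateway process gets all six categories. Each row of the result is a candidate answer to "what can go wrong", and the severity for patient safety is then judged per row.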
Tags Tool Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.