Intelligent Automation & Soft Computing
Device Security Assessment of Internet of Healthcare Things
1Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah-21589, Saudi Arabia
2Department of Information Technology, Babasaheb Bhimrao Ambedkar University, Lucknow-226025, Uttar Pradesh, India
3Department of Computer Application, Shri Ramswaroop Memorial University, Barabanki 225003, Uttar Pradesh, India
*Corresponding Author: Rajeev Kumar. Email: firstname.lastname@example.org
Received: 06 November 2020; Accepted: 14 December 2020
Abstract: Security of the Internet of Healthcare Things (IoHT) devices plays a vital role in e-healthcare today, and there has been a rapid increase in the use of networked IoHT devices in present healthcare services. However, these networked devices are also highly vulnerable to attackers who constantly target the security of devices and their components to gain access to the patients’ data. Infringement of patients’ data is not only a violation of privacy but can also jeopardize patients’ health if the health records are tampered with. Once the device has been intruded upon, attackers can not only change the records of the patients but also block and switch off the device. Decidedly, the security of IoHT devices is at a huge risk, and the devices need to be designed, manufactured and networked with more secure mechanisms. In this context, the present study employs a new methodology to assess the privacy and security of the IoHT devices. The study analyses the security defects of the medical devices by enlisting the opinions of hacking experts. Based on the collated list of defects cited by the experts, the authors have designed a list of criteria and represented the defects in a hierarchical format for assessing the security defects in the devices. Thereafter, the Technique for Order Preference by Similarity to Ideal Solution (TOPSIS) method has been used for ranking the security of IoHT devices, based on their security features. The findings of the study reiterate that the proposed mechanism would be an efficacious approach for evaluating the security of the medical devices.
Keywords: Healthcare device; TOPSIS method; security and privacy; IoHT
1 Introduction
The healthcare industry started using computers in the last few decades, bringing in a phenomenal change. Imaging based security of IoHT devices has revolutionized the treatment procedures by providing novel capabilities like the early diagnosis of diseases that enables prompt and efficacious treatment. In this context, the computational capabilities of IoHT devices are being given greater focus and have emerged as the domain for new development in the healthcare industry [1,2]. However, the computational capabilities of IoHT devices are two sides of the same coin. On one side, the computational capabilities of devices provide better treatment and diagnosis of diseases in the early stages; on the other side, they render the devices vulnerable to intrusions [3–6]. The medical industry is very different from other industries, and the development process of a medical device is also singularly different from any other device’s life cycle in design, implementation and application [7–12]. The World Health Organization (WHO) defines a medical device as, “a machine, apparatus, and embedded system which is used for the monitoring, treatment, and diagnosis of the sickness of the patients” [13–16]. Security features of IoHT devices are differentiated according to their working and properties, which are software based, hardware based and software-hardware based [17–21].
Networked devices provide a wide range of technologies that aid in monitoring, and diagnosing the ailments of patients. Since the IoHT devices are network connected, the devices become prone to network related threats. Security of IoHT devices is an essential part of the healthcare organizations. Failure of the medical devices can stop the operations of the hospitals, thereby affecting the patients as well as the healthcare service providers. Implantable devices play an important role in treating and monitoring the patients’ health [22–25].
Attackers usually invade the security of IoHT devices through malware. Malware is used for data tampering and modification of healthcare data, and it can be harmful for healthcare and medical devices. The graph in Fig. 1 illustrates the malware discovered year-wise, based on the publicly available data of AV-TEST.
AV-TEST files 3.5 lakh new malware programs daily. Given the upsurge in the numbers and kinds of cyber threats that are evolving day-by-day, as cited by the figures mapped below, the manufacturers and vendors of IoHT devices must revise security mechanisms to engineer foolproof devices.
The healthcare industry is considered to be the most prized target of hackers because of the availability of numerous vulnerabilities that are easy targets. A recent study done in this context cites that nearly 10 to 15 networked IoHT devices can be present in a single bed hospital. Software security is a common issue in the development of software. Software is one of the most essential pillars of a medical device, as the entire computing functioning of the device is controlled by the software.
If software vulnerabilities remain in the IoHT devices, then cyber attackers can easily invade the systems, thus hampering the devices’ efficacy and use. Nearly 1,527,311 breaches occurred due to the software vulnerability of IoHT in the last decade.
Thus the present study undertakes a thorough perusal of the privacy and security features of the IoHT devices and, thereafter, proposes a methodology for evaluating the security of IoHT devices in an accurate and a conclusive manner. To achieve this intent, the study has been segregated in the following parts:
• Section 2 discusses the previous research initiatives in the context of the security of IoHT devices.
• In Section 3, the authors have designed the hierarchy system for evaluating the security of the medical devices with a set of chosen criteria and alternatives.
• In Sections 4 and 5, we have discussed the methodology and the statistical findings, respectively.
• The conclusion of the article has been detailed in Section 6.
2 Past Research Initiatives
Although an extensive reference was drawn for attempting the present research analysis, this section only discusses the security perspectives of IoHT devices, which were particularly useful for our study. The key pursuits are listed below:
McMahon et al. proposed a model which used the Shodan database (collection of IP addresses) for checking the vulnerabilities of networked devices. The database entries were passed to Nessus through Python to check the vulnerabilities that exist in the network. The study found that most of the devices were affected by Dropbear SSH server problems, PHP vulnerabilities and SSH weaknesses that allow bypassing the authentication.
Yaqoob et al. reviewed the vulnerabilities in the security of IoHT devices and the attacks on them. Jagannathan et al. designed a security framework for assessing the cyber security risk and conducting preliminary hazard analysis. The preliminary hazard analysis would help the vendors to customize the cybersecurity at the initial level.
Choudhri et al. discussed the security issues for mobile medical imaging. In this study, the authors discussed the security and privacy guidelines for protecting mobile medical imaging.
Pingchuan et al. undertook a quantitative analysis of the security of imaging medical devices. In this study, the authors used the Fuzzy Analytic Hierarchy Process (FAHP) for assessing the security of the devices and ranked the devices according to their security. Fuzzy-AHP has some limitations, like complex computations and rank reversal.
More specifically, to overcome these issues in our research pursuit, we have used the Fuzzy-TOPSIS methods. This methodology provides easy computation and addresses the rank reversal issues that might arise while ranking the alternatives.
3 Hierarchy System for Evaluating the Security of Medical Device
We have designed a multi-level hierarchy for the assessment of medical device’s security in Fig. 2. We opted for the TOPSIS techniques for assigning the ranking. The attributes taken for the ranking were identified and collated by referring to the established standards, and after consulting with the industry experts and academicians. After developing the list of criteria, we checked the medical devices’ security and assigned the ranks to the devices according to their security. The hierarchical model has been discussed below.
3.1 Confidentiality
Confidentiality of the medical device implies that only the genuine users can gain access to their data, because the medical information contains personal data of the patients and must not be breached.
3.2 Integrity
Integrity of the medical data should be maintained and there should be no change in the functioning of the device in case of any attack on the machine. In the context of healthcare data integrity, the data of the patients and the diagnosis report should not vary.
3.3 Availability
Availability of the medical device means that it should be available in any circumstances, and at any given time, for the processing of the patients’ images and data. In the context of healthcare, the data should be available when required, or at the time when the device goes off.
3.4 Access Control
Access control is also an authentication process for the authentic users. The authentication processes are used for the access control of the security of the IoHT device.
3.5 Authentication
The authentication process is done to protect the device from unauthorized access. In the authentication process, the users’ details are verified so as to permit the users to access the device.
3.6 Network Protection
Networked devices always suffer from man-in-the-middle attacks. For the safety of the medical device, the first thing to do is to make the network secure.
3.7 Physical Safeguard
All the vendors of the medical devices should develop physical safeguards for the IoHT devices’ security because these devices mostly suffer from brute-force attacks.
Confidentiality of the devices cannot be checked at the time of purchase. Hence, identity authentication is required at every level. But identity authentication cannot be applied on the doctors when the surgical devices are in use. All these factors also determine the security of IoHT devices.
4 Fuzzy TOPSIS Methodology
TOPSIS is the most widely used methodology for solving real time problems. This method is a multi-criteria decision making process and is simple and easy to calculate. In this methodology, the selected alternatives are compared with each criterion for obtaining the weights. Thereafter, the weights are normalized and the geometric length among the alternatives is evaluated to determine the best rank among the criteria. Exact values are used for representing the experts’ opinions in the traditional TOPSIS format. Usually, the decision making models do not accept precise values, as is seen in many practical cases. Hence, the decision makers opt for approximate values instead of exact values.
The TOPSIS technique cannot resolve the ambiguities and uncertainties that arise due to variations in experts’ choices of attributes because they are not specific values. Hence, fuzzy set theory is applied in place of exact values to allow the experts options like partial ignorance, non-obtainable information and incomplete information in the decision making process. The Fuzzy-TOPSIS approach is constructed for finding solutions to challenges like rating and evidence [21,22]. In this form, the selected alternative that has the farthest geometric distance from the fuzzy negative ideal solution (FNIS), and is also the closest to the fuzzy positive ideal solution (FPIS), is ranked as the best alternative. TOPSIS assigns fuzzy numbers to the real-time fuzzy setting to reflect the relative importance of the criterion. The technique of Fuzzy-TOPSIS is as follows:
Step 1- In this step, membership values, in linguistic terms, are assigned to the chosen factors. Thereafter the weights for the factors are determined. Then, the ranks of the alternatives are established as per their weights.
Step 2- Draw the fuzzy decision matrix.
The authors constructed the decision matrix which was based on the linguistic terms and the criteria (Eq. (1)-(3)). The matrix mxn was constructed wherein, m = alternatives and n = criteria.
In this matrix A1,….Am represent the alternatives, and C1,C2…Cn represent the criteria of the medical devices, and is the ranking of alternatives (Eq. (4)).
Thereafter, the weights of the criteria, w = weight with criteria values are calculated.
Step 3- This step is used for normalizing the fuzzy decision matrix; this is done by Eqs. (5) and (6).
For evaluating the security of the medical devices, we used the criteria max value by using the Eq. (5). Otherwise, the min value is determined by using Eq. (6).
Step 4- Weighted fuzzy decision matrix is calculated in this section. We obtained the weighted normalized fuzzy decision matrix by multiplying the fuzzy decision matrix with the weights. Fuzzy weighted matrix can be normalized with the Eqs. (7) and (8).
Step 5- The Fuzzy Positive-Ideal Solution (FPIS) and Fuzzy Negative-Ideal Solution (FNIS) are evaluated in this step, ranging from 0 to 1. TFN of FPIS, and FNIS is represented as (1,1,1) or (0,0,0). Eqs. (9) and (10) are used for calculating the values.
Step 6- Calculate the distance of each alternative from FPIS and FNIS. The distance () of each alternative from A+ and A- can be evaluated by Eqs. (11) and (12).
Step 7- Closeness coefficients are determined. Closeness Coefficients () is used to find the ranks of all the alternatives. Further, shows that alternative is closest to and farthest from .
The can be calculated by Eq. (13).
Step 8- Rank of the alternatives.
After the overall calculations, the ranks of the alternatives are obtained; the highest rank denotes the best alternative.
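Steps 2 to 8 as a runnable sketch, added here as an example and not taken from the authors' work. The normalization and vertex-distance formulas are the commonly used fuzzy TOPSIS forms, assumed rather than copied from the paper's Eqs. (1)-(13); the linguistic scale, weights, device ratings and the "exposed services" cost criterion are constructed.

```python
from math import sqrt

# Linguistic terms -> triangular fuzzy numbers (constructed scale, not the paper's Tab. 1)
SCALE = {"VL": (1, 1, 3), "L": (1, 3, 5), "M": (3, 5, 7), "H": (5, 7, 9), "VH": (7, 9, 9)}

def vertex_distance(m, n):
    """Vertex-method distance between two triangular fuzzy numbers."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(m, n)) / 3)

def normalize(matrix, benefit):
    """Step 3: scale every TFN into [0, 1], one criterion column at a time."""
    cols = list(zip(*matrix))
    out = []
    for row in matrix:
        new_row = []
        for j, (a, b, c) in enumerate(row):
            if benefit[j]:   # higher is better: divide by the column's largest upper bound
                top = max(t[2] for t in cols[j])
                new_row.append((a / top, b / top, c / top))
            else:            # lower is better: column's smallest lower bound over the TFN
                low = min(t[0] for t in cols[j])
                new_row.append((low / c, low / b, low / a))
        out.append(new_row)
    return out

def closeness(matrix, weights, benefit):
    """Steps 4-7: weight, measure distance to FPIS/FNIS, return closeness coefficients."""
    scores = []
    for row in normalize(matrix, benefit):
        v = [tuple(r * w for r, w in zip(tfn, wt)) for tfn, wt in zip(row, weights)]
        d_pos = sum(vertex_distance(t, (1, 1, 1)) for t in v)   # distance to FPIS
        d_neg = sum(vertex_distance(t, (0, 0, 0)) for t in v)   # distance to FNIS
        scores.append(d_neg / (d_pos + d_neg))
    return scores

def rank(names, scores):
    """Step 8: highest closeness coefficient first."""
    return [n for _, n in sorted(zip(scores, names), reverse=True)]

# Constructed ratings for three hypothetical devices on: confidentiality, authentication,
# network protection (benefit criteria) and exposed services (a cost criterion).
BENEFIT = [True, True, True, False]
WEIGHTS = [(0.7, 0.9, 1.0), (0.5, 0.7, 0.9), (0.5, 0.7, 0.9), (0.3, 0.5, 0.7)]
DEVICES = ["A1", "A2", "A3"]
RATINGS = [["M", "H", "M", "M"], ["VH", "H", "H", "L"], ["L", "M", "L", "H"]]
MATRIX = [[SCALE[t] for t in row] for row in RATINGS]

if __name__ == "__main__":
    cc = closeness(MATRIX, WEIGHTS, BENEFIT)
    print(rank(DEVICES, cc), [round(s, 3) for s in cc])
```

Because FPIS and FNIS are fixed at (1,1,1) and (0,0,0), a device that is rated at least as well on every criterion always receives the higher closeness coefficient.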
5 Numerical Assessment
Fuzzy TOPSIS technique has been proposed for the evaluation of the security of the medical devices in this section [23,24]. Linguistic terms and their respective membership functions are shown in Tab. 1 [16,17]. The framework can be explained as follows:
• Design the Fuzzy Decision Matrix
Linguistic terms are changed into the TFNs by using Tab. 1 and Eqs. (1)–(4). TFNs help in framing the fuzzy decision matrices, as shown in Tab. 2.
• Normalize the Aggregate Fuzzy Decision Matrix
After designing the decision matrix, we calculated the normalized matrix by the Eqs. (5) and (6); the results are shown in Tab. 3.
• Design the Weighted Normalized Decision Matrix
In this step, we evaluated the weighted fuzzy decision matrix after normalizing the decision matrix with the help of Eqs. (7) and (8). The weighted matrix is shown in Tab. 4.
• Evaluate the FPIS and FNIS
The ideal solution is the distance calculated by FPIS and FNIS with the help of Eqs. (9)–(13); the results are shown in Tab. 5 and Fig. 3.
We obtained the ranks of the alternatives after evaluating the closeness coefficients. The TOPSIS technique permits the experts to choose the most suitable alternative from a host of options/choices. This has been calculated by Eq. (13). The final output and the ranks of the alternatives are shown in Tab. 5 and Fig. 3. According to the results, the devices are ranked in the order: A4 > A5 > A6 > A1 > A2 > A3. According to the ranking order, the alternative A4 is nearest to the FPIS, and farthest from the FNIS.
6 Conclusion
Security of the IoHT devices is not only a critical, but also an elemental concern in e-healthcare. Medical devices take the data inputs, store, process, and transmit the data. In all these processes, the important thing is to ensure the security of the data. However, a systematic and quantitative assessment of the security of the IoHT devices is still a matter of extensive research. We opted for the TOPSIS method for conducting a quantitative assessment of the security of the medical devices. The first step in this process was to formulate a list of criteria and alternatives. Thereafter, we conducted the evaluations as discussed in the section on the framework of evaluation. In the ensuing step, the ranking of the devices was done to identify the most secure device. The lowest ranked device was the one with very poor security. Such a method affords a highly feasible and efficacious way to assess the security levels of IoHT devices. The proposed mechanism can be used by the government, manufacturers and vendors to strengthen the security of the networked medical devices.
Funding Statement: The authors have received no specific funding for this study. This pursuit is a part of their scholarly endeavours.
Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.