Attacking and defence pathways for Intelligent Medical Diagnosis System (IMDS)

Ying He; Ruben Suxo Camacho; Hasan Soygazi; Cunjin Luo

doi:10.1016/j.ijmedinf.2021.104415

Attacking and defence pathways for Intelligent Medical Diagnosis System (IMDS)

Int J Med Inform. 2021 Apr:148:104415. doi: 10.1016/j.ijmedinf.2021.104415. Epub 2021 Feb 11.

Authors

Ying He¹, Ruben Suxo Camacho², Hasan Soygazi³, Cunjin Luo⁴

Affiliations

¹ School of Computer Science, University of Nottingham, Nottingham NG8 1BB, United Kingdom. Electronic address: ying.he@nottingham.ac.uk.
² School of Computer Science and Informatics, De Montfort University, Leicester LE1 9BH, United Kingdom. Electronic address: P2446462@my365.dmu.ac.uk.
³ School of Computer Science and Informatics, De Montfort University, Leicester LE1 9BH, United Kingdom. Electronic address: P17241568@alumni365.dmu.ac.uk.
⁴ School of Computer Science and Electronic Engineering, University of Essex, Colchester CO4 3SQ, United Kingdom; Key Lab of Medical Electrophysiology, Ministry of Education, Institute of Cardiovascular Research, Southwest Medical University, Luzhou 646000, China. Electronic address: cunjin.luo@essex.ac.uk.

PMID: 33601252
DOI: 10.1016/j.ijmedinf.2021.104415

Abstract

Background: The Intelligent Medical Diagnosis System (IMDS) has been targeted by the cyber attackers, who aim to damage the Healthcare Critical National Infrastructure (CNI). This research is motivated by the recent cyber attacks happened worldwide that have resulted in the compromise of medical diagnosis records. This study was conducted to demonstrate how the IMDS could be attacked and diagnosis records compromised (i.e. heart disease) and suggest a list of security defence strategies to prevent against such attacks.

Methods: This research developed an IMDS simulation platform by implementing the OpenEMR system. A Cardiac Diagnosis Component is then added to the IMDS. The IMDS is fed with the ECG data (retrieved from the PhysioNet/Computing in Cardiology Challenge 2017). This research then launched systematic ethical hacking, which was tailored to target IMDS diagnosis records. The systematic hacking was based on the NIST ethical hacking method and followed an attack pathway, starting from identifying the entry points of the medical websites, then propagating to gain access to the server, with the ultimate aim of modifying the heart disease diagnosis records.

Results: The hacking was successful. Four major vulnerabilities (i.e. broken authentication, broken access control, security misconfiguration and using components with known vulnerabilities) were identified in the simulated IMDS and the cardiac diagnosis records were compromised. This research then proposed a list of security defence strategies to prevent such attacks at each possible attacking points along the attacking pathway.

Conclusions: This research demonstrated a systematic ethical hacking to the IMDS, identified four major vulnerabilities and proposed the security defence pathways. It provided novel insights into the protection of IMDS and will benefit researchers in the community to conduct further research in security defence of IMDS.

Keywords: Cardiac diagnosis records; Cyber defence strategies; Ethical hacking; Intelligent Medical Diagnosis System (IMDS); OpenEMR system.

Publication types

Research Support, Non-U.S. Gov't

MeSH terms

Computer Security*
Humans