Research team aims to enhance security of medical devices

A team of Virginia Commonwealth University researchers has received support from the National Science Foundation for a project that aims to increase the security of internet-connected medical devices.

Tamer Nadeem, Ph.D. and Irfan Ahmed, Ph.D.
Tamer Nadeem, Ph.D. and Irfan Ahmed, Ph.D.

A team of Virginia Commonwealth University researchers has received support from the National Science Foundation for a project that aims to increase the security of internet-connected medical devices.

Tamer Nadeem, Ph.D., the principal investigator of the VCU-based MedKnights project, explained that the project’s focus is on the Internet of Medical Things (IoMT). Nadeem and co-PI Irfan Ahmed, Ph.D., both associate professors in the VCU College of Engineering Department of Computer Science, recently received $600,000 from the NSF’s Office of Advanced Cyberinfrastructure to put together a framework to improve IoMT security. 

IoMT devices are used in a range of diagnostic, monitoring and therapeutic applications. IoMT includes patient monitors, ventilators, MRI machines — even “smart beds.” Ahmed cited the internet-connected insulin pump is a good example of an IoMT device. Internet connectivity allows for both monitoring and adjusting the dosage remotely — functions that require a high degree of security for patient privacy as well as safety.

All IoMT devices are potentially vulnerable to ransomware, denial of service and other malicious hacker attacks. Nadeem points out that IoMT devices have a higher security requirement than traditional IoT devices such as smart doorbells and smart thermostats in homes.

“The most important thing in the medical domain is privacy,” Nadeem said. “For IoT devices in your home, you wouldn’t care that much about privacy, but for medical devices, it is an essential thing. You wouldn’t want anyone to know what your health conditions are, or what problems you might have had.”

The work of the MedKnights group is important, as the IoMT domain is expanding; there is growth in terms of types of devices, number of patients using them and number of IoMT vendors. Nadeem added that the COVID pandemic and accompanying quarantine and stay-home orders increased the focus of medical-technology providers on the possibilities of IoMT.

“Talking to some of the medical-device providers, I’ve learned that they are considering a line of products where they can remotely monitor patients on those devices, and they also can configure those devices remotely,” Nadeem said. 

Security is a large concern for the new generation of devices, because the current IoMT devices have been hit hard by hackers, he said. Security is an issue that extends from the individual patient to the institution.

“Statistics show there are a lot of ransom attacks being done on the health sectors during the pandemic,” Nadeem said. “That motivated us.”

The MedKnights team’s preparation for taking on the dragon of malicious IoMT attacks includes building a “test bed,” an isolated hardware/software assembly that Nadeem says will mimic the internet-enabled hospital setting.

“In the hospital environment, there’s set of rooms. Each room has a lot of medical devices; they could be wired, or they could be wireless devices,” he said. “But there is no way that we can do what we want to do in a hospital.”

The test bed will incorporate IoMT datasets based on typical device behavior, traffic and known malicious attacks. Nadeem explained that MedKnights will explore vulnerabilities of various IoMT hardware and software by subjecting the elements of the IoMT test bed to a range of attacks. 

“We will try to see in real time how efficient our technologies to monitor or detect these attacks, then try to intervene if we notice any change in the activities on the network,” he said. “Now, if the attacks manage to get into the device, we would like to also to start to see whether we can monitor these devices and observe abnormality or any misbehavior.”

Nadeem said the next step is to isolate the source of fishy activity in the test bed network and begin to reverse-engineer the malware. He explained the group will work on understanding the question by looking for the “hole” that created the vulnerability.

Ahmed said the MedKnights will bring undergraduates into the project through DURI, the Dean’s Undergraduate Research Initiative at the VCU College of Engineering. High school students will have an opportunity to join the team through a similar program known as the Dean’s Early Research Initiative, or DERI. DURI and DERI are just two ways of getting younger scientists and engineers involved in actual research.

“For the last couple of years, I’ve been contacted by local high schools to host a couple of their students during the summer,” Nadeem added. “The students were really excited about it. We came up with some nice ideas about how to extend that work to their classrooms. As we continue this project, we will reach out to the schools, because we would love having a couple of their students involved.”