1 Introduction

Cyber security vulnerabilities can exist in any computer, and it is easily forgotten that everything from our smartphones to an MRI scanner is essentially a computer. A malicious attack on a server can bring down a website; the same attack on a pacemaker has the potential to kill. The FDA (US Food and Drug Administration) recently recalled half a million pacemakers because of a security vulnerability in the devices that could have been fatal [31]. Implanted medical devices in particular have been steadily on the rise since the conception of medical technology, and so in turn has patients' dependency on them. Pacemakers, insulin pumps and even neural implants are commonplace in everyday life [10, 11]. An estimated 25,000 people in the UK have a pacemaker fitted every year [30], a figure that does not include those outside the UK or those fitted with other medical implants. It is set to rise further with the ease of access to advanced medicine in the UK and the longer lives that people are living thanks to advances in modern medicine [9].

Many of these implantable devices, and other types of medical equipment, have been shown time and again to have flaws in their security. With little sign of meaningful change to correct this concerning issue, it has become a hot topic in the news and media. In recent years medical device hacking has attracted increasing attention [26], yet no meaningful changes have been made to existing laws and legislation. The issue is a disconnect between the medical manufacturing industry and the field of cyber security; at first glance one could almost assume that these devices are being developed with only basic security principles in mind.

Malicious attackers are refining their tactics, techniques and procedures (TTPs) in order to breach organisations, leading to data theft, manipulation or blackmail, for instance. An article from Forbes (2019) claims that Electronic Health Records (EHRs) can be worth $1000 (£778) to hackers, which explains the steady increase in cyber-attacks on the medical sector. One of the most significant breaches affecting medical processes was the WannaCry ransomware attack on the National Health Service (NHS) in England [20], which caused 19,000 appointments to be cancelled and cost £92 million in investment to remediate and recover from the incident. In addition, DiGiacomo [11] reports that in January 2018 approximately 115 cyber-attacks were reported, of which the most damaging was on Health South-East RHF, a healthcare organisation that manages hospitals in Norway, with over 2.9 million users potentially affected by the breach [5].

Various governing bodies have discussed the idea that internet access should be a human right, providing all of humanity with information and tools that can be as helpful as they are dangerous. It has been proven on numerous occasions that a whole range of medical equipment can be hijacked by a third party, including X-ray systems, CT scanners and even blood refrigeration units [36]. Yet despite this knowledge there has been little advancement even towards the regulation of security within such devices, so attacks that worked in 2008 may still be viable in 2018. There are governing bodies that regulate the manufacturers of medical devices; however, there appears to be an oversight when it comes to regulations that enforce adequate security.

2 Value of Healthcare Data for Organised Crime

The article by Morgan [25] points out how data breaches in healthcare are increasing steadily, reaching 20,836,531 leaked records. Attackers are showing a high level of interest in this type of information held by healthcare services, as shown in the previous section, and furthermore the sale of health records on the black market is rising sharply.

Healthcare has become part of the Critical National Infrastructure (CNI) because of the sensitivity of the data held by these organisations. Furthermore, the fact that IoT has entered this sector, enhancing services and easing patients' lifestyles by connecting more devices to the internet, implies more associated risks in terms of cyber security.

The research by Ibarra et al. [13] claims that EHRs offer a significant wealth of information, attracting hackers to exploit and steal them. An EHR contains information such as:

  • Demographic information.

  • Full names, as they appear on personal IDs, driving licences and passports.

  • Address history.

  • Work history.

  • Names, ages and contact details of relatives, who may be parents, siblings, life partners or any representative the health provider contacts in case the patient faces an emergency.

  • Financial information, including bank details, credit/debit cards.

  • National Insurance Number (Social Security Number outside the UK).

  • Medical history, which contains sensitive information. It includes details of previous medical appointments along with details of the doctors and nurses involved. Moreover, it is likely to hold critical information such as allergy details, surgeries the patient has undergone, and results of diagnostic procedures such as X-rays and electromagnetic resonance. The appointments listed include diagnoses, prescriptions, treatments and dates of the next check-up, organised chronologically.

EHRs contain precise details of the victim's life. Once a health provider has suffered a security breach compromising patient records, the customers involved in the breach may be exposed to extortion and blackmail for a lifetime. Furthermore, if EHRs contain additional information such as cancer diagnoses, STDs or established psychological conditions (e.g., Asperger syndrome, autism, depression, alcoholism), the victim can be exposed to public embarrassment or political assassination depending on the goals of the attackers.

The research by Terry [33] claims that the development of electronic patient health record (E-PHR) systems, the use of personal health technologies and the Internet of Things (IoT) have caused policy-makers to highlight a major concern: the massive increase in IoT devices used by consumers, with data created and processed every second, and therefore the increase in cyber threats and attack vectors. He also points out that protecting healthcare data will be a great challenge in the future, owing to the lack of training and preparation for precision medicine and the use of robotics for sensitive procedures such as surgery. Hence the need to deploy reliable frameworks, methodologies and standardised technologies that allow organisations to protect their digital assets and respond effectively to any attempted security breach. In addition, the process model proposed here for forensic investigation would help businesses learn from their previous mistakes in order to harden their security posture. Nowadays cyber security is a vital component for businesses to remain competitive in the market, and it is paramount to adopt the latest technologies along with training and awareness methodologies before, during and after an incident. This would help investigators produce the top-level reports expected of them in order to track the origin and author of the unauthorised activities.

3 GDPR in Healthcare

It is necessary to understand how the GDPR, now implemented, has taken effect across IoT networks in order to determine the deliverables and identify the main stakeholders in the use of IoT-based medical devices. This will be done by critically analysing the research by O'Connor [29], which proposed an approach to the "Privacy by Design" principle for IoT environments. That research highlights the importance of electronic consent (eConsent) in order to proceed with data management, being proactive rather than reactive. The regulation emphasises the importance of assuring data privacy and protecting data owners when their personal data has been compromised. In forensic investigation, assuring transparency and privacy is vital because businesses must keep operating during an incident; otherwise it would imply significant financial losses and customer dissatisfaction, and therefore their reliability would decrease. In addition, the GDPR sets fines of up to £17 m if the local authority considers that the organisation was incapable of executing the necessary steps to protect personal information.

The research by Shu and Jahankhani (2017) examines the impact of the GDPR on the Information Governance Toolkit, with a focus on healthcare. It mentions the impact of cloud computing for the storage of huge amounts of data, concentrating on six benefited assets, as shown in Fig. 1. Governance is one of the main components of effective cyber security regardless of the speciality area. Effective communication and control make it possible to achieve regulatory compliance and assure policy enforcement. During a forensic investigation, it is possible that policies and procedures will be changed as a result of the lessons learned during a cyber incident, along with modifications to the technical infrastructure and configuration management procedures.

Fig. 1 Impact of cloud computing in healthcare

4 The Role of Forensic Investigation in IoMT

Forensic investigation is an essential part of incident response in cyber security, following the NIST Cyber Security Framework. It reveals the details of how the intrusion was performed, the actions and methods of the attackers, and the assets compromised (systems and/or data). Furthermore, it allows organisations to learn from those mistakes in order to mitigate risks and, where applicable, to modify or implement new cyber security strategies, whether technical, organisational or legal, since compliance is a feature of this field.

Healthcare providers must adapt to the latest guidelines, frameworks and standards because they hold sensitive data that could cause immeasurable damage if leaked. In addition, the adoption of IoT in medical environments has expanded the risks within the industry, and because IoT is not yet standardised, it can cause extensive trouble for investigators collecting evidence and presenting comprehensive reports, whether for courts or for the compromised organisation, in order to mitigate risks.

However, the threat landscape is subject to change, and much will depend on whether the Internet of Things becomes standardised over the next few years. If it does not, the job of forensic investigators will be made more difficult, leading to cases being rejected or lost for lack of relevant evidence supporting the investigation.

4.1 Challenges of Digital Forensic Investigation in IoMT

Digital Forensic (DF) investigation is a process that works alongside Incident Response in order to extract information from a particular device, system or infrastructure, which is then subjected to analysis, preservation and presentation of digital evidence that can be used to identify activities related to security/policy violations or crime. Nevertheless, there is no standardised model that provides an overview of the entire investigation. In fact, some existing models came from the experience of ethical hackers, system administrators and law enforcement entities, without the solidity and consistency that every stage of the investigation (technical and non-technical) requires. An investigator must present relevant and incriminating evidence in a comprehensive and consistent manner aimed at legal authorities; otherwise the case may be lost or discarded during the investigation process [22, 23, 24]. Considering that most devices are unlikely to show or contain the necessary consent from users [29], the hardware and software limitations of the Internet of Things (IoT), the complexity of its architecture, the absence of standardisation, and the recently enforced European General Data Protection Regulation (GDPR), there is a requirement to define a comprehensive and holistic forensic investigation model that ensures data privacy and compliance while maintaining the utmost discretion during an investigation, in order to protect people during and after a security breach.

Khan et al. [18] claim that forensic investigation in the Internet of Things demands solutions from researchers, security and IoT experts, and cloud computing providers to secure the infrastructure during a security incident. Nowadays it is a fact that patients' EHRs are one of the main targets for malicious attackers, and investigators must therefore assure data owners of their privacy during the investigation process. This is because stolen records can lead to severe harm, including terrorist attacks against the person's life.

The information below, following Fig. 2, shows the challenges that forensic investigation presents in medical IoT, along with details of each component mentioned in the mind map. Considering that IoT works in a similar way to the cloud, it has been divided into three stages that require investigation: first the users' devices, second the network over which the information is transmitted, and finally the cloud servers. It is important to recall that all digital evidence extracted and sent to court must be reliable, authentic, complete, believable and admissible in order to present an overview of the investigation.

Fig. 2 Digital forensics challenges in IoMT

In addition, the evidence analysed must contribute to incriminating the malicious actor responsible for the unauthorised action. Details of every component of forensic investigation in IoMT, along with their own challenges, are shown below.

5 Attack Vectors

All medical implants are required to operate on the MICS band [35], which ranges from 402 MHz to 405 MHz. There have been many successful hacking attempts on implants by hijacking the RF module [12]; RF is the most commonly used communication method for implants, although this is due to change with a move to Bluetooth technology. There is a serious risk to medical equipment within third-party companies and institutions such as the NHS: 93 cyber-attacks took place in healthcare organisations from 2013 to 2016 [2].

The paper “Hacking NHS Pacemakers: A Feasibility Study” [1] describes a black-box test on NHS implants, in this case pacemakers. Based on its results, the most common attack vectors can be defined as:

  • Denial of Service (DoS)

  • Replay Attacks

  • Code Injection Attacks

5.1 Denial of Service (DoS)

DoS is a type of cyber-attack whose intended aim is to take the targeted resource offline [7]. The methodology behind this attack is to overload the target by overpowering its resources, which is achieved by sending a multitude of spam data signals at the same time. The attack cannot work if the intended target has enough resources available to cope with the extra workload; in these instances more devices are required to perform the attack and succeed. DoS attacks can be combined with a code injection attack, the idea being to execute spam code whilst flooding the connection to intensify the effect.

The primary defence methods for this type of attack are as follows:

  • Disabling the wireless functions of the target to stop all communications

  • Increase the resources available to the target so it can cope with the extra load

  • Limit communication to only specific pre-authorised devices

In RF terms, the equivalent of a DoS attack is signal jamming. This is achieved by broadcasting on the same frequency but at a higher power than the target; effectively this spams the airwaves in the same way that a DoS attack spams wireless communications. The device is then unable to cope with the high level of interference and, in theory, may behave erratically, such as performing at a slower rate or even powering off entirely [16].

There are few ways to protect an RF device against signal jamming; the most efficient is to attempt to mask the transmission so that the attacker does not know which frequency to jam. Code Division Multiplexing (CDM) is an alternative method of combating signal jamming in UHF systems (Thakur n.d.). CDM works by spreading the signal's spectrum across multiple channels, each of which is encoded with its own unique code. Only the receiver of the signal knows the code generated, though the spreading effect does reduce the overall power of each channel.

In theory, a pacemaker or ICD should be accessible only by the corresponding manufacturer's programmer; however, as the previous examples of attacks show, it has been possible to bypass the need for these devices. Fundamentally this is an unavoidable failing of all communication technologies. If you are going to allow wireless connectivity then you must account for unauthorised access attempts and plan accordingly.

5.2 Replay Attack

Home monitoring units send data to and receive data from pacemakers and ICDs when the user is in the vicinity. This data can be captured in transit using the listening functions of a radio antenna and then replayed back to the device. Since the data or commands being sent came from the device originally, it may be able to read them; whether the unit accepts the signal depends on the security employed by the receiver.

Since medical implants are commonplace in the UK, it is to be expected that the MICS range could be flooded with signals. These signals clearly do not affect each other, however, as otherwise devices would be subjected to constant replay attacks. It can therefore be surmised that some form of unique identifier must be used. If this is the case, then to perform this attack successfully a signal from the same device must be played back to it. If it is not the case, then theoretically any signal from a device of the same type and manufacturer could be used to attack any other.
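The receiver-side checks implied by Sects. 5.1 and 5.2 (an allow-list of pre-authorised devices, and rejection of a captured frame that is played back later), as an added example in Python that is not taken from the feasibility study or from any real implant protocol; the frame layout, device identifiers, shared secrets and command names are constructed for the illustration:

```python
import hashlib
import hmac
import struct

# Constructed allow-list: device identifier -> shared secret provisioned at
# implant time. Frames from any sender not in this table are dropped, which
# is the "only pre-authorised devices" defence listed in Sect. 5.1.
AUTHORISED_DEVICES = {
    b"PROG-0001": b"constructed-secret-for-programmer-0001",
    b"HOME-0042": b"constructed-secret-for-home-monitor-0042",
}

TAG_LEN = 32     # HMAC-SHA256 output length in bytes
COUNTER_LEN = 8  # 64-bit big-endian message counter


def build_frame(device_id: bytes, key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side (constructed format): id | counter | command || HMAC.

    The counter is covered by the MAC, so a captured frame cannot be re-sent
    with a fresh counter, and the command cannot be altered in transit.
    """
    body = device_id + b"|" + struct.pack(">Q", counter) + b"|" + command
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class CommandReceiver:
    """Implant-side receiver.

    A frame is accepted only if (1) the sender is in the allow-list, (2) the
    HMAC verifies under that sender's key, and (3) the counter is strictly
    greater than the last one accepted from that sender. Condition (3) is
    what defeats replay: the identical frame, played back later, fails it.
    """

    def __init__(self, authorised: dict):
        self.authorised = authorised
        self.last_counter = {dev: -1 for dev in authorised}
        self.accepted = []

    def receive(self, frame: bytes) -> str:
        if len(frame) <= TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, sep, rest = body.partition(b"|")
        if not sep or len(rest) < COUNTER_LEN + 1 or rest[COUNTER_LEN:COUNTER_LEN + 1] != b"|":
            return "rejected: malformed"
        key = self.authorised.get(device_id)
        if key is None:
            return "rejected: unknown device"
        # Verify the tag before trusting anything else in the frame.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        counter = struct.unpack(">Q", rest[:COUNTER_LEN])[0]
        if counter <= self.last_counter[device_id]:
            return "rejected: replay"
        self.last_counter[device_id] = counter
        self.accepted.append(rest[COUNTER_LEN + 1:])
        return "accepted"


def demo() -> list:
    """Walk through the cases discussed in Sects. 5.1 and 5.2."""
    rx = CommandReceiver(AUTHORISED_DEVICES)
    key = AUTHORISED_DEVICES[b"HOME-0042"]
    genuine = build_frame(b"HOME-0042", key, 1, b"READ_TELEMETRY")
    results = [rx.receive(genuine)]                 # accepted
    results.append(rx.receive(genuine))             # same frame again: replay
    # A unit of the same type that was never paired with this implant.
    stranger = build_frame(b"HOME-0099", b"some-other-secret", 1, b"READ_TELEMETRY")
    results.append(rx.receive(stranger))            # unknown device
    # The captured frame with its command field altered: the MAC no longer matches.
    altered = genuine.replace(b"READ_TELEMETRY", b"WRITE_SETTINGS")
    results.append(rx.receive(altered))             # bad tag
    results.append(rx.receive(build_frame(b"HOME-0042", key, 2, b"READ_TELEMETRY")))  # accepted
    return results


if __name__ == "__main__":
    print(demo())
```

A real implant would also have to persist `last_counter` across resets, since a receiver that forgets its counter on power loss reopens the replay window.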

5.3 Code Injection

Code injection is a generic term that refers to the unauthorised uploading of potentially malicious code [6]. The programming language used may vary, but the fundamental techniques remain the same. When malicious code is packaged it is referred to as malware, a catch-all term for computer viruses.

There are various cyber-security platforms and automated tools specially designed to remove malware; however, if the code is not detected by such tools then it is left to the user to go through the system until it is found. Anti-virus providers and cyber-security agencies typically have in-house experts who specialise in searching for malicious code; once it is found their clients are notified and a patch to resolve the issue is pushed out. There are many skilled individuals who design malware to perform all sorts of functions, such as stealing information, hijacking a device or blackmail, or simply because they enjoy doing it. Owing to the increase in IoT devices and in computing expertise, the amount of malware in circulation will increase exponentially.

Pacemakers and ICDs are re-programmable; they have to be, so that any issues with the software can be patched. This opens up a possible avenue for attack: if code is accepted from any source then malware could be uploaded to the device instead. The code does not need to be long or complex; if simple commands are accepted then it would be possible to upload a command to download the data, wipe the device entirely or even switch the device off.

5.4 Summary

Radio frequency has previously been stated to be easily breakable; however, the results of the 2019 work could argue that the devices are shielded enough to alleviate users' concerns. The reason documentation states the potential risks of EMI interference could be a legal consideration: device manufacturers who implement RF technology must inform the user of potential risk.

The devices used in the 2019 tests were provided by the NHS; they were standard modern units and as such it is expected that they should have a reasonable defence against hacking. The conclusion of the work was that for the attacks to work, the individual must have expertise and knowledge of both wireless communication (in this instance RF) and the inner workings of the devices being targeted.

6 Forensic Investigation on the Internet of Things and Considerations on 5G Networks

As shown in Sect. 4.1, performing forensic investigation on IoT is complex owing to the multiple architectures that investigators have to deal with. In addition, the arrival of 5G makes it more complex because of the massive use of Software Defined Networks (SDNs). Performing forensic investigation on IoT could mean interacting with cloud servers, examining communication between different VPSs, performing packet analysis between transport networks and SDNs, and also analysing infected end-user devices, which could violate users' rights in terms of data privacy.

The proposed forensic investigation process model considers the main components of an IoT architecture, as mentioned in the previous sections. It has been designed with a high-to-low-level approach, allowing forensic investigators to obtain precise information and gain a better understanding of the detailed components, namely processes, stages, sub-stages and principles. It consists of 7 processes, each formed by a different number of stages. The guideline is shown here only at a high level; details of the model can be found in the research by Ibarra et al. [13]. The overview of this model works along with eight concurrent processes, regardless of the architecture investigators are interacting with (Fig. 3):

Fig. 3 Guideline for forensic investigation on IoMT

  • Preserve Digital and Physical Evidence – Evidence must be retained in its original form and its integrity preserved from the opening to the closing stage of the investigation, for both physical and digital evidence. It is paramount for investigators to show that evidence has not been altered and, if some unavoidable changes were made, to report and justify them. IoT networks deal with massive amounts of personal data, hence the requirement to ensure privacy during the investigation in order to assure GDPR compliance. Achieving privacy and integrity of physical and digital evidence ensures a high-quality investigation and reliable evidence to present to a court. The preservation process might require investigators to prevent unauthorised people from entering or leaving the crime scene, and to isolate the system/device/network/VPS in order to acquire volatile data and locate suspicious running processes. Preservation also includes securing log files before their removal and a full backup of the imaged system.

  • Preserve Chain of Custody – Digital evidence is often handled by different parties, and in some cases its poor preservation allows courts and the defence to challenge it with confidence, leading to its rejection. Events are correlated in order to reconstruct the crime scene within a Chain of Custody (CoC), and this must be considered the main component of any forensic investigation. Potential digital evidence is gathered from the threat hunting and incident response (IR) detection stages and from processing physical and digital crime scenes; hence the CoC begins there, and this principle should be observed from the IR detection stage onwards. Proper, accurate and detailed documentation is essential to preserve the CoC, as is supporting evidence such as videos, pictures and drawings. In addition, a reliable CoC demands that investigators record the personnel responsible for handling evidence, including the actions taken and their dates, and it may require the development of supporting documents that contribute to the final report prior to its presentation in court.

  • Manage Information Flow – This principle concerns investigators' ability to deal appropriately with the variety of laws, languages, etc. encountered during the entire investigation. One example is the interaction between two investigative entities responsible for the same case, or the exchange of digital evidence between parties. Such exchanges can be protected using hashing algorithms such as MD5 or SHA-1, or any PKI-based encryption.

  • Maintain Detailed Case Management – This refers to managing the investigation wisely, recording and keeping track of evidential items, events and crucial forensic findings. Casey [4] points out the importance of this principle as one of the main components of the scaffolding that binds all evidence, reports and supporting documentation together to build a strong case. Likewise, Khatir et al. [19] highlight the effectiveness of an investigation based on strong case management.

  • Prepare Tools and Techniques – Forensic investigators need to use diverse tools and techniques to perform each process during the investigation. This principle is extensively covered by standardised documents such as NIST [17] and the International Organisation for Standardisation (2005), (2013), as well as technical reports such as those of the Information Assurance Advisory Council (IAAC) [32]. Well-known tools can be used for system imaging and data carving, e.g. FTK and EnCase, and for packet analysis, e.g. Wireshark, Tcpdump and SolarWinds. However, for IoT devices it is likely that some reverse engineering techniques will be needed to assess the behaviour of the firmware and determine any malicious modification against the original, with tools such as IDA Pro and GDB, for instance, and the execution of MITM techniques to extract the current firmware from the device, depending on the communication protocols developed by the provider. For IP address tracking there are a variety of open source and online tools, e.g. ping, nslookup, dig, traceroute, Whois, WhatIsMyIPAddress [34] or IP Location [14].

  • Obtain and Adhere to Consent – Any investigation requires authorisation, either internal or external. This principle requires investigating entities to obtain proper consent from governments, system administrators and users when carrying out an investigation. Now that the GDPR has been implemented across Europe, it is paramount for investigators to execute processes precisely, because personal data must not be compromised during an investigation and the protection of people is crucial. In addition, it is possible that users will not allow the retrieval of potential evidence for security reasons, which could interfere with the work of investigators. One option is the proposed smart contract [21], based on blockchain technologies, which allows a secure and reliable forensic investigation to be performed.

  • Maintain Detailed Documentation – Activities and actions performed must be logged and documented in detail, using comprehensible vocabulary that allows legal courts to understand the details of the crime committed in order to make fair decisions when the case is heard. The documentation includes any changes made across the investigation, which should be recorded and mentioned during the presentation to justify the actions that investigators performed.

  • Interact with Physical Investigation – Even if the crime was committed in the digital world, the main component of technology is people. Investigators must interact with people involved at the scene who might have witnessed some unusual event that could contribute to the development of the investigation. However, under the GDPR, details should be recorded and authorised by the witness before being presented. The more supporting evidence investigators collect to present in court, the stronger and more reliable the CoC becomes.
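An added example, not part of the model by Ibarra et al. or of any tool named above, of how the Preserve Evidence, Chain of Custody and Manage Information Flow principles can be enforced in practice: a hash-chained custody log whose verifier reports both altered evidence items and doctored records. Case and item identifiers, handler names, timestamps and evidence bytes are constructed; it uses SHA-256 rather than the MD5 or SHA-1 mentioned above, since both of those have practical collision attacks.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record (constructed for this example).

    Every entry stores who handled which item, what they did and when, the
    SHA-256 of the item at that moment (if it was touched), and the hash of
    the previous entry. Since each entry's own hash covers prev_hash, an
    edit to an earlier record breaks the link from every record after it.
    """

    GENESIS = "0" * 64

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def entry_hash(entry: dict) -> str:
        # Canonical JSON so the hash does not depend on key order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, item_id: str, action: str, handler: str, timestamp: str,
               evidence: bytes = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "item_id": item_id,
            "action": action,
            "handler": handler,
            "timestamp": timestamp,
            "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self.entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence_store: dict) -> list:
        """Return the problems found; an empty list means the chain is intact
        and every item still matches the hash recorded when it was acquired."""
        problems = []
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if self.entry_hash(entry) != entry["entry_hash"]:
                problems.append(f"entry {i}: record altered after it was written")
            if entry["evidence_sha256"] is not None:
                current = evidence_store.get(entry["item_id"])
                if current is None or sha256_hex(current) != entry["evidence_sha256"]:
                    problems.append(f"entry {i}: item {entry['item_id']} no longer matches")
            prev = entry["entry_hash"]
        return problems


def demo() -> tuple:
    """Intact chain, then a modified item, then a doctored custody record."""
    # Constructed evidence items: a captured RF frame and a firmware dump.
    store = {
        "ITEM-01": b"constructed: captured MICS-band frame from test bench",
        "ITEM-02": b"constructed: firmware image read from test unit",
    }
    log = CustodyLog("CASE-IOMT-0001")
    log.record("ITEM-01", "acquired", "A. Investigator", "2019-05-14T09:12:00Z", store["ITEM-01"])
    log.record("ITEM-02", "acquired", "A. Investigator", "2019-05-14T10:05:00Z", store["ITEM-02"])
    log.record("ITEM-02", "transferred to lab", "B. Analyst", "2019-05-15T08:30:00Z")
    intact = log.verify(store)

    # Scenario 1: the firmware image changes after acquisition, even by one byte.
    modified_store = dict(store, **{"ITEM-02": store["ITEM-02"] + b"\x00"})
    item_problems = log.verify(modified_store)

    # Scenario 2: someone edits entry 1's handler and recomputes its own hash to
    # make it look self-consistent; the link stored in entry 2 still exposes it.
    log.entries[1]["handler"] = "C. Unknown"
    log.entries[1]["entry_hash"] = CustodyLog.entry_hash(log.entries[1])
    record_problems = log.verify(store)
    return intact, item_problems, record_problems
```

In practice the log would be written to media the handlers cannot rewrite (or counter-signed by a second party) so that the chain itself is part of the preserved evidence.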

The adoption of IoT must be heavily considered as an important use case in 5G because of the resource constraints that these devices currently have (e.g. e-home, wearable/implantable devices, industrial IoT). It is paramount to consider that 5G networks offer higher download/upload speeds, together with the current cyber-attack trend affecting 4G. Therefore, 5G will allow attacks to be executed more efficiently, especially those affecting the software-defined layers.

For instance, as shown in the research by Nomikos et al. [28], communication in 5G is also defined by software, bringing the challenge of creating a Dynamic Radio Access Control Network (DyRAN). Hence, controlling unusual behaviour in this part is important to avoid resource consumption, and this lack of accountability is of course a clear problem for IoT, as shown by Nieto et al. [27], which clearly affects 5G networks as well.

Another important feature of 5G is Device-to-Device (D2D) communication, created to increase the coverage of the network, e.g. network relays [28]. This could facilitate vulnerabilities and attacks propagating hop by hop, leading to possible access to critical parts of the infrastructure, i.e. software controllers. As shown in the ENISA 5G security report [3], SDN controllers are prone to attacks on the communication APIs between controllers and between controllers and the SDN elements close to the end user.

One of the most important topics to discuss in 5G is Mobile Edge Computing (MEC), which brings improvements in terms of data, storage and performance by exploiting the latest changes in this new architecture, and therefore the requirement to work with massive amounts of data traffic. Finally, a critical feature is the ability to virtualise network functions: Network Function Virtualisation (NFV) allows software to be replaced with more ease than in hardware-based networks. This can allow attacks to be isolated immediately by simply stopping the service and containing the infected VPS, but on the other hand the use of software exposes the system to vulnerabilities related to coding errors and the requirement for constant patching.