Session ID: 

Attack Modeling and Mitigation Strategies for Networked Medical Devices

8:30am - 3:30pm Wednesday, February 13
Orlando - Hyatt Regency
Hyatt - Regency Ballroom U


This poster session will be displayed in conjunction with the HIMSS19 Career Fair. 


The integration of technology in the medical field has paved the way for innovative ways to provide patient care and complete daily tasks. With the use of electronics in the healthcare world, many questions are raised about the security of patient information stored and transferred on these devices. In this research, we examine the legitimacy of utilizing system evaluation tools to identify vulnerabilities and threats in networked medical devices that could cause harm to medical assets. Assets that could be at risk from using insecure devices are patients’ health, patients’ personally identifiable data, and the hospital’s networking system. After gathering detected vulnerabilities in the system, we will import the data into a database to allow us to run a risk assessment on the collected data.

In this study, we will evaluate tools that run on legacy systems such as Microsoft Office XP and gather detected weaknesses. These weaknesses will then aid in the identification of threats and vulnerabilities relative to the device being observed. These vulnerabilities can then be categorized and ranked using risk assessment measurements such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Vulnerability Scoring System (CVSS). The research will employ a database-driven model to query the assessment of medical devices by implementing real-world data. The database will contain information about attributes of medical devices such as name, manufacturer, operating system, etc. This information will then be used to identify any commonly known vulnerabilities or threats these devices have encountered recently or in the past. A system evaluator called Open Vulnerability Assessment Language (OVAL) will be implemented in the devices to execute a system check for vulnerabilities in the tools we are testing. Once the system is evaluated, the results will be integrated into the database, which will then execute a unique risk assessment that lists the found vulnerabilities, possible threats, and recommended countermeasures. Aside from running a system evaluation tool, another risk assessment framework will be added to the database to increase the validity of the collected data. The framework that we will be adding is the Common Attack Pattern Enumeration and Classification (CAPEC) dictionary, which could provide the attacker’s perspective to a risk assessment.

With the results from a system evaluation and the addition of more attack definitions, the database report could potentially help IT specialists in the medical field determine what security implementations should be put into practice on their devices to ensure the security of their data as well as their patients.
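A minimal sketch of the database-driven model described above, added here as an illustration and not taken from the poster authors' work. The table layout, device names, manufacturers, CVE placeholders and countermeasure text are all constructed assumptions; the CWE-to-CAPEC pairs and the CVSS v3 severity bands are the published ones.

```python
import sqlite3

# Constructed sample data: devices, vendors and CVE ids are placeholders, not real records.
DEVICES = [(1, "Infusion Pump A", "ExampleMed", "Windows XP"),
           (2, "Patient Monitor B", "SampleCare", "Embedded Linux")]
# (device_id, cve, cwe, cvss_base) as a system evaluation run might report them
FINDINGS = [(1, "CVE-XXXX-0001", "CWE-120", 9.8),
            (1, "CVE-XXXX-0002", "CWE-89", 7.5),
            (2, "CVE-XXXX-0003", "CWE-89", 5.3),
            (2, "CVE-XXXX-0004", "CWE-UNMAPPED", 3.1)]  # no CAPEC entry on purpose
# CWE -> CAPEC attack pattern -> countermeasure (countermeasure wording is illustrative)
CWE_CAPEC = [("CWE-120", "CAPEC-100", "Overflow Buffers", "Apply vendor patch; segment the device"),
             ("CWE-89", "CAPEC-66", "SQL Injection", "Parameterized queries; restrict DB access")]

def severity(score):
    """CVSS v3 qualitative rating for a base score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE device(id INTEGER PRIMARY KEY, name TEXT, manufacturer TEXT, os TEXT);
        CREATE TABLE finding(device_id INTEGER REFERENCES device(id), cve TEXT, cwe TEXT, cvss REAL);
        CREATE TABLE cwe_capec(cwe TEXT, capec TEXT, pattern TEXT, countermeasure TEXT);
    """)
    db.executemany("INSERT INTO device VALUES (?,?,?,?)", DEVICES)
    db.executemany("INSERT INTO finding VALUES (?,?,?,?)", FINDINGS)
    db.executemany("INSERT INTO cwe_capec VALUES (?,?,?,?)", CWE_CAPEC)
    return db

def risk_report(db, device_name):
    """Findings for one device, highest CVSS first, joined to attack pattern and countermeasure."""
    rows = db.execute("""
        SELECT f.cve, f.cwe, f.cvss, m.capec, m.pattern, m.countermeasure
        FROM finding f
        JOIN device d ON d.id = f.device_id
        LEFT JOIN cwe_capec m ON m.cwe = f.cwe  -- keep findings with no CAPEC mapping
        WHERE d.name = ?
        ORDER BY f.cvss DESC""", (device_name,)).fetchall()
    return [{"cve": c, "cwe": w, "cvss": s, "severity": severity(s),
             "capec": p, "pattern": n, "countermeasure": k} for c, w, s, p, n, k in rows]

if __name__ == "__main__":
    for row in risk_report(build_db(), "Infusion Pump A"):
        print(row)
```

The `LEFT JOIN` keeps a finding in the report even when its weakness has no attack-pattern entry yet, so an incomplete CAPEC mapping never hides a vulnerability from the ranking.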

Learning Objectives: 

  • Understand and identify the types of vulnerabilities that devices in the healthcare sector have.
  • Apply our knowledge of threat modeling frameworks and vulnerability scanners to these devices.
  • Analyze the vulnerability reports and summarize the results for upper management in a hospital's environment.


Early Careerist Professional
IT Professional