CyMed: A Framework for Testing Cybersecurity of Connected Medical Devices
Christopher Scherb, Adrian Hadayah, Luc Bryan Heitz
TL;DR
The paper tackles the gap between high-level cybersecurity regulatory guidance for Connected Medical Devices (CMDs) and the need for concrete testing procedures. It introduces CyMed, a design-science framework that combines CVE checks, firmware analysis, fuzzing, and symbolic execution to detect known and unknown vulnerabilities in CMD software and SaMD, with or without source code. The framework is validated through practical testing on real firmware and expert interviews, demonstrating both feasibility for vendors and relevance to industry needs. Overall, CyMed offers actionable, deployable steps to improve premarket security and postmarket resilience of CMDs, potentially reducing patient risk and increasing device reliability.
Abstract
Connected Medical Devices (CMDs) have a large impact on patients as they allow them to lead a more normal life. Any malfunction could not only remove the health benefits the CMDs provide, they could also cause further harm to the patient. Due to this, there are many safety regulations which must be adhered to prior to a CMD entering the market. However, while many detailed safety regulations exist, there are a fundamental lack of cybersecurity frameworks applicable to CMDs. While there are recent regulations which aim to enforce cybersecurity practices, they are vague and do not contain the concrete steps necessary to implement cybersecurity. This paper aims to fill that gap by describing a framework, CyMed, to be used by vendors and ens-users, which contains concrete measures to improve the resilience of CMDs against cyber attack. The CyMed framework is subsequently evaluated based on practical tests as well as expert interviews.