Keywords
air gap technique
medical-grade systems
How to Cite
Abstract
Modern medical imaging devices (MID) are usually connected to the network. Transfer of digital data to the Picture Archiving and Communication Systems (PACS) and then to Hospital Information Systems (HIS) without the internal network is not technically nor economically reasonable. It is estimated that by the interconnection of medical devices and providing remote access to them, health care costs will be cut by $ 63 billion till 2030. Sharing MID’s over public network by remote access can dramatically cut costs of medical care but creates risks well known from oce networks. The firewall/IDS and the air gap isolation techniques are there applicable. Medical society ask for advice what to choose or what are the threats of network operation of medical devices. Here will be given description of known attacks on the security of air gapped networks and cases of disorder operation of systems and ecient data transfer from networks traditionally known as invulnerable and impermeable. Analyzing the presented cases of successful attacks allows to identify weak points of the air-gap mechanism. In conclusion opinion how to straighten security of isolated networks will be given, on the other hand an eective IDS has advantage and many strong points.
References
Arendt, D., Bezpieczeństwo teleinformatyczne- transmisja danych i kontrola dostępu, In: Konferencja Promieniowanie jonizujące w medycynie, PJOMED 2015, 1-2 June, Krajowe Centrum Ochrony Radiologicznej, 2015, pp. 58–63, ISBN 978-83-61856-07-8(in Polish).
Healey, J., Pollard, N., and Woods, B., The Healthcare Internet of Things, Rewards ad Risks, The Atlantic Council of the United State, 2015, ISBN 978-1-61977-981-5.
FDA, Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication, Tech. rep., U.S. Food & Drug Administration, 2013.
Mah, C. and Higgins, S., Cisco Medical-Grade Network (MGN) 2.0—Security Architecture, No. EDCS-957250 in s1, Cisco Corp., 2012.
Kozlej, S., National Security Strategic Tasks of the Republic of Poland at the Turn of the Second and Third Decade of the Twenty-First Century, Mysl Ekonomiczna i Polityczna, Vol. 3(54), No. 2081-5913, 2015, pp. 292–317.
Hanspach, M. and Goetz, M., On Covert Acoustical Mesh Networks in Air, Journal of Communications, Vol. 8, No. 11, 2013, pp. 758–767.
Guri, M., Kahlon, A., Hasson, O., and Elovici, Y., GSMem: Data Exfiltration from Air Gapped Computers over GSM Frequencies, In: 24th USENIX Security Symposium, 2015, pp. 849–864, ISBN 978-1-931971-232.
Madhavapeddy, A., Sharp, R., Scott, D., and Tse, A., Audio networking: the forgotten wireless technology, IEEE Pervasive Computing, Vol. 4, No. 3, 2008, pp. 55–60.
Guri, M., Monitz, M., and Elovici, Y., USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB, arXiv preprint arXiv:1608.08397, 2016.
Guri, M., Solewicz, Y., Diadulov, A., and Elovici, Y., DiskFiltration: Data Exfiltration from Speaker less Air Gapped Computers via Covert Hard Drive Noise, arXiv:1608.03431, 2016.
Guri, M., Solewicz, Y., and Elovici, Y., Fansmitter: Acoustic Data Exfiltration from Speaker less Air-Gapped Computers, arXiv:1606.05915, 2016.
Schneider, B., Jumping Air Gaps with All-in-One Printers, 2014, [online] http://www.schneier.com/blog/ archives/2014/10 [accesed 2016.03.02].
Constantin, L., All-in-one printers can be used to control infected air-gapped systems from far away, 2015, [online] http://www.itworld.com/ article/2835037/ all-in-one-printers-can- be-used-to-control- infected-air- gappedsystems-from-far-away.html [Accessed 2016.04.16].
Loughry, J. and Umphress, D., Information Leakage from Optical Emanations, ACM Transactions on Information and System Security, Vol. 5, No. 3, 2002, pp. 262–289.
Goodman, M., Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, Anchor Books, 2015, ISBN 978-0804171458.
Powell, J.-P., Mind the gap: Are air-gapped systems safe from breaches? 2014, [online] https://www.symantec.com/ connect/blogs/ mind-gap-are-airgapped-systems- safe-breaches [accesed 2016.02.02].