Attacking and Defence Pathways for Intelligent Medical Diagnosis System (IMDS)
International Journal of Medical Informatics (IF 4.9), Pub Date: 2021-02-11, DOI: 10.1016/j.ijmedinf.2021.104415
Ying He 1, Ruben Suxo Camacho 2, Hasan Soygazi 2, Cunjin Luo 3

Background

The Intelligent Medical Diagnosis System (IMDS) has been targeted by cyber attackers who aim to damage the Healthcare Critical National Infrastructure (CNI). This research is motivated by recent cyber attacks worldwide that have resulted in the compromise of medical diagnosis records. This study was conducted to demonstrate how the IMDS could be attacked and diagnosis records compromised (i.e. heart disease), and to suggest a list of security defence strategies to prevent such attacks.

Methods

This research developed an IMDS simulation platform by implementing the OpenEMR system. A Cardiac Diagnosis Component was then added to the IMDS, and the IMDS was fed with ECG data (retrieved from the PhysioNet/Computing in Cardiology Challenge 2017). This research then launched systematic ethical hacking tailored to target IMDS diagnosis records. The systematic hacking was based on the NIST ethical hacking method and followed an attack pathway, starting from identifying the entry points of the medical websites, then propagating to gain access to the server, with the ultimate aim of modifying the heart disease diagnosis records.

Results

The hacking was successful. Four major vulnerabilities (i.e. broken authentication, broken access control, security misconfiguration and using components with known vulnerabilities) were identified in the simulated IMDS, and the cardiac diagnosis records were compromised. This research then proposed a list of security defence strategies to prevent such attacks at each possible attack point along the attack pathway.

Conclusions

This research demonstrated systematic ethical hacking of the IMDS, identified four major vulnerabilities and proposed security defence pathways. It provides novel insights into the protection of IMDS and will help researchers in the community conduct further research on the security defence of IMDS.



Updated: 2021-02-11