Article
Cyber Risks Prediction and Analysis in Medical Emergency
Equipment for Situational Awareness
George Burke and Neetesh Saxena *
Citation: Burke, G.; Saxena, N.
Cyber Risks Prediction and Analysis
in Medical Emergency Equipment for
Situational Awareness. Sensors 2021,
21, 5325. https://doi.org/10.3390/
s21165325
Academic Editors: Alexios Mylonas
and Nikolaos Pitropakis
Received: 18 June 2021
Accepted: 4 August 2021
Published: 6 August 2021
Publisher’s Note: MDPI stays neutral
with regard to jurisdictional claims in
published maps and institutional affil-
iations.
Copyright: © 2021 by the authors.
Licensee MDPI, Basel, Switzerland.
This article is an open access article
distributed under the terms and
conditions of the Creative Commons
Attribution (CC BY) license (https://
creativecommons.org/licenses/by/
4.0/).
School of Computer Science and Informatics, Cardiff University, Cardiff CF10 3AT, UK; burkegj@cardiff.ac.uk
* Correspondence: nsaxena@ieee.org
Abstract:
In light of the COVID-19 pandemic, the Medicines and Healthcare products Regulatory
Agency administered the standards for producing a Rapidly Manufactured Ventilator System (RMVS)
free of charge due to the United Kingdom’s shortfall of ventilator systems throughout health centers.
The standards delineate the minimum requirements in which a Rapidly Manufactured Ventilator
System must encompass to be admissible for usage within hospitals. This work commences by
evaluating the standards provided by the government to identify any potential security vulnerabilities
that may arise due to the succinct development standards provided by the MHRA. This research
investigates what cyber considerations are taken to safeguard a patient’s health and medical data
to improve situational awareness. A tool for a remotely accessible, low-cost ventilator system is
developed to reveal what a malicious actor may be able to inflict on a modern ventilator and its
adverse impact.
Keywords: cyber risks; situational awareness; manipulation attack; healthcare
1. Introduction
The increasing connectivity of modern medical devices to computer networks and the
convergence of technologies are steadily exposing vulnerabilities within the devices and the
software applications they employ. The medical device companies must intend for front-
line usage explicitly consider all aspects of the devices’ security throughout their life cycle.
This includes the device’s design, procurement, monitoring/auditing, and operation [
1
].
Health trusts across the United Kingdom employ medical devices to perform life-critical
tasks on a patient and are highly dependent on the systems running uninterrupted. These
systems perform a wide range of activities in which a human may find challenging to
accurately emulate. An example of this would be utilizing a ventilation system to provide
a specific respiratory rate (number of breaths per minute) to a patient suffering from
a respiratory-related illness. It is crucial the companies that are manufacturing these
devices highly dependent upon medical devices incorporate an extensive level of security
into medical device systems to prevent malicious actors interfering with how the system
functions as otherwise, major repercussions can transpire.
Healthcare organizations are particularly vulnerable and targeted by cyber threats as
they possess high levels of information of high monetary and intelligence value to cyber
attackers and nation-state actors. This is typically the patient’s data and privacy that is at
risk, and potentially their health. The UK’s NHS is no stranger to cyber-attacks—falling
victim to a ransomware attack in May 2017 known famously as the WannaCry attack [
2
].
This attack rendered medical devices including computers, MRI scanners, blood-storage
refrigerators, and theatre equipment inoperative. This attack was feasible due to the
outdated Windows XP operating system being used on thousands of computers within
particular trusts throughout the nation. The Windows XP operating system contained
major security flaws which malicious actors were able to successfully exploit, costing the
NHS £92 million in disruption to services and IT upgrades [
3
]. With this in mind, it is
Sensors 2021, 21, 5325. https://doi.org/10.3390/s21165325 https://www.mdpi.com/journal/sensors
