<  Back to the Polytechnique Montréal portal

Risk assessment of cyber-attacks on telemetry-enabled cardiac implantable electronic devices (CIED)

Mikaela Stéphanie Ngamboe Mvogo, Paul Berthier, Nader Ammari, Katia Dyrda and Jose Manuel Fernandez

Article (2021)

Open Acess document in PolyPublie and at official publisher
Open Access to the full text of this document
Published Version
Terms of Use: Creative Commons Attribution
Download (691kB)
Show abstract
Hide abstract


Cardiac implantable electronic devices (CIED) are vulnerable to radio frequency (RF) cyber-attacks. Besides, CIED communicate with medical equipment whose telemetry capabilities and IP connectivity are creating new entry points that may be used by attackers. Therefore, it remains crucial to perform a cybersecurity risk assessment of CIED and the systems they rely on to determine the gravity of threats, address the riskiest ones on a priority basis, and develop effective risk management plans. In this study, we carry out such risk assessment according to the ISO/IEC 27005 standard and the NIST SP 800-30 guide. We employed a threat-oriented analytical approach and divided the analysis into three parts, an actor-based analysis to determine the impact of the attacks, a scenario-based analysis to measure the probability of occurrence of threats, and a combined analysis to identify the riskiest attack outcomes. The results show that vulnerabilities on the RF interface of CIED represent an acceptable risk, whereas the network and Internet connectivity of the systems they rely on represent an important potential risk. Further analysis reveals that the damages of these cyber-attacks could spread further to affect manufacturers through intellectual property theft or physicians by affecting their reputation.

Uncontrolled Keywords

Cardiac implantable electronic device, CIED, cybersecurity, cyber-attack, attack vector, attack scenario, threat-oriented analysis, risk assessment

Subjects: 1900 Biomedical engineering > 1901 Biomedical technology
2700 Information technology > 2706 Software engineering
9000 Health sciences > 9000 Health sciences
Department: Department of Computer Engineering and Software Engineering
PolyPublie URL: https://publications.polymtl.ca/9257/
Journal Title: International Journal of Information Security (vol. 20, no. 4)
Publisher: Springer Nature
DOI: 10.1007/s10207-020-00522-7
Official URL: https://doi.org/10.1007/s10207-020-00522-7
Date Deposited: 24 Mar 2022 10:45
Last Modified: 05 Apr 2024 17:22
Cite in APA 7: Ngamboe Mvogo, M. S., Berthier, P., Ammari, N., Dyrda, K., & Fernandez, J. M. (2021). Risk assessment of cyber-attacks on telemetry-enabled cardiac implantable electronic devices (CIED). International Journal of Information Security, 20(4), 621-645. https://doi.org/10.1007/s10207-020-00522-7


Total downloads

Downloads per month in the last year

Origin of downloads


Repository Staff Only

View Item View Item