From diagnosing patients to surgical assistance, Artificial Intelligence is now seen as a game-changer in various medical disciplines. As of June 224, the FDA has approved 882 AI/ML-enabled devices for commercial use, and the number keeps going up every year. However, our studies show that for ~75% of these devices, the FDA pre-market summaries do not contain any mention of security risk assessment. Around 22% of them perform device-specific assessments, which, as we eventually discover, are inadequate. On this research journey, we set out to investigate how secure these devices are from various cyber threats. In this process, we started looking for answers to the following crucial questions.
- Do the manufacturers of the AI-enabled devices implement any security measure? If so, what are they, and how do they assess the security risks to the devices they design?
- The AI-enabled devices need to be interfaced with various other medical and non-medical peripheral devices (manufactured by different vendors) at deployment. Can any of these peripherals pose a threat to the security of the ML engine?
- In case of a post-deployment security breach in a multi-vendor AI-enabled system, who is to be held accountable, and what is the best strategy to mitigate the threat?
- In the event of a security breach on an AI-enabled medical device, do all patients get affected to the same extent? If not, why?
We soon figured that these questions are not trivial, and our quest for the answers eventually laid the foundation of this project. Stay tuned as we uncover the mysteries!
