Digital forensics in healthcare: An analysis of data associated with a CPAP machine

Abstract

The need for digital forensic services across all sectors is not a new concept, nor is the increasing demand seen globally. However, the devices on which we perform digital forensics have changed and continue to evolve. For each device new approaches need to be developed or adapted to facilitate the secure preservation and analysis of the data it contains. The healthcare sector has seen particular adoption of a range of devices, from traditional through to cutting edge. The Covid-19 pandemic facilitated the need for a more boundary-agnostic level of care for patients, and medical devices are becoming increasingly more interconnected to facilitate remote care. This presents challenges in that devices are no longer “secured” in medical premises and will often be found in patient's homes, making them more exposed to attack, but also in a position to record significant amounts of personal data. The integration of information technology in medical environments has influenced the need for the development of a digital forensic process to perform analysis on medical devices. One such device is a continuous positive airway pressure (CPAP) machine, used by patients who suffer from Obstructive Sleep Apnea (OSA). It is estimated that 3-9% of the world's population suffer from this disorder, the normal medical treatment is the use of some form of CPAP machine. The research undertaken focuses on the ResMed AirSense 10 CPAP machine and a complete forensic postmortem analysis of the data contained and recorded by the device. The application of digital forensics to a traditional medical device, such as a CPAP machine, requires an adapted version of digital forensics, but in general the same tools and processes can be used. Through the analysis conducted, all patient data was located on a removable FAT32 formatted SD card, allowing the recovery of specific medical information about the device and personally identifiable information about the patient. The recovered data was then visualised using a variety of tools and systems. Information that can be derived from the visualisations include a sequence of events, to some extent how the device was operating, and the clinical information recorded on the device.