This study addresses the vulnerability of AI/ML-enabled medical devices to falsified data injection attacks, which can lead to misdiagnosis and erroneous treatment and are difficult to anticipate during design. To mitigate this risk, the authors propose SAMD, a novel framework that integrates STPA-Sec with large language models (LLMs) to automatically model system control structures during the design phase, identify potential injection points, and generate concrete attack paths. By synergistically combining STPA-Sec, LLMs, and a database of known vulnerabilities, SAMD enables automated discovery of attack scenarios and their linkage to relevant vulnerabilities. Evaluation on five FDA-cleared devices demonstrates 100% accuracy in attack path identification, 63.2% precision in vulnerability association, and 95.3% accuracy in attack scenario generation, with the fastest analysis completing in just 191.64 seconds.

The growing integration of artificial intelligence (AI) and machine learning (ML) in medical systems requires effective measures to address emerging security risks. One such risk is that of adversaries introducing false data through vulnerable system components during inference, causing misdiagnosis and wrong treatments. These risks are challenging to anticipate and address in the design phase, as the system assembly partially occurs during actual use by end users. To address this concern, we introduce SAMD, an automated tool for performing System Theoretic Process Analysis for Security (STPA-Sec) on AI/ML-enabled medical devices during the design phase. SAMD models the medical system as a control structure, treating all system components as potential points for injecting false data into the ML engine. It leverages state-of-the-art vulnerability databases and Large Language Models (LLMs) to automate vulnerability discovery and generate a list of potential attack scenarios. We demonstrate SAMD's effectiveness through case studies on five FDA-cleared medical devices, showcasing its ability to identify vulnerable points and potential attack paths. We find that SAMD has 100% precision in identifying target device technologies in the case studies' documents, retrieves the known vulnerabilities linked to them (with 63.2% precision), and generates highly relevant attack scenarios on the ML model, including detailed steps that an adversary might take (with 95.3% accuracy, and the highest time taken being 191.64s).