Success in using testbeds: Penetration Testing on Medical Device - First Cyber Test Service delivered by TEF-Health to an SME

About Service provider RISE Research Institutes of Sweden: RISE is Sweden’s research institute and innovation partner. Through international collaboration programmes with industry, academia and the public sector, RISE ensures the competitiveness of the Swedish business community on an international level and contributes to a sustainable society. RISE has around 3300 employees who engage in and support all types of innovation processes. RISE is an independent, State-owned research institute, which offers unique expertise and over 130 testbeds and demonstration environments for future-proof technologies, products and services.

 

RISE became a TEF-Health partner with a main focus on AI and cyber security solutions (see "TEF Health - supporting businesses to use AI solutions in health | RISE"). RISE provides both services and testbeds for implementation projects supporting SMEs and international organisations (see "Testbeds and competence to boost AI development in health | RISE").

 

About SME Kiwok Nordic AB (publ): Kiwok, a MedTech company, is a Swedish SME founded in 2003 and based in Stockholm, Sweden. Their product for Remote Patient Monitoring (RPM) is BodyKom/Twitrac. The RPM product consists of a small, convenient sensor that is attached with a patch to the sternum. The sensor measures i.e. multi-channel ECG and is specially designed for continuous long-term measurement, and it finds rare events and deviations in the heart rhythm. The sensor communicates via Bluetooth or Wi-Fi with a mobile app, which in turn sends health data via the mobile network in real time to the healthcare provider for analysis and diagnosis. The solution has been validated at Karolinska University Hospital Huddinge and Region Blekinge (in Sweden), and the first version of the product was previously CE marked according to MDD.

 

Kiwok is now developing the next generation of the product and has started a regulatory plan to certify it according to the MDR. The new product is based on their RPM solution, and Kiwok is planning the development of AI-based analysis of incoming health data for earlier detection, an individual health profile based on virtual twin technology for a more personalized analysis and care, and lifestyle advice for a complete solution for a longer and healthier life.

 

Service provided by TEF-Health: The service provided by TEF-Health partner RISE is cyber security testing at the Cyber Range, specifically penetration testing. Normally, medical devices are designed to collect, store and transmit health data that could potentially be accessible to, or even manipulated by, a hacker if the device is not properly protected. The penetration testing process utilizes methods and tools used by real hackers to perform attacks against a system with the goal of uncovering potential vulnerabilities. With the knowledge of these vulnerabilities, the developer can then work to fix the issues that could lead to the system getting hacked. The idea is simply to identify and remedy the issues before they are discovered by a malicious hacker.

 

Penetration testing is a common method used to increase security in many kinds of connected systems, but the process can differ a lot depending on what kind of system is being tested. For medical devices there can be a lot of variety in terms of the technology used, such as different processors, operating systems, wireless interfaces, and communication protocols. This makes the testing process more difficult because the ethical hacker performing the tests needs to be familiar with and understand many kinds of systems in order to perform well. When developing a secure system there are many different things to consider and many things that can go wrong, and penetration tests are just one tool to help find potential issues before they are exploited by hackers.

 

Penetration testing was performed in the Cyber Range on the medical device called BodyKom, which is developed and manufactured by Kiwok in Sweden.


 

The Penetration Testing Process performed at RISE for the Kiwok product BodyKom

This approach simulates a real-world attack scenario, providing valuable insights into potential vulnerabilities that a malicious actor could exploit.

A penetration test typically follows a structured process to identify security weaknesses.

  1. Reconnaissance – Gathering publicly available information about the device and its infrastructure to understand its potential attack surface.
  2. Scanning & Enumeration – Identifying open ports, services, and communication protocols used by the device to transmit data to the server.
  3. Exploitation – Attempting to exploit discovered vulnerabilities to gain unauthorized access or disrupt the device’s functionality.
  4. Post-Exploitation & Persistence – Evaluating how deeply an attacker could infiltrate the system and whether they could maintain access.
  5. Reporting & Remediation – Documenting findings, assessing risks, and providing recommendations for improving security.

 

Based on the above, we decided that the attack vectors we would investigate were:

  1. Firmware analysis of any binaries extracted from the device
  2. Bluetooth communication
  3. Wi-Fi communication

 

In addition, through the penetration testing process at RISE, Kiwok can find out whether their medical (IoT) device is secure against cyber threats.

Ensuring the security of medical (IoT) devices is an ongoing process, requiring continuous monitoring, regular updates, and periodic security assessments. RISE’s penetration test provided valuable insights, reinforcing Kiwok’s commitment to delivering secure and reliable healthcare solutions. Finally, TEF-Health would like to highlight the importance of proactive security measures in healthcare technology, where even minor flaws can have significant consequences.

Cyber Range at RISE, Center for cybersecurity - Cyber Range | RISE

 

 


© 2025 | TEF-Health Consortium | All rights reserved