Date of Award
Spring 4-15-2026
Document Type
Thesis
Degree Name
Master of Science (MS)
Department
Mathematical and Statistical Sciences
First Advisor
Despoina Perouli
Second Advisor
Keyang Yu
Third Advisor
Robert Scheidt
Abstract
The rapid growth of connected devices in healthcare environments has significantly expanded the cybersecurity threat landscape, extending the potential risks beyond traditional hospital networks. Regulatory guidance from the FDA and risk management frameworks such as the NIST Cybersecurity Framework (NIST CSF) provide an approach for managing cybersecurity risk in connected systems. However, these principles are not always applied during the early stages of device development. As a result, security considerations may be deferred until later stages of development, allowing vulnerabilities to persist in systems as they move toward clinical or commercial deployment. This study presents a structured method for integrating cybersecurity evaluation into early Internet of Medical Things (IoMT) development by combining technical security testing with a regulatory-aligned risk analysis. To demonstrate this approach, the security posture of the Souvenir System, a rehabilitation exercise monitoring system that includes wearable monitors, a smartphone application, and a cloud storage backend service, was evaluated as a case study. A series of penetration tests was conducted to examine the Bluetooth Low Energy (BLE) communication boundary through replay analysis, reconnection race-condition testing, and robustness assessment under burst command conditions. The results revealed behaviors relevant to authentication, authorization, integrity protection, and system availability. Introducing an interpretive mapping between the NIST CSF and FDA cybersecurity premarket guidance placed these findings within a regulatory context, illustrating how early-stage security testing can be systematically aligned with regulatory expectations.
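The abstract names replay analysis and reconnection behavior at the BLE command boundary as the properties tested, without describing how a device should defend them. The following is an added illustration written for this page, not code from the thesis or from the Souvenir System; it assumes a hypothetical command envelope (a 32-bit monotonic counter plus a truncated HMAC tag under a shared per-pairing key, here a constructed demo constant) and shows a hardened receiver rejecting a replayed or tampered command beside a weak variant whose counter resets on every reconnect, which is the design flaw that reconnection race-condition testing would surface.

```python
import hashlib
import hmac
import struct

# Constructed demo key: a real device would hold a per-pairing secret, never a literal.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = 8   # truncated HMAC-SHA256 tag, small enough for a BLE characteristic write
CTR_LEN = 4   # 32-bit big-endian monotonic counter


class CommandSender:
    """Sender side: prefixes every command with a monotonic counter and appends an HMAC tag."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def seal(self, command: bytes) -> bytes:
        self.counter += 1
        header = struct.pack(">I", self.counter)
        tag = hmac.new(self.key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        return header + command + tag


class CommandVerifier:
    """Receiver side: accepts a command only if its tag is valid and its counter is fresh.

    reset_counter_on_reconnect=True models the weak design in which a new BLE
    connection starts the counter over, reopening the replay window.
    """

    def __init__(self, key: bytes, reset_counter_on_reconnect: bool = False) -> None:
        self.key = key
        self.last_counter = 0
        self.reset_counter_on_reconnect = reset_counter_on_reconnect

    def reconnect(self) -> None:
        if self.reset_counter_on_reconnect:
            self.last_counter = 0

    def verify(self, msg: bytes):
        """Returns (accepted, command_or_reason)."""
        if len(msg) < CTR_LEN + 1 + TAG_LEN:
            return (False, "too short")
        header, body, tag = msg[:CTR_LEN], msg[CTR_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # Integrity and authentication check first, with a constant-time comparison.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")
        (counter,) = struct.unpack(">I", header)
        # Freshness check: counters must strictly increase for the life of the pairing.
        if counter <= self.last_counter:
            return (False, "replay")
        self.last_counter = counter
        return (True, body)


def run_scenario() -> dict:
    """Drives the hardened verifier and the weak variant through the same constructed messages."""
    sender = CommandSender(DEMO_KEY)
    hardened = CommandVerifier(DEMO_KEY)
    weak = CommandVerifier(DEMO_KEY, reset_counter_on_reconnect=True)

    start = sender.seal(b"START_SESSION")  # constructed command payload
    results = {}
    results["first_delivery"] = hardened.verify(start)[0]
    results["replayed_copy"] = hardened.verify(start)[0]
    # Same length body swapped in, so only the tag check can catch it.
    tampered = start[:CTR_LEN] + b"STOP_SESSION_" + start[-TAG_LEN:]
    results["tampered_body"] = hardened.verify(tampered)[0]
    results["next_command"] = hardened.verify(sender.seal(b"STOP_SESSION"))[0]

    hardened.reconnect()
    results["replay_after_reconnect_hardened"] = hardened.verify(start)[0]

    weak.verify(start)
    weak.reconnect()
    results["replay_after_reconnect_weak"] = weak.verify(start)[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The counter state is the whole point: the hardened verifier keeps `last_counter` across reconnects, so an earlier capture stays rejected, while the weak variant accepts the identical bytes again once the link is re-established. In a real device the counter and key would be persisted with the pairing record, and the tag length chosen against the characteristic's MTU.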