A graduate seminar: current topics in computer security
 

Where do we stand today with implantable medical device security?

The experiment by Fu et al. [1] that compromised implantable medical devices (IMDs) gained considerable attention in the medical and security communities when it was published in 2008. Committees were formed to assess the security of these devices, and news articles [2][3][4][5] ensued highlighting the gravity of the situation. The IMD manufacturers, on the other hand, were dismissive of the study. Medtronic issued a statement saying, “To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide” [5]. After presenting the paper by Prof. Fu in class, I became curious about the state of IMD security today, nearly four years after this sensational paper was published. Has the whole issue been swept under the rug?

According to my research, it appears to me that the medical companies have largely continued to follow the same old tactic of providing security by obscurity, i.e. by keeping the software secret. However, the research community has continued to push for new, robust techniques for medical security. First, there have been several follow-up publications on different techniques for providing security to these devices [6][7][8][9][10]. As presented in class, the security mechanisms for these devices have one challenging requirement: the security measure should in no way compromise the safety of the patient in the case of emergency or failure. Second, there has been an interesting study on incorporating patients' perspectives into the design of security features [3]. Below I discuss the important progress in IMD security research that I learned about in my brief survey.

As Fu et al. noted in [6], a business challenge exists in attempting to design a security system for IMDs: IMD manufacturers are not forthcoming about the design of their devices and the security measures that they have employed. However, progress has been made. A USENIX 2011 paper [7] shows that the highest amount of energy is consumed in RF communication of vital medical signals rather than in local calculation of these signals. Hence, the authors used a low-energy technique called coefficient encryption that significantly reduced the amount of RF communication without losing vital information, while making it slightly more complicated to hack these signals. Likewise, an IEEE INFOCOM 2011 paper [8] presents a promising authentication mechanism for emergency situations. On top of key-based authentication in non-emergency situations, it proposes a two-level biometric-pattern-based authentication for emergency situations. At the first level, it uses the patient's biometric information such as height, iris color and fingerprint. At the next level, it uses recognition of the patient's iris pattern. Another technique, proposed in IEEE INFOCOM 2011 [9], uses an external wearable guardian to protect the pacemaker in non-emergency situations. In case of emergency or guardian failure, health professionals can use ECG to recover the key shared between the guardian and the IMD. For people interested in further research on this topic, Fu et al. [6] provide more on various threat models and list current challenges in implementing security for IMDs.
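The split between key-based access in normal operation and two-level biometric access in an emergency can be sketched as follows. This is an added illustration, not code from [8] or from any device: the class and function names are hypothetical, an HMAC challenge-response stands in for the unspecified key-based authentication, and the fingerprint type, Hamming-distance iris match and both thresholds are assumptions.

```python
import hashlib
import hmac
import secrets

IRIS_MAX_DISTANCE = 0.32   # assumed: max fraction of differing iris-code bits
HEIGHT_TOLERANCE_CM = 2    # assumed: allowance for measurement error
ENROLLED_IRIS = bytes(range(32))  # constructed sample iris code (256 bits)


def key_response(shared_key: bytes, nonce: bytes) -> bytes:
    """Programmer side: prove knowledge of the shared key for this nonce."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def bit_distance(a: bytes, b: bytes) -> float:
    """Fraction of differing bits; unequal or empty inputs never match."""
    if len(a) != len(b) or not a:
        return 1.0
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


class ImdAccessControl:
    """Hypothetical model of the IMD-side access decision."""

    def __init__(self, shared_key, height_cm, iris_color, fingerprint_type, iris_code):
        self.shared_key = shared_key
        self.basic = (height_cm, iris_color, fingerprint_type)
        self.iris_code = iris_code
        self._nonce = None

    def challenge(self) -> bytes:
        """Non-emergency path: issue a fresh single-use nonce."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def authorize_with_key(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # consume it, so replays fail
        if nonce is None:
            return False
        return hmac.compare_digest(key_response(self.shared_key, nonce), response)

    def authorize_emergency(self, height_cm, iris_color, fingerprint_type, iris_code) -> bool:
        """Emergency path: no key needed, but both biometric levels must pass."""
        h, color, fp = self.basic
        level1 = (abs(height_cm - h) <= HEIGHT_TOLERANCE_CM
                  and iris_color == color and fingerprint_type == fp)
        # Level 2 (iris pattern) only counts once the coarse level-1 screen passes.
        return level1 and bit_distance(self.iris_code, iris_code) <= IRIS_MAX_DISTANCE
```

The emergency path tolerates measurement noise (a slightly different height reading, a few flipped iris-code bits) so that a legitimate responder is not locked out, which is the safety requirement the schemes above have to meet.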

Next, the HCI aspect of IMDs is equally important and requires attention when implementing security measures. An important issue is which measures are acceptable to doctors and patients in terms of usability, safety and even appearance. Is a beeping speaker on one’s chest, proposed as one security technique in [1], acceptable to the patient? In research conducted by Denning et al. [10], the authors interviewed 13 individuals who had been using pacemakers. They presented various security measures to them: a password visibly tattooed on the body, a password tattooed on the body that is only visible under UV light, a wristband that stops all unauthenticated communication unless it is removed, a similar wristband with added functionality such as making a 911 call in case of emergency, and a critically aware IMD that provides access to anyone in case of emergency. The majority of the participants were opposed to the idea of body modification (tattoo) due to personal values. Behavioral modification (wristband) also received some opposition, but the extra features made it more palatable. Finally, many individuals were skeptical about the critically aware IMD, as it provided access to anyone in case of emergency. So, all in all, the wristband with extra features emerged as the winner. Some people had a problem with it because it disclosed their condition to other people and constantly reminded them of it.

I think this is an interesting design space where a more efficient and amenable design is yet to emerge. Now that the FDA has acknowledged that the security of IMDs is a growing concern [11], I am curiously waiting to see what type of recommendations and regulations the FDA will put in place and what IMD manufacturers will finally incorporate as security features.

References:

[1] Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel. 2008. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP ’08). IEEE Computer Society, Washington, DC

[2] http://www.sciencedaily.com/releases/2008/03/080312134128.htm

[3] http://securitymanagement.com/news/implantable-medical-devices-hacks-and-countermeasures-008878

[4] http://mullingsgroup.com/the-hack-able-body-are-device-makers-doing-enough-to-shield-patients-from-hackers/

[5] http://www.nytimes.com/2008/03/12/business/12heart-web.html

[6] Wayne Burleson, Shane S. Clark, Benjamin Ransford, and Kevin Fu. 2012. Design challenges for secure implantable medical devices. In Proceedings of the 49th Annual Design Automation Conference (DAC ’12). ACM, New York

[7] Fei Hu, Qi Hao, and Marcin Lukowiak. 2011. Implantable medical device communication security: pattern vs. signal encryption. In Proceedings of the 2nd USENIX conference on Health security and privacy (HealthSec’11). USENIX Association, Berkeley, CA, USA

[8] Hei, Xiali, and Xiaojiang Du. Biometric-based two-level secure access control for implantable medical devices during emergencies. In INFOCOM, 2011 Proceedings IEEE, 2011

[9] Xu, Fengyuan, Zhengrui Qin, Chiu C. Tan, Baosheng Wang, and Qun Li. IMDGuard: Securing implantable medical devices with the external wearable guardian. In INFOCOM, 2011 Proceedings IEEE, 2011

[10] Denning, Tamara, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel. Patients, pacemakers, and implantable defibrillators: Human values and security for wireless implantable medical devices. In Proceedings of the 28th international conference on Human factors in computing systems, ACM, 2010.

[11] http://www.databreachtoday.com/fda-tackling-medical-device-security-a-5210
