b1kohFINAL2

8/4/2019 b1kohFINAL2

1/11

2008 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or

for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be

obtained from the IEEE.

For more information, please see www. ieee.org/web/publications/rights/index.html.

MOBILE AND UBIQUITOUS SYSTEMSwww.computer.org/pervasive

Security and Privacy for Implantable Medical Devices

Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H.Maisel

Vol. 7, No. 1JanuaryMarch 2008

This material is presented to ensure timely dissemination of scholarly and technicalwork. Copyright and all rights therein are retained by authors or by other copyrightholders. All persons copying this information are expected to adhere to the termsand constraints invoked by each author's copyright. In most cases, these works

may not be reposted without the explicit permission of the copyright holder.


2/11

30 PERVASIVEcomputing Published by the IEEE CS n1536-1268/08/$25.002008IEEE

I m p l a n t a b l e e l e c t r o n I c s

seuiy nd pivyf Ilnble medilDevie

Protecting implantable medical devices against attack without

compromising patient health requires balancing security and privacy

goals with traditional goals such as safety and utility.

Implantable medical devices monitor and

treat physiological conditions within the

body. These devicesincluding pace-

makers, implantable cardiac debrilla-

tors (ICDs), drug delivery systems, and

neurostimulatorscan help manage a broad

range o ailments, such as cardiac arrhythmia,

diabetes, and Parkinsons disease (see the Pace-

makers and Implantable Cardiac Debrillators

sidebar). IMDs pervasivenesscontinues to swell, with upward

o 25 million US citizens cur-

rently reliant on them or lie-

critical unctions.1 Growth is

spurred by geriatric care o the

aging baby-boomer generation,

and new therapies continually

emerge or chronic conditions

ranging rom pediatric type 1

diabetes to anorgasmia and

other sexual dysunctions.

Moreover, the latest IMDs

support delivery o telemetry

or remote monitoring over

long-range, high-bandwidth

wireless links, and emerging devices will com-

municate with other interoperating IMDs.

Despite these advances in IMD technolo-

gies, our understanding o how device security

and privacy interact with and aect medical

saety and treatment ecacy is still limited.

Established methods or providing saety and

preventing unintentional accidents (such as ID

numbers and redundancy) dont prevent inten-

tional ailures and other security and privacy

problems (such as replay attacks). Balancing

security and privacy with saety and ecacy

will become increasingly important as IMD

technologies evolve. To quote Paul Jones rom

the US Food and Drug Administration, The

issue o medical device security is in its inancy.

This is because, to date, most devices have been

isolated rom networks and do not interoperate.

This paradigm is changing now, creating newchallenges in medical device design(personal

communication, Aug. 2007).

We present a general ramework or evaluat-

ing the security and privacy o next-generation

wireless IMDs. Whereas others have considered

specic mechanisms or improving device secu-

rity and privacy, such as the use o physiological

values as encryption keys or inter-IMD commu-

nication (see the Related Work in Implantable-

Medical-Device Security sidebar),2we ask a

broader question: What should be the security

and privacy design goals or IMDs? When we

evaluate these goals in the broader context o

practical, clinical deployment scenarios, we nd

inherent tensions between them and traditional

goals such as saety and utility. To urther com-

plicate matters, the balance between security,

privacy, saety, and utility might dier depend-

ing on the IMD in question. We also present a

set o possible research directions or mitigating

these tensions. Our ramework and ollow-on

research will help provide a oundation or IMD

manuacturersas well as regulatory bodies

such as the FDAto evaluate, understand, and

Daniel Halperin

and Tadayoshi KohnoUniversity of Washington

Thomas S. Heydt-Benjaminand Kevin FuUniversity of Massachusetts

Amherst

William H. MaiselBeth Israel Deaconess

Medical Center

and Harvard Medical School


3/11

JANUARYMARCH2008 PERVASIVEcomputing 31

address the security and privacy chal-lenges created by next-generation wire-

less IMDs.

ciei f ilnbleedil devie

We suggest several candidate crite-

ria or IMDs. A particular criterions

applicability might vary, depending on

the type o IMD.

sfey nd uiliy gl

Traditional IMD design goalsinclude saetythe IMD should net

much greater good than harmand

utilitythe IMD should be useul to

both clinicians and patients. For our

purposes, these goals encompass other

goals, such as reliability and treatment

ecacy. Our survey o utility and saety

goals or IMDs ocuses on those that

potentially confict with IMD security

and privacy.

Data access.Data should be availableto appropriate entities. For example,

many devices must report measured

data to healthcare proessionals or cer-

tain physiological values to patients.

In emergency situations, IMDs can

provide useul inormation to medical

proessionals when other records might

be unavailable. Many existing devices

present inormation such as a patients

name and sometimes a stored diagnosis

and history o treatments. They could

also contain medical characteristics

such as allergies and medications.

Data accuracy.Measured and stored

data should be accurate. For patient

monitoring and treatment, this data

includes not only measurements o

physiological events but also a notion

o when those events occurred.

Device identifcation.An IMD should

make its presence and type known to

authorized entities. A caregiver re-

quently needs to be aware o an IMDspresence. For example, an ICD should

be deactivated beore surgery. For this

reason, the FDA recently considered

attaching remotely readable RFID tags

to implanted devices.3

Conigurability. Authorized entities

should be able to change appropriate

IMD settings. For example, doctors

should be able to choose which thera-

pies an ICD will deliver, and patients

with devices such as open-loop insu-lin pumps need partial control over the

settings.

Updatable sotware.Authorized entities

should be able to upgrade IMD rm-

ware and applications. Appropriately

engineered updates can be the saest

way to recall certain classes o IMDs

because the physical explantation o

some devicessuch as pacemakers

and ICDscan lead to serious inec-

tion and death.

Multidevice coordination. Although

some examples o inter-IMD commu-

nications exist (such as contralateral

routing o signal [CROS] hearing aids),

projected uture IMD uses involve

more advanced coordinated activities.4

For example, a uture closed-loop insu-

lin delivery system might automatically

adjust an implanted insulin pumps set-

tings on the basis o a continuous glu-

cose monitors readings.

Auditable.In the event o a ailure, the

manuacturer should be able to audit

the devices operational history. The

data necessary or the audit might di-

er rom the data exposed to healthcareproessionals and patients via typical

data access.

Resource efcient. To maximize device

lietime, IMDs should minimize power

consumption. Newer IMDs enhanced

with wireless communications will

expend more energy than their passive

predecessors, so they must minimize

computation and communication.

IMD sotware should also minimize

data storage requirements.

seuiy nd ivy gl

To understand the unique challenges

o balancing security and privacy with

saety and eectiveness, we rst review

how the standard principles o com-

puter securityincluding condential-

ity, integrity, and availabilityextend

to IMDs. We ocus on security and pri-

vacy goals or IMDs themselves, deer-

ring to other works or a discussion o

how to protect a patients IMD data

ater its stored on a back-end server

(see the Related Work in Implantable-

Medical-Device Security sidebar).

Authorization.Many goals o secure

IMD design revolve around authoriza-

tion, which has several broad catego-

ries:

Personal authorization. Specifc sets o

people can perorm specifc tasks. For

example, patients or primary-care phy-

sicians might be granted specifc rights

ater authentication o their personal

identities. Depending on the authen-

tication scheme, these rights might be

Intheeventoaailure,themanuacturer

shouldbeabletoaudittheimplantablemedical

devicesoperationalhistory.


4/11

32 PERVASIVEcomputing www.computer.org/pervasive

Implantable electronIcs

delegatable to other entities.

Role-based authorization. An entity

is authorized or a set o tasks on the

basis o its role, such as physician or

ambulance computer. The device

manuacturer might also have special

role-based access to the device.

IMD selection. When an external

entity communicates with one or more

IMDs, it must ensure it communicates

with only the intended devices.

Authorization and authentication in a

medical setting can be highly sensitive to

context. For example, a device might be

congured to relax authorization rules

i it detects an emergency condition,

under the assumption that the patient

will suer less harm rom weakly autho-

rized (or even anonymous) intervention

than rom no intervention. Such context

awareness or IMDs is related to the

criticality-aware access-control model.5

Regardless o policy, an IMD should

BothpacemakersandICDsaredesignedtotreatabnormalheartconditions.Aboutthesizeoapager,eachdeviceis

connectedtotheheartviaelectrodesandcontinuouslymoni-

torstheheartrhythm.Pacemakersautomaticallydeliverlow-

energysignalstothehearttocausethehearttobeatwhenthe

heartrateslows.ModernICDsincludepacemakerunctions

butcanalsodeliverhigh-voltagetherapytotheheartmuscleto

shockdangerouslyastheartrhythmsbacktonormal.Pacemak-

ersandICDshavesavedinnumerablelives, 1andthenumbero

ICDimplantswillsoonexceed250,000annually. 2

Internals

PacemakersandICDstypicallyconsistoasealed,battery-powered,sensor-ladenpulsegenerator;severalsteroid-tipped,

wireelectrodes(leads)thatconnectthegeneratortothemyo-

cardium(heartmuscle);andacustomultralow-powermicro-

processor,typicallywithabout128KbytesoRAMortelemetry

storage.3Thedevicesprimaryunctionistosensecardiac

events,executetherapies,andstoremeasurementssuchas

electrocardiograms.Healthcareproessionalsconguretheset-tingsonpacemakersandICDsusinganexternaldevicecalleda

programmer.

PacemakersandICDsotencontainhigh-capacitylithium-

basedbatteriesthatlastvetosevenyears. 4Rechargeable

batteriesareextremelyrare,orpractical,economic,andsaety

reasons.Devicelietimedependsonthetreatmentsrequired.

Whereaspacingpulsesconsumeonlyabout25 J,eachICD

shockconsumes14to40J.4Asingledebrillationcanreduce

theICDslietimebyweeks.

Wireless communications

PreviousgenerationsopacemakersandICDscommunicatedatlowrequencies(near175kHz)withashortreadrange(8cm)

andusedlow-bandwidth(50Kbitspersecond)inductivecou-

plingtorelaytelemetryandmodiytherapies.5Moderndevices

usetheMedicalImplantCommunicationsService,whichoper-

atesinthe402-to405-MHzbandandallowsormuchhigher

bandwidth(250Kbps)andlongerreadrange(speciedattwo

telephony orinerne Proocol

nework

Bae aon

server

Phycancompuer

iP neworkWireless

Fire A. Recet ipatabe cardiac defbriatr prvide e itri via wiree bae tati tat reay data t dctr

wit Web acce.

peke nd Ilnble cdi Defibill


5/11


have the technological means to enorce

the authorization goals.

Availability. An adversary should not be

able to mount a successul denial-o-ser-

vice (DoS) attack against an IMD. For

example, an adversary should not be

able to drain a devices battery, overfow

its internal data storage media, or jam

any IMD communications channel.

Device sotware and settings. Only

authorized parties should be allowed to

modiy an IMD or to otherwise trigger

specic device behavior (or example,

an outsider should not be able to trigger

an ICDs test mode, which could induce

heart ailure). Physicians or device man-

uacturers should place bounds on the

settings available to patients to prevent

them rom accidentally or intention-

ally harming themselves (or instance,

patients should not be able to increase

morphine delivery rom an implanted

tovemeters).5AsgureAillustrates,majorpacemakerandICDmanuacturersnowproduceat-homemonitorsthatwirelessly

collectdataromimplanteddevicesandrelayittoacentral

repositoryoveradialupconnection.Therepositoryisaccessible

todoctorsviaanSSL-protectedWebsite.

ReliabilityAlthoughpacemakersandICDsotensavelives,theycan

occasionallymalunction.Saetyissuesinvolvingthesedevices

havereceivedmuchattention.Since1990theUSFoodand

DrugAdministrationhasissueddozensoproductadvisories

aectinghundredsothousandsopacemakersandICDs.6

Thesestatisticsshowthat41percentodevicerecallswereduetomalunctionsinrmware(216,533outo523,145devices).

Additionaldeviceprogrammingglitchesremain,asevidenced

byaclockunctionabnormalitythatwerecentlyobservedina

clinicalsetting(seegureB).

Theseproblemsexistenceunderscorespotentialhazards

thatcomewithincreasinglysophisticatedimplantablemedical

devices.Pastabnormalitiessuracedunderaccidentalcircum-stances.Thepotentialorintentionallymaliciousbehaviorcalls

oradeeperinvestigationintoIMDsaetyromasecurityand

privacyperspective.

RefeRences

1.W.Maisel,SaetyIssuesInvolvingMedicalDevices,J. Am. Medical

Assoc.,vol.294,no.8,2005,pp.955958.

2.M.Carlsonetal.,RecommendationsromtheHeartRhythmSociety

TaskForceonDevicePerormancePoliciesandGuidelines,Heart

Rhythm,vol.3,no.10,2006,pp.12501273.

3.C.IsraelandS.Barold,PacemakerSystemsasImplantableCardiac

RhythmMonitors,Am. J. Cardiology,Aug.2001,pp.442445.

4.J.Webster,ed.,Design of Cardiac Pacemakers,IEEEPress,1995.

5.H.Savcietal.,MICSTransceivers:RegulatoryStandardsandApplica-

tions[MedicalImplantCommunicationsService],Proc. IEEE South-

eastCon 2005,IEEEPress,2005,pp.179182.

6.W.Maiseletal.,RecallsandSaetyAlerts

InvolvingPacemakersandImplantable

Cardioverter-DebrillatorGenerators,J.

Am. Medical Assoc.,vol.286,no.7,2001,

pp.793799.

Fire B. A reprt r a patiet

rtie ICD cec. Trt te

device ietie, 1,230 arrytia

epide ave ccrred ad bee

ataticay recrded (c 1).

Epide wit ier ber ccr

ater epide wit wer ber.

Yet, te ICD icrrecty te te

date ad tie r epide 1,229 ad

1,230, reprti te a ccrri

i 2005 we tey actay ccrred

i 2007.


6/11



pump). Similarly, the physician can

have access to modiy most device set-

tings but should not have unrestricted

access to the audit logs or debug modes.

IMDs should only accept authorized

rmware updates.

Device-existence privacy. An unau-

thorized party should not be able to

remotely determine that a patient has

one or more IMDs. An adversary might

be a potential employer willing to dis-

criminate against the ill, a member o an

organized-crime group seeking to sell a

valuable device, or, in the case o mili-

tary personnel, an enemy operative.

Device-type privacy. I a device reveals

its existence, its type should still only be

disclosed to authorized entities. Patients

might not wish to broadcast that they

have a particular device or many rea-

sons. For example, the device might

treat a condition with a social stigma,

it might be associated with a terminal

condition, or it might be extremely

expensive.

Specifc-device ID privacy. An adversary

should not be able to wirelessly track

individual IMDs. This is analogous to

the concern about the use o persistent

identiers in RFIDs,6 Bluetooth,7 and

802.11 media access control (MAC)

addresses8to compromise an individ-

uals location privacy.

Measurement and log privacy. Con-

sistent with standard medical privacy

practices, an unauthorized party should

not be able to learn private inormation

about the measurements or audit log

data stored on the device. The adversary

should also not be able to learn private

inormation about ongoing telemetry.

Bearer privacy. An adversary should not

be able to exploit an IMDs properties

to identiy the bearer or extract private

(nonmeasurement) inormation about

the patient. This inormation includes

a patients name, medical history, or

detailed diagnoses.

Data integrity. An adversary should

Muchresearchocusesonsecuringcomputer-basedmedicaldevicesagainstunintentionalailures,suchas

accidentsinradiationtreatmentsromtheTherac-25.1Interest

inprotectingthesedevicesagainstintentionalailuresisincreas-

ing.Inasurveyocurrentsecuritydirectionsinpervasivehealth-

care,KrishnaVenkatasubramanianandSandeepGuptaocuson

theseaspects:2

ecientmethodsorsecurelycommunicatingwithmedical

sensors,includingIMDs(suchasBioSecsuseophysiological

valuesascryptographickeys);

controllingaccesstopatientdataateraggregationintoa

managementplane(MarciMeingast,TanyaRoosta,andShankarSastryprovideanotherdiscussion3);and

legislativeapproachesorimprovingsecurity.

AlthoughothersconsiderthesecurityandprivacyoIMDdata

managementbyexternalapplications,ourresearchocuseson

thechallengesanddesigncriteriainherentinIMDsthemselves.

EvenwhenocusingsolelyonIMDs,wendundamentaltensions

betweenthesecurity,privacy,saety,andutilitygoalsparticu-

larlywhenevaluatingthesegoalsinthebroadercontextorealistic

usagescenarios.Simplyusingsecurecommunicationsprotocols

cantsolvethesetensions.Findingasuitablebalancebetween

thesetensionsisnontrivial.JohnHalamkaandhiscolleaguesbeganthisprocessinthecontextotheVeriChipRFIDtag,alow-

endimplantabledevice.4TheyconcludedthattheVeriChiptag

shouldntbeusedorcertainsecurity-sensitivepurposes.Jason

Hongandhiscolleagues considermodelsortacklingtheproblemobalancedprivacyorubiquitouscomputingsystems.5

Althoughmanyotheissuesweraiseareapplicabletonon-

IMDmedicaldevices,IMDshaveuniquecharacteristics.For

example,replacingcertainIMDsthroughsurgerycanberisky,

andevendeadly,6socertainIMDsshouldhavelongbatterylives

orberemotelyrechargeable.Additionally,unlikeothermedical

devices,IMDsaredesignedtobepartoapatientseveryday,

nonclinicalactivities,thusincreasingtheopportunityorsecu-

rityorprivacyviolations.

RefeRences

1.N.G.LevesonandC.S.Turner,AnInvestigationotheTherac-25Accidents,Computer,vol.26,no.7,1993,pp.1841.

2.K.VenkatasubramanianandS.Gupta,SecurityorPervasiveHealth-

care,Security in Distributed, Grid, Mobile, and Pervasive Computing,Y.

Xiao,ed.,CRCPress,2007,pp.349366.

3.M.Meingast,T.Roosta,andS.Sastry,SecurityandPrivacyIssues

withHealthCareInormationTechnology,Proc. Intl Conf. Eng. Medi-

cine and Biology Soc.(EMBS06),IEEEPress,2006,pp.54535458.

4. J.Halamkaetal.,TheSecurityImplicationsoVeriChipCloning,J.

Am. Medical Informatics Assoc.,vol.13,no.6,2006,pp.601607.

5. J.Hongetal.,PrivacyRiskModelsorDesigningPrivacy-Sensitive

UbiquitousComputingSystems,Proc. 5th Conf. Designing Interactive

Systems(DIS04),ACMPress,2004,pp.91100.

6. P.GouldandA.Krahn,ComplicationsAssociatedwithImplantable

Cardioverter-DebrillatorReplacementinResponsetoDeviceAdviso-

ries,J. Am. Medical Assoc.,vol.295,no.16,2006,pp.19071911.

reled Wk in Ilnble-medil-Devie seuiy


7/11


not be able to tamper with past devicemeasurements or log les or induce spe-

cious modications into uture data.

No one should be able to change when

an event occurred, modiy its physi-

ological properties, or delete old events

and insert new ones. A patients name,

diagnoses, and other stored data should

be tamper-proo.

cle f dveie

No treatment o security is complete

without a discussion o adversarialresources. For our purposes, the set o

adversaries includes, but isnt limited

to, these:

Passive adversaries. Such adversar-

ies eavesdrop on signals (both inten-

tional and side-channel) transmitted

by the IMD and by other entities

communicating with the IMD.

Active adversaries. These adversar-

ies can also interere with legitimate

communications and initiate mali-cious communications with IMDs

and external equipment.

Coordinated adversaries. Two or

more adversaries might coordinate

their activitiesor example, one

adversary would be near a patient

and another near a legitimate IMD

programmer.

Insiders. Insiders can be poten-

tial adversaries. Examples include

healthcare proessionals, sotware

developers, hardware engineers, and,

in some cases, patients themselves.

We urther subdivide each o these

categories by the equipment the adver-

saries use:

Standard equipment. Adversaries

might use commercial equipment or

malicious purposes. For instance,

they might steal a device program-

mer rom a clinic.

Custom equipment. Adversaries

might develop home-brewed equip-ment or eavesdropping or active

attacks. This equipment could have

additional ampliication, iltering,

and directional antennas, and isnt

limited to legal bounds on transmit-

ter power or other parameters.

teninAs we mentioned earlier, inherent

tensions exist between some security

and privacy goals and traditional goals

such as utility and saety.

seuiy veu eibiliy

Consider two scenarios.

In the rst scenario, an unconscious

patient with one or more IMDs enters

an emergency room, perhaps in a or-

eign country or developing region.

Emergency-room personnel quickly

determine the types o IMDs the patient

has. The sta then use standard equip-

ment to interrogate the IMDs, extract

critical physiological inormation, andtreat the patient, including altering IMD

settings and even rmware as appropri-

ate. Because the patient is alone and has

no orm o identication, the sta also

extracts the patients name and other

pertinent inormation rom the data

stored on the IMDs.

This scenario corresponds to the cur-

rent technology in deployed IMDs and

external programmers.

In the second scenario, a patient

explicitly controls which individu-

alsor specic external devicescan

interact with his or her IMDs. The

IMDs use strong access-control and

cryptographic mechanisms to prevent

unauthorized exposure o data andunauthorized changes to settings. The

IMDs also use mechanisms to provide

bearer, specic-device ID, device-type,

and device-existence privacy.

In this scenario, most o our security

criteria are met.

Notice how these two scenarios are

diametrically opposed. I a patients

IMDs use strong security mechanisms,

as outlined in the second scenario, the

equipment in an unamiliar emergency

room wont be authorized to discover,access, or otherwise interact with the

patients IMDs. The emergency-room

technicians wouldnt have access to

inormation about the patients physi-

ological state immediately beore his or

her admittance to the hospital. Without

knowledge o IMD existence, admin-

istered care could be dangerous, and

the inability to alter settings or deac-

tivate IMDs might prevent necessary

treatment because some IMDs (such as

ICDs) might need to be deactivated toavoid risk o injury to the surgeons.

The most natural approach or pro-

viding access to an IMD in emergency

situations would be to incorporate back

doors or emergency-room equipment.

However, an adversary could exploit

the back doors.

seuiy veu devie eue

Strong security mechanisms, such as

public-key cryptography, can be expen-

sive in terms o both computational

time and energy consumption. As with

general sensor networks, the use o

cryptography can thereore create ten-

sion between security and some IMDs

Theuseocryptographycancreatetension

betweensecurityandsomeimplantablemedical

deviceslongevityandperormancegoals.


8/11



longevity and perormance goals. More-over, increasing resource use or secure

communications can ampliy the eects

o certain malicious DoS attacks, such

as repeated attempts to authenticate.

For security, IMDs might also wish to

keep detailed records o all transactions

with external devices (we elaborate on

this later). These transaction logs could

potentially overfow a devices onboard

memory, particularly under DoS attacks

or when an adversary explicitly seeks to

exhaust a devices memory.

seuiy veu ubiliy

The standard tension between security

and usability also applies to IMDs. From

a usability perspective, long-distance

wireless communication between IMDs

and external devices oers many advan-

tages, including continuous at-home

monitoring and fexibility in clinical set-

tings. But, rom a security perspective,

wider-range wireless communications

increases exposure to both passive andactive adversaries. In the Medical Implant

Communications Service (MICS) band,

an attacker with limited resources might

extend the specications ve-meter dis-

tance using a directional antenna and an

inexpensive amplier.

Furthermore, the careul addition

o new security mechanisms shouldnt

overly complicate user interaces on

the external devices, particularly when

healthcare proessionals must make

quick decisions during emergency care.

reeh dieinAlthough completely eliminating

tensions between the various goals

or IMDs might be impossible, severaldirections deserve urther research

and exploration. We conne ourselves

primarily to a high-level examination

o these directions, some o which we

plan to build on in uture research. We

ocus on security- and privacy-related

research; other advances in technology

(such as longer battery lives or saer

methods or device replacement) might

also mitigate some tensions.

Fine-gined e nlThe two scenarios we described dem-

onstrate a tension between open access

to devices during emergency situations

and the use o prespeciied access-

control lists. In the rst scenario, emer-

gency caregivers will be able to com-

municate with a patients IMD, but so

will an adversary. Conversely, the lat-

ter scenario could prevent adversarial

access to an IMD but will also lock out

an emergency caregiver.

I we assume that emergency tech-nicians external programmers will

always be connected to the Internet,

easing the tension between these two

goals might be possible. The program-

mer could rst interrogate the patients

IMD to learn the devices manuacturer,

model, serial number, and possibly the

patients primary-care acility. The pro-

grammer could then contact the manu-

acturer or primary-care acility. The

manuacturer or primary-care acility

could review the request and, much like

the Grey system,9 issue a signed creden-

tial granting the programmer the rights

to access specic IMD unctions or a

specied time period.

This approach would help ensurethat the manuacturer or primary-care

acility has ultimate control over which

external devices can interact with a par-

ticular IMD. However, this approach

isnt conducive to specic-device ID

privacy. It might also introduce saety

concerns i the Internet connection

between the emergency technicians

programmer and the device manuac-

turer or primary-care acility is slow,

severed, or otherwise aulty.

oen e wih evin

nd end-f uheniin

The medical community might decide

that its sucient to always allow com-

mercial medical equipment to access

IMDs i it is possible to revoke or limit

access rom lost or stolen equipment. For

example, revocation could occur implic-

itly through automatically expiring cer-

ticates or IMD programmers. These

certicates should be hard to re-obtain

without proper medical credentials,should be stored in secure hardware,

and might be distributed hierarchically

in a clinic. However, this approach

exposes IMDs to compromised equip-

ment or short periods, requires them to

have a secure and robust notion o time,

and opens a caregiver to potential DoS

attacks through the certicate distribu-

tion system. The requirement to coor-

dinate the use o such an inrastructure

across international boundaries or it to

unction on a global scale might limit

its potential.

IMD programmers could also

require a secondary authentication

token, such as a smart card, tied to a

medical proessionals identity. Requir-

ing such tokens could urther limit

unauthorized parties use o legitimate

medical equipment, although it might

also decrease usability and increase

emergency response time. Alterna-

tively, manuacturers might be able to

extend sophisticated ederated iden-

Fromasecurityperspective,wider-range

wirelesscommunicationsincreasesexposureto

bothpassiveandactiveadversaries.


9/11


tity management rameworks to IMDenvironments. However, they must bal-

ance these systems with, or example,

resource limitations and the size o the

trusted computing base.

aunbiliy

Although preventing malicious

activities at all times is impossible, it

might be possible to deter such activi-

ties by correlating them with an exter-

nal programmer or entity. Specically,

all IMD setting modications, as wellas all data accesses, could be recorded

securely on the IMD (in addition to

any logs stored on the programmer)

that is, in a cryptographic audit log

that cant be undetectably modied.10

Physicians could review this log during

clinic visits or ater detecting certain

anomalies in a patients care. Although

current IMDs keep audit logs or the

purposes o investigating potential

malunctions, we havent seen any pub-

lic discussion o their cryptographicsecurity.

Such an audit log would, however, be

meaningless i an external device could

claim any identity it choosesthe

serial number o an external device or

programmer shouldnt by itsel act as

an identity. Rather, we recommend that

legitimate external devices use secure

hardware to store credentialsinclud-

ing private keys and the corresponding

signed certicatesand authenticate

themselves to the IMDs beore each

transaction. Together, the secure audit

logs and the secure identiers could let

an IMD auditor associate individual

transactions with the devices perorm-

ing them. With second-actor authenti-

cation, as we proposed earlier, an audi-

tor could also correlate transactional

history with a particular healthcare

proessional.

To address potential DoS attacks

against the audit logs memory size, the

IMDs could periodically ofoad veri-

able portions o the audit log to trustedexternal devices.

pien wene

vi endy hnnel

Some IMDs provide an audible alert

to signal battery depletion. We recom-

mend using secondary channels to also

inorm patients about their IMDs

security status. An IMD could issue a

notication whenever it establishes a

wireless connection with an external

programmer or whenever a critical set-ting changes. As with secure audit logs,

these noticationsbeeps or vibrations,

or instancewont directly prevent

accidental programming or attacks.However, they might help mitigate acci-

dents or deter attacks because the alerts

would inorm the patient (and possi-

bly bystanders) o the situation and let

them react. Other examples o possible

secondary channels include an at-home

monitor, watch, or phoneall o which

could relay urther visual, auditory, or

tactile inormation about anomalous

security events. Tensions do, however,

remain between the use o these second-

ary channels and patient privacy.

auhizin

vi endy hnnel

Environmental and other second-

ary elements could serve as actors in

authorization. Many existing ICDs,

or example, use near-eld communi-

cation (such as a wand near the chest)

or initial activation. Ater activation,

the physician can program the device

rom a greater distance or a longer

period o time. A programming ses-

sions extended range and longevityincrease exposure or patients because

their IMDs might still be receptive to

long-range wireless communications

ater they leave the clinic. Periodically

requiring a resumption o near-eld

communications between the IMD and

an authorized external device might

thereore be appropriate.

A second approach is to use the built-

in accelerometers already in some IMDs.

For example, an IMD could cease wire-

less communications when it detectsthat its environment has changed sig-

nicantly, perhaps because the patient

stood up rom the examining table or

otherwise let the clinical setting. Bythemselves, both approaches will only

limitnot preventprolonged expo-

sure to adversarial actions.

A separate approach might be to

encrypt the communications between

the programmer and the IMD, using

an encryption key imprinted on a card

or a medical-alert bracelet. Here, visual

access to the card or bracelet acts as a

secondary authorization channel. This

approach might, however, lead to saety

concerns i a patient orgets his or her

card or bracelet and needs urgent emer-

gency care.

shif uin

exenl devie

An adversary might use crypto-

graphic mechanisms to mount a DoS

attack against the IMDs processor,

communications, or battery. A wealth

o research exists on improving net-

work security protocols eiciency

under resource constraintssuch as

Itmightbepossibletodetermalicious

activitiesbycorrelatingthem

withanexternalprogrammerorentity.


10/11



computation ofoading via client puz-

zles11and its worth exploring how to

extend existing DoS limitation methods

rom conventional networks to IMDs.

Although these methods might reduce

a DoS attacks ecacy, they might still

leave IMDs vulnerable to resource

depletion at a lower rate.

Another approach might be to use a

resource-rich device to mediate com-

munication between an IMD and

an external programmer, much like

proposed RFID proxies mediate com-

munication between RFID readers

and RFID tags.12,13 The communica-

tion between the IMD and the media-

torperhaps a smart phone, watch,

or beltcould use lighter-weight sym-

metric encryption and authentication

schemes, whereas the communication

between the mediator and the externalprogrammer could use more expensive

asymmetric cryptographic techniques.

Increasing the number o devices and

protocols involved, however, increases

the size o the overall systems trusted

computing base, which might make

the system harder to secure. For saety,

when the trusted mediator isnt present,

it might be appropriate or the IMD to

ail-open, meaning that caregivers

but also adversariescould interact

with the IMD.

Weve proposed research

directions or miti-

gating the tensions

between the various

goals. However, an ultimate solution

will require experts rom the medical

and security communities, industry,

regulatory bodies, patient advocacy

groups, and all other relevant commu-

nities to collaboratively make decisionson both mechanisms and policies. Our

research team is actively exploring the

above-mentioned research directions,

and we are developing cryptographic

and energy-centric methods or pro-

viding security and privacy at low cost

and without diminishing the ecacy o

primary treatments.

ACknoWlEDgmEnTs

WethankShaneClark,BenessaDeend,David

Eiselen,BarryKaras,WillMorgan,andtheanony-mousreviewersortheireedbackandassistance.

USNationalScienceFoundationgrantsCNS-

0435065,CNS-0520729,andCNS-0627529and

agitromIntelsupportedthisresearch.

REFEREnCEs

1. K. Hanna et al., eds., Innovation andInvention in Medical Devices: WorkshopSummary, US Natl Academy o Sciences,2001.

2. S. Cherukuri, K. Venkatasubramanian,and S. Gupta, BioSec: A Biometric-

theAuThoRs

Daniel HalperinisaPhDcandidateincomputerscienceandengineeringat

theUniversityoWashington.Hisresearchinterestsincludewirelessnetwork-

ing,withacurrentocusoninnovativeusesosotware-denedradios,and

practicalsecurityandprivacyinthewiredandwirelessdigitalandphysicaldomains.HereceivedhisBSincomputerscienceandmathematicsromHar-

veyMuddCollege.HesamemberotheACM,AmericanMathematicalSoci-

ety,andUsenix.ContacthimattheUniv.oWashington,Dept.oComputer

ScienceandEng.,Box352350,Seattle,WA98195;[email protected].

edu.

Thoma s. Heydt-BenjaminisaPhDcandidateincomputerscienceatthe

UniversityoMassachusettsAmherst.Hisresearchinterestsincludetopicsin

computersecurityandprivacyasappliedtomobileandubiquitoussystems.

HereceivedhisMSincomputerscienceromtheUniversityoMassachusetts

Amherst.HesamemberotheACM,theIEEE,theInternationalFinancial

CryptographyAssociation(IFCA),andtheInternationalAssociationorCryp-

tologicResearch.ContacthimattheComputerScienceBldg.,140Governors

Dr.,Amherst,MA01003;[email protected].

Kevin fuisanassistantproessorincomputerscienceattheUniversityo

MassachusettsAmherst,wherehestheprincipalinvestigatorotheRFID

ConsortiumonSecurityandPrivacy.Hisresearchinterestsincludethesecurity

andprivacyopervasivetechnologyincludingRFID,implantablemedical

devices,andlesystems.HereceivedhisPhDinelectricalengineeringand

computerscienceromtheMassachusettsInstituteoTechnology.Hesa

memberoUsenix,theIEEE,andtheACM.ContacthimattheComputerSci-

enceBldg.,140GovernorsDr.,Amherst,MA01003;[email protected].

Tadayohi KohnoisanassistantproessorintheUniversityoWashingtons

DepartmentoComputerScienceandEngineering.Hisresearchinterests

includeprotectingconsumersecurityandprivacyintheaceoevolvingtech-

nologies,rangingromelectronicvotingmachinestopervasivehealthcare

devices.HereceivedhisPhDincomputerscienceromtheUniversityoCali-ornia,SanDiego.HesamemberotheACM,theInternationalAssociationor

CryptologicResearch,theIEEE,andUsenix.ContacthimattheUniv.oWash-

ington,Dept.oComputerScienceandEng.,Box352350,Seattle,WA98195;

[email protected].

William H. Maielisthedirectorothepacemakeranddebrillatorserviceat

BethIsraelDeaconessMedicalCenterandanassistantproessoromedicine

atHarvardMedicalSchool.Hisresearchinterestsinvolvethesaeandeec-

tiveuseocardiovascularmedicaldevicesparticularlyrhythmmanagement

devicessuchaspacemakersandimplantabledebrillators.HereceivedhisMD

romCornellUniversityMedicalCollegeandhisMPHromtheHarvardSchool

oPublicHealth.ContacthimattheCardiovascularDivision,BethIsraelDea-

conessMedicalCenter,185PilgrimRd.,Baker4,Boston,MA02215;wmaisel@

bidmc.harvard.edu.


11/11


Based Approach or Securing Communi-cation in Wireless Networks o BiosensorsImplanted in the Human Body, Proc.Intl Conf. Parallel Processing (ICPP)Workshops, IEEE CS Press, 2003, pp.432439.

3. US Food and Drug Administration,Unique Device Identication; Requestor Comments, Federal Register, vol.71, no. 155, 2006, pp. 46,233 46,236;www.da.gov/OHRMS/DOCKETS/98r/06-6870.htm.

4. T. Drew and M. Gini, Implantable Medi-cal Devices as Agents and Part o Multi-

agent Systems, Proc. 5th Intl Joint Conf.Autonomous Agents and Multiagent Sys-tems (Aamas 06), ACM Press, 2006, pp.15341541.

5. S. Gupta, T. Mukherjee, and K. Venkata-subramanian, Criticality Aware AccessControl Model or Pervasive Applications,Proc. 4th Ann. IEEE Intl Conf. Perva-sive Computing and Comm. (Percom 06),

IEEE CS Press, 2006, pp. 251257.

6. A. Juels, RFID Security and Privacy: AResearch Survey, IEEE J. Selected Areasin Comm., Feb. 2006, pp. 381394.

7. M. Jakobsson and S. Wetzel, SecurityWeaknesses in Bluetooth, Progress inCryptologyCT-RSA 2001: The Cryp-tographers Track at RSA Conf. 2001,LNCS 2020, Springer, 2001, pp. 176191.

8. M. Gruteser and D. Grunwald, AMethodological Assessment o Loca-tion Privacy Risks in Wireless HotspotNetworks, First Intl Conf. Security in

Pervasive Computing, Springer, 2003, pp.1024.

9. L. Bauer et al., Device-Enabled Autho-rization in the Grey System, Proc. 8thIntl Conf. Information Security (ISC 05),Springer, 2005, pp. 431445.

10. B. Schneier and J. Kelsey, CryptographicSupport or Secure Logs on Untrusted

Machines, Proc. Usenix Security Symp.,Usenix Press, 1998, pp. 5362.

11. A. Juels and J. Brainard, Client Puzzles:A Cryptographic Countermeasure againstConnection Depletion Attacks, Proc. Net-work and System Security Symp. (NDSS99), Internet Soc., 1999, pp. 151165.

12. A. Juels, P. Syverson, and D. Bailey,High-Power Proxies or EnhancingRFID Privacy and Utility, PrivacyEnhancing Technologies, LNCS 3856,Springer, 2005, pp. 210226.

13. M. Rieback, B. Crispo, and A. Tanen-

baum, RFID Guardian: A Battery-Pow-ered Mobile Device or RFID PrivacyManagement, Proc. 10th AustralasianConf. Information Security and Privacy(Acisp 05), LNCS 3574, Springer, 2005,pp. 184194.

Formoreinormationonthisoranyothercom-

putingtopic,pleasevisitourDigitalLibraryat

www.computer.org/csdl.

a d v e r t i s e r i n d e x J a n U a r Y M a r c h 2 0 0 8

Advrtir/Produt Pag numbr

Prcom 2008 covr 3

Advrtiig Prol

MarianAndersonAdvertisingCoordinatorPhone:+17148218380Fax:+17148214010Email:[email protected]

SandyBrownIEEEComputerSociety,BusinessDevelopmentManagerPhone:+17148218380Fax:+17148214010Email:[email protected]

Advrtiig sal Rprtativ

MidAtlantic(product/recruitment)DawnBeckerPhone: +17327720160Fax: +17327720164Email:[email protected]

NewEngland(product)JodyEstabrookPhone: +19782440192

Fax: +19782440103Email:[email protected]

NewEngland(recruitment)JohnRestchackPhone: +12124197578Fax: +12124197589Email:[email protected]

Connecticut(product)StanGreeneldPhone: +12039382418Fax: +12039383211Email:[email protected](product)SteveLoerch

Phone: +18474984520Fax +18474985911Email:[email protected]

Northwest(product)LoriKehoePhone: +16504583051Fax: +16504583052

Email:[email protected]

SouthernCA(product)MarshallRubinPhone: +18188882407Fax: +18188884907Email:[email protected]

Northwest/SouthernCA(recruitment)TimMattesonPhone: +13108364064Fax: +13108364067Email:[email protected]

Midwest(product)DaveJonesPhone: +17084425633Fax: +17084427620Email:[email protected]

WillHamiltonPhone: +12693812156Fax: +12693812556

Email:[email protected]

JoeDiNardoPhone: +14402482456Fax: +14402482594Email:[email protected]

Southeast(recruitment)ThomasM.FlynnPhone: +17706452944Fax: +17709934423Email:[email protected]

Midwest/Southwest(recruitment)DarcyGiovingoPhone: +1847498-4520Fax: +1847498-5911Email:[email protected]

Southeast(product)BillHollandPhone: +17704356549

Fax: +17704350243Email:[email protected]

Japan(recruitment)TimMattesonPhone: +13108364064Fax: +13108364067Email:[email protected]

Europe(product)HilaryTurnbullPhone: +441875825700Fax: +441875825701Email:[email protected]

Documents

b1kohFINAL2