Upload
swathipushpa
View
218
Download
0
Embed Size (px)
Citation preview
8/4/2019 b1kohFINAL2
1/11
2008 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or
for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be
obtained from the IEEE.
For more information, please see www. ieee.org/web/publications/rights/index.html.
MOBILE AND UBIQUITOUS SYSTEMSwww.computer.org/pervasive
Security and Privacy for Implantable Medical Devices
Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H.Maisel
Vol. 7, No. 1JanuaryMarch 2008
This material is presented to ensure timely dissemination of scholarly and technicalwork. Copyright and all rights therein are retained by authors or by other copyrightholders. All persons copying this information are expected to adhere to the termsand constraints invoked by each author's copyright. In most cases, these works
may not be reposted without the explicit permission of the copyright holder.
8/4/2019 b1kohFINAL2
2/11
30 PERVASIVEcomputing Published by the IEEE CS n1536-1268/08/$25.002008IEEE
I m p l a n t a b l e e l e c t r o n I c s
seuiy nd pivyf Ilnble medilDevie
Protecting implantable medical devices against attack without
compromising patient health requires balancing security and privacy
goals with traditional goals such as safety and utility.
Implantable medical devices monitor and
treat physiological conditions within the
body. These devicesincluding pace-
makers, implantable cardiac debrilla-
tors (ICDs), drug delivery systems, and
neurostimulatorscan help manage a broad
range o ailments, such as cardiac arrhythmia,
diabetes, and Parkinsons disease (see the Pace-
makers and Implantable Cardiac Debrillators
sidebar). IMDs pervasivenesscontinues to swell, with upward
o 25 million US citizens cur-
rently reliant on them or lie-
critical unctions.1 Growth is
spurred by geriatric care o the
aging baby-boomer generation,
and new therapies continually
emerge or chronic conditions
ranging rom pediatric type 1
diabetes to anorgasmia and
other sexual dysunctions.
Moreover, the latest IMDs
support delivery o telemetry
or remote monitoring over
long-range, high-bandwidth
wireless links, and emerging devices will com-
municate with other interoperating IMDs.
Despite these advances in IMD technolo-
gies, our understanding o how device security
and privacy interact with and aect medical
saety and treatment ecacy is still limited.
Established methods or providing saety and
preventing unintentional accidents (such as ID
numbers and redundancy) dont prevent inten-
tional ailures and other security and privacy
problems (such as replay attacks). Balancing
security and privacy with saety and ecacy
will become increasingly important as IMD
technologies evolve. To quote Paul Jones rom
the US Food and Drug Administration, The
issue o medical device security is in its inancy.
This is because, to date, most devices have been
isolated rom networks and do not interoperate.
This paradigm is changing now, creating newchallenges in medical device design(personal
communication, Aug. 2007).
We present a general ramework or evaluat-
ing the security and privacy o next-generation
wireless IMDs. Whereas others have considered
specic mechanisms or improving device secu-
rity and privacy, such as the use o physiological
values as encryption keys or inter-IMD commu-
nication (see the Related Work in Implantable-
Medical-Device Security sidebar),2we ask a
broader question: What should be the security
and privacy design goals or IMDs? When we
evaluate these goals in the broader context o
practical, clinical deployment scenarios, we nd
inherent tensions between them and traditional
goals such as saety and utility. To urther com-
plicate matters, the balance between security,
privacy, saety, and utility might dier depend-
ing on the IMD in question. We also present a
set o possible research directions or mitigating
these tensions. Our ramework and ollow-on
research will help provide a oundation or IMD
manuacturersas well as regulatory bodies
such as the FDAto evaluate, understand, and
Daniel Halperin
and Tadayoshi KohnoUniversity of Washington
Thomas S. Heydt-Benjaminand Kevin FuUniversity of Massachusetts
Amherst
William H. MaiselBeth Israel Deaconess
Medical Center
and Harvard Medical School
8/4/2019 b1kohFINAL2
3/11
JANUARYMARCH2008 PERVASIVEcomputing 31
address the security and privacy chal-lenges created by next-generation wire-
less IMDs.
ciei f ilnbleedil devie
We suggest several candidate crite-
ria or IMDs. A particular criterions
applicability might vary, depending on
the type o IMD.
sfey nd uiliy gl
Traditional IMD design goalsinclude saetythe IMD should net
much greater good than harmand
utilitythe IMD should be useul to
both clinicians and patients. For our
purposes, these goals encompass other
goals, such as reliability and treatment
ecacy. Our survey o utility and saety
goals or IMDs ocuses on those that
potentially confict with IMD security
and privacy.
Data access.Data should be availableto appropriate entities. For example,
many devices must report measured
data to healthcare proessionals or cer-
tain physiological values to patients.
In emergency situations, IMDs can
provide useul inormation to medical
proessionals when other records might
be unavailable. Many existing devices
present inormation such as a patients
name and sometimes a stored diagnosis
and history o treatments. They could
also contain medical characteristics
such as allergies and medications.
Data accuracy.Measured and stored
data should be accurate. For patient
monitoring and treatment, this data
includes not only measurements o
physiological events but also a notion
o when those events occurred.
Device identifcation.An IMD should
make its presence and type known to
authorized entities. A caregiver re-
quently needs to be aware o an IMDspresence. For example, an ICD should
be deactivated beore surgery. For this
reason, the FDA recently considered
attaching remotely readable RFID tags
to implanted devices.3
Conigurability. Authorized entities
should be able to change appropriate
IMD settings. For example, doctors
should be able to choose which thera-
pies an ICD will deliver, and patients
with devices such as open-loop insu-lin pumps need partial control over the
settings.
Updatable sotware.Authorized entities
should be able to upgrade IMD rm-
ware and applications. Appropriately
engineered updates can be the saest
way to recall certain classes o IMDs
because the physical explantation o
some devicessuch as pacemakers
and ICDscan lead to serious inec-
tion and death.
Multidevice coordination. Although
some examples o inter-IMD commu-
nications exist (such as contralateral
routing o signal [CROS] hearing aids),
projected uture IMD uses involve
more advanced coordinated activities.4
For example, a uture closed-loop insu-
lin delivery system might automatically
adjust an implanted insulin pumps set-
tings on the basis o a continuous glu-
cose monitors readings.
Auditable.In the event o a ailure, the
manuacturer should be able to audit
the devices operational history. The
data necessary or the audit might di-
er rom the data exposed to healthcareproessionals and patients via typical
data access.
Resource efcient. To maximize device
lietime, IMDs should minimize power
consumption. Newer IMDs enhanced
with wireless communications will
expend more energy than their passive
predecessors, so they must minimize
computation and communication.
IMD sotware should also minimize
data storage requirements.
seuiy nd ivy gl
To understand the unique challenges
o balancing security and privacy with
saety and eectiveness, we rst review
how the standard principles o com-
puter securityincluding condential-
ity, integrity, and availabilityextend
to IMDs. We ocus on security and pri-
vacy goals or IMDs themselves, deer-
ring to other works or a discussion o
how to protect a patients IMD data
ater its stored on a back-end server
(see the Related Work in Implantable-
Medical-Device Security sidebar).
Authorization.Many goals o secure
IMD design revolve around authoriza-
tion, which has several broad catego-
ries:
Personal authorization. Specifc sets o
people can perorm specifc tasks. For
example, patients or primary-care phy-
sicians might be granted specifc rights
ater authentication o their personal
identities. Depending on the authen-
tication scheme, these rights might be
Intheeventoaailure,themanuacturer
shouldbeabletoaudittheimplantablemedical
devicesoperationalhistory.
8/4/2019 b1kohFINAL2
4/11
32 PERVASIVEcomputing www.computer.org/pervasive
Implantable electronIcs
delegatable to other entities.
Role-based authorization. An entity
is authorized or a set o tasks on the
basis o its role, such as physician or
ambulance computer. The device
manuacturer might also have special
role-based access to the device.
IMD selection. When an external
entity communicates with one or more
IMDs, it must ensure it communicates
with only the intended devices.
Authorization and authentication in a
medical setting can be highly sensitive to
context. For example, a device might be
congured to relax authorization rules
i it detects an emergency condition,
under the assumption that the patient
will suer less harm rom weakly autho-
rized (or even anonymous) intervention
than rom no intervention. Such context
awareness or IMDs is related to the
criticality-aware access-control model.5
Regardless o policy, an IMD should
BothpacemakersandICDsaredesignedtotreatabnormalheartconditions.Aboutthesizeoapager,eachdeviceis
connectedtotheheartviaelectrodesandcontinuouslymoni-
torstheheartrhythm.Pacemakersautomaticallydeliverlow-
energysignalstothehearttocausethehearttobeatwhenthe
heartrateslows.ModernICDsincludepacemakerunctions
butcanalsodeliverhigh-voltagetherapytotheheartmuscleto
shockdangerouslyastheartrhythmsbacktonormal.Pacemak-
ersandICDshavesavedinnumerablelives, 1andthenumbero
ICDimplantswillsoonexceed250,000annually. 2
Internals
PacemakersandICDstypicallyconsistoasealed,battery-powered,sensor-ladenpulsegenerator;severalsteroid-tipped,
wireelectrodes(leads)thatconnectthegeneratortothemyo-
cardium(heartmuscle);andacustomultralow-powermicro-
processor,typicallywithabout128KbytesoRAMortelemetry
storage.3Thedevicesprimaryunctionistosensecardiac
events,executetherapies,andstoremeasurementssuchas
electrocardiograms.Healthcareproessionalsconguretheset-tingsonpacemakersandICDsusinganexternaldevicecalleda
programmer.
PacemakersandICDsotencontainhigh-capacitylithium-
basedbatteriesthatlastvetosevenyears. 4Rechargeable
batteriesareextremelyrare,orpractical,economic,andsaety
reasons.Devicelietimedependsonthetreatmentsrequired.
Whereaspacingpulsesconsumeonlyabout25 J,eachICD
shockconsumes14to40J.4Asingledebrillationcanreduce
theICDslietimebyweeks.
Wireless communications
PreviousgenerationsopacemakersandICDscommunicatedatlowrequencies(near175kHz)withashortreadrange(8cm)
andusedlow-bandwidth(50Kbitspersecond)inductivecou-
plingtorelaytelemetryandmodiytherapies.5Moderndevices
usetheMedicalImplantCommunicationsService,whichoper-
atesinthe402-to405-MHzbandandallowsormuchhigher
bandwidth(250Kbps)andlongerreadrange(speciedattwo
telephony orinerne Proocol
nework
Bae aon
server
Phycancompuer
iP neworkWireless
Fire A. Recet ipatabe cardiac defbriatr prvide e itri via wiree bae tati tat reay data t dctr
wit Web acce.
peke nd Ilnble cdi Defibill
8/4/2019 b1kohFINAL2
5/11
JANUARYMARCH2008 PERVASIVEcomputing 33
have the technological means to enorce
the authorization goals.
Availability. An adversary should not be
able to mount a successul denial-o-ser-
vice (DoS) attack against an IMD. For
example, an adversary should not be
able to drain a devices battery, overfow
its internal data storage media, or jam
any IMD communications channel.
Device sotware and settings. Only
authorized parties should be allowed to
modiy an IMD or to otherwise trigger
specic device behavior (or example,
an outsider should not be able to trigger
an ICDs test mode, which could induce
heart ailure). Physicians or device man-
uacturers should place bounds on the
settings available to patients to prevent
them rom accidentally or intention-
ally harming themselves (or instance,
patients should not be able to increase
morphine delivery rom an implanted
tovemeters).5AsgureAillustrates,majorpacemakerandICDmanuacturersnowproduceat-homemonitorsthatwirelessly
collectdataromimplanteddevicesandrelayittoacentral
repositoryoveradialupconnection.Therepositoryisaccessible
todoctorsviaanSSL-protectedWebsite.
ReliabilityAlthoughpacemakersandICDsotensavelives,theycan
occasionallymalunction.Saetyissuesinvolvingthesedevices
havereceivedmuchattention.Since1990theUSFoodand
DrugAdministrationhasissueddozensoproductadvisories
aectinghundredsothousandsopacemakersandICDs.6
Thesestatisticsshowthat41percentodevicerecallswereduetomalunctionsinrmware(216,533outo523,145devices).
Additionaldeviceprogrammingglitchesremain,asevidenced
byaclockunctionabnormalitythatwerecentlyobservedina
clinicalsetting(seegureB).
Theseproblemsexistenceunderscorespotentialhazards
thatcomewithincreasinglysophisticatedimplantablemedical
devices.Pastabnormalitiessuracedunderaccidentalcircum-stances.Thepotentialorintentionallymaliciousbehaviorcalls
oradeeperinvestigationintoIMDsaetyromasecurityand
privacyperspective.
RefeRences
1.W.Maisel,SaetyIssuesInvolvingMedicalDevices,J. Am. Medical
Assoc.,vol.294,no.8,2005,pp.955958.
2.M.Carlsonetal.,RecommendationsromtheHeartRhythmSociety
TaskForceonDevicePerormancePoliciesandGuidelines,Heart
Rhythm,vol.3,no.10,2006,pp.12501273.
3.C.IsraelandS.Barold,PacemakerSystemsasImplantableCardiac
RhythmMonitors,Am. J. Cardiology,Aug.2001,pp.442445.
4.J.Webster,ed.,Design of Cardiac Pacemakers,IEEEPress,1995.
5.H.Savcietal.,MICSTransceivers:RegulatoryStandardsandApplica-
tions[MedicalImplantCommunicationsService],Proc. IEEE South-
eastCon 2005,IEEEPress,2005,pp.179182.
6.W.Maiseletal.,RecallsandSaetyAlerts
InvolvingPacemakersandImplantable
Cardioverter-DebrillatorGenerators,J.
Am. Medical Assoc.,vol.286,no.7,2001,
pp.793799.
Fire B. A reprt r a patiet
rtie ICD cec. Trt te
device ietie, 1,230 arrytia
epide ave ccrred ad bee
ataticay recrded (c 1).
Epide wit ier ber ccr
ater epide wit wer ber.
Yet, te ICD icrrecty te te
date ad tie r epide 1,229 ad
1,230, reprti te a ccrri
i 2005 we tey actay ccrred
i 2007.
8/4/2019 b1kohFINAL2
6/11
34 PERVASIVEcomputing www.computer.org/pervasive
Implantable electronIcs
pump). Similarly, the physician can
have access to modiy most device set-
tings but should not have unrestricted
access to the audit logs or debug modes.
IMDs should only accept authorized
rmware updates.
Device-existence privacy. An unau-
thorized party should not be able to
remotely determine that a patient has
one or more IMDs. An adversary might
be a potential employer willing to dis-
criminate against the ill, a member o an
organized-crime group seeking to sell a
valuable device, or, in the case o mili-
tary personnel, an enemy operative.
Device-type privacy. I a device reveals
its existence, its type should still only be
disclosed to authorized entities. Patients
might not wish to broadcast that they
have a particular device or many rea-
sons. For example, the device might
treat a condition with a social stigma,
it might be associated with a terminal
condition, or it might be extremely
expensive.
Specifc-device ID privacy. An adversary
should not be able to wirelessly track
individual IMDs. This is analogous to
the concern about the use o persistent
identiers in RFIDs,6 Bluetooth,7 and
802.11 media access control (MAC)
addresses8to compromise an individ-
uals location privacy.
Measurement and log privacy. Con-
sistent with standard medical privacy
practices, an unauthorized party should
not be able to learn private inormation
about the measurements or audit log
data stored on the device. The adversary
should also not be able to learn private
inormation about ongoing telemetry.
Bearer privacy. An adversary should not
be able to exploit an IMDs properties
to identiy the bearer or extract private
(nonmeasurement) inormation about
the patient. This inormation includes
a patients name, medical history, or
detailed diagnoses.
Data integrity. An adversary should
Muchresearchocusesonsecuringcomputer-basedmedicaldevicesagainstunintentionalailures,suchas
accidentsinradiationtreatmentsromtheTherac-25.1Interest
inprotectingthesedevicesagainstintentionalailuresisincreas-
ing.Inasurveyocurrentsecuritydirectionsinpervasivehealth-
care,KrishnaVenkatasubramanianandSandeepGuptaocuson
theseaspects:2
ecientmethodsorsecurelycommunicatingwithmedical
sensors,includingIMDs(suchasBioSecsuseophysiological
valuesascryptographickeys);
controllingaccesstopatientdataateraggregationintoa
managementplane(MarciMeingast,TanyaRoosta,andShankarSastryprovideanotherdiscussion3);and
legislativeapproachesorimprovingsecurity.
AlthoughothersconsiderthesecurityandprivacyoIMDdata
managementbyexternalapplications,ourresearchocuseson
thechallengesanddesigncriteriainherentinIMDsthemselves.
EvenwhenocusingsolelyonIMDs,wendundamentaltensions
betweenthesecurity,privacy,saety,andutilitygoalsparticu-
larlywhenevaluatingthesegoalsinthebroadercontextorealistic
usagescenarios.Simplyusingsecurecommunicationsprotocols
cantsolvethesetensions.Findingasuitablebalancebetween
thesetensionsisnontrivial.JohnHalamkaandhiscolleaguesbeganthisprocessinthecontextotheVeriChipRFIDtag,alow-
endimplantabledevice.4TheyconcludedthattheVeriChiptag
shouldntbeusedorcertainsecurity-sensitivepurposes.Jason
Hongandhiscolleagues considermodelsortacklingtheproblemobalancedprivacyorubiquitouscomputingsystems.5
Althoughmanyotheissuesweraiseareapplicabletonon-
IMDmedicaldevices,IMDshaveuniquecharacteristics.For
example,replacingcertainIMDsthroughsurgerycanberisky,
andevendeadly,6socertainIMDsshouldhavelongbatterylives
orberemotelyrechargeable.Additionally,unlikeothermedical
devices,IMDsaredesignedtobepartoapatientseveryday,
nonclinicalactivities,thusincreasingtheopportunityorsecu-
rityorprivacyviolations.
RefeRences
1.N.G.LevesonandC.S.Turner,AnInvestigationotheTherac-25Accidents,Computer,vol.26,no.7,1993,pp.1841.
2.K.VenkatasubramanianandS.Gupta,SecurityorPervasiveHealth-
care,Security in Distributed, Grid, Mobile, and Pervasive Computing,Y.
Xiao,ed.,CRCPress,2007,pp.349366.
3.M.Meingast,T.Roosta,andS.Sastry,SecurityandPrivacyIssues
withHealthCareInormationTechnology,Proc. Intl Conf. Eng. Medi-
cine and Biology Soc.(EMBS06),IEEEPress,2006,pp.54535458.
4. J.Halamkaetal.,TheSecurityImplicationsoVeriChipCloning,J.
Am. Medical Informatics Assoc.,vol.13,no.6,2006,pp.601607.
5. J.Hongetal.,PrivacyRiskModelsorDesigningPrivacy-Sensitive
UbiquitousComputingSystems,Proc. 5th Conf. Designing Interactive
Systems(DIS04),ACMPress,2004,pp.91100.
6. P.GouldandA.Krahn,ComplicationsAssociatedwithImplantable
Cardioverter-DebrillatorReplacementinResponsetoDeviceAdviso-
ries,J. Am. Medical Assoc.,vol.295,no.16,2006,pp.19071911.
reled Wk in Ilnble-medil-Devie seuiy
8/4/2019 b1kohFINAL2
7/11
JANUARYMARCH2008 PERVASIVEcomputing 35
not be able to tamper with past devicemeasurements or log les or induce spe-
cious modications into uture data.
No one should be able to change when
an event occurred, modiy its physi-
ological properties, or delete old events
and insert new ones. A patients name,
diagnoses, and other stored data should
be tamper-proo.
cle f dveie
No treatment o security is complete
without a discussion o adversarialresources. For our purposes, the set o
adversaries includes, but isnt limited
to, these:
Passive adversaries. Such adversar-
ies eavesdrop on signals (both inten-
tional and side-channel) transmitted
by the IMD and by other entities
communicating with the IMD.
Active adversaries. These adversar-
ies can also interere with legitimate
communications and initiate mali-cious communications with IMDs
and external equipment.
Coordinated adversaries. Two or
more adversaries might coordinate
their activitiesor example, one
adversary would be near a patient
and another near a legitimate IMD
programmer.
Insiders. Insiders can be poten-
tial adversaries. Examples include
healthcare proessionals, sotware
developers, hardware engineers, and,
in some cases, patients themselves.
We urther subdivide each o these
categories by the equipment the adver-
saries use:
Standard equipment. Adversaries
might use commercial equipment or
malicious purposes. For instance,
they might steal a device program-
mer rom a clinic.
Custom equipment. Adversaries
might develop home-brewed equip-ment or eavesdropping or active
attacks. This equipment could have
additional ampliication, iltering,
and directional antennas, and isnt
limited to legal bounds on transmit-
ter power or other parameters.
teninAs we mentioned earlier, inherent
tensions exist between some security
and privacy goals and traditional goals
such as utility and saety.
seuiy veu eibiliy
Consider two scenarios.
In the rst scenario, an unconscious
patient with one or more IMDs enters
an emergency room, perhaps in a or-
eign country or developing region.
Emergency-room personnel quickly
determine the types o IMDs the patient
has. The sta then use standard equip-
ment to interrogate the IMDs, extract
critical physiological inormation, andtreat the patient, including altering IMD
settings and even rmware as appropri-
ate. Because the patient is alone and has
no orm o identication, the sta also
extracts the patients name and other
pertinent inormation rom the data
stored on the IMDs.
This scenario corresponds to the cur-
rent technology in deployed IMDs and
external programmers.
In the second scenario, a patient
explicitly controls which individu-
alsor specic external devicescan
interact with his or her IMDs. The
IMDs use strong access-control and
cryptographic mechanisms to prevent
unauthorized exposure o data andunauthorized changes to settings. The
IMDs also use mechanisms to provide
bearer, specic-device ID, device-type,
and device-existence privacy.
In this scenario, most o our security
criteria are met.
Notice how these two scenarios are
diametrically opposed. I a patients
IMDs use strong security mechanisms,
as outlined in the second scenario, the
equipment in an unamiliar emergency
room wont be authorized to discover,access, or otherwise interact with the
patients IMDs. The emergency-room
technicians wouldnt have access to
inormation about the patients physi-
ological state immediately beore his or
her admittance to the hospital. Without
knowledge o IMD existence, admin-
istered care could be dangerous, and
the inability to alter settings or deac-
tivate IMDs might prevent necessary
treatment because some IMDs (such as
ICDs) might need to be deactivated toavoid risk o injury to the surgeons.
The most natural approach or pro-
viding access to an IMD in emergency
situations would be to incorporate back
doors or emergency-room equipment.
However, an adversary could exploit
the back doors.
seuiy veu devie eue
Strong security mechanisms, such as
public-key cryptography, can be expen-
sive in terms o both computational
time and energy consumption. As with
general sensor networks, the use o
cryptography can thereore create ten-
sion between security and some IMDs
Theuseocryptographycancreatetension
betweensecurityandsomeimplantablemedical
deviceslongevityandperormancegoals.
8/4/2019 b1kohFINAL2
8/11
36 PERVASIVEcomputing www.computer.org/pervasive
Implantable electronIcs
longevity and perormance goals. More-over, increasing resource use or secure
communications can ampliy the eects
o certain malicious DoS attacks, such
as repeated attempts to authenticate.
For security, IMDs might also wish to
keep detailed records o all transactions
with external devices (we elaborate on
this later). These transaction logs could
potentially overfow a devices onboard
memory, particularly under DoS attacks
or when an adversary explicitly seeks to
exhaust a devices memory.
seuiy veu ubiliy
The standard tension between security
and usability also applies to IMDs. From
a usability perspective, long-distance
wireless communication between IMDs
and external devices oers many advan-
tages, including continuous at-home
monitoring and fexibility in clinical set-
tings. But, rom a security perspective,
wider-range wireless communications
increases exposure to both passive andactive adversaries. In the Medical Implant
Communications Service (MICS) band,
an attacker with limited resources might
extend the specications ve-meter dis-
tance using a directional antenna and an
inexpensive amplier.
Furthermore, the careul addition
o new security mechanisms shouldnt
overly complicate user interaces on
the external devices, particularly when
healthcare proessionals must make
quick decisions during emergency care.
reeh dieinAlthough completely eliminating
tensions between the various goals
or IMDs might be impossible, severaldirections deserve urther research
and exploration. We conne ourselves
primarily to a high-level examination
o these directions, some o which we
plan to build on in uture research. We
ocus on security- and privacy-related
research; other advances in technology
(such as longer battery lives or saer
methods or device replacement) might
also mitigate some tensions.
Fine-gined e nlThe two scenarios we described dem-
onstrate a tension between open access
to devices during emergency situations
and the use o prespeciied access-
control lists. In the rst scenario, emer-
gency caregivers will be able to com-
municate with a patients IMD, but so
will an adversary. Conversely, the lat-
ter scenario could prevent adversarial
access to an IMD but will also lock out
an emergency caregiver.
I we assume that emergency tech-nicians external programmers will
always be connected to the Internet,
easing the tension between these two
goals might be possible. The program-
mer could rst interrogate the patients
IMD to learn the devices manuacturer,
model, serial number, and possibly the
patients primary-care acility. The pro-
grammer could then contact the manu-
acturer or primary-care acility. The
manuacturer or primary-care acility
could review the request and, much like
the Grey system,9 issue a signed creden-
tial granting the programmer the rights
to access specic IMD unctions or a
specied time period.
This approach would help ensurethat the manuacturer or primary-care
acility has ultimate control over which
external devices can interact with a par-
ticular IMD. However, this approach
isnt conducive to specic-device ID
privacy. It might also introduce saety
concerns i the Internet connection
between the emergency technicians
programmer and the device manuac-
turer or primary-care acility is slow,
severed, or otherwise aulty.
oen e wih evin
nd end-f uheniin
The medical community might decide
that its sucient to always allow com-
mercial medical equipment to access
IMDs i it is possible to revoke or limit
access rom lost or stolen equipment. For
example, revocation could occur implic-
itly through automatically expiring cer-
ticates or IMD programmers. These
certicates should be hard to re-obtain
without proper medical credentials,should be stored in secure hardware,
and might be distributed hierarchically
in a clinic. However, this approach
exposes IMDs to compromised equip-
ment or short periods, requires them to
have a secure and robust notion o time,
and opens a caregiver to potential DoS
attacks through the certicate distribu-
tion system. The requirement to coor-
dinate the use o such an inrastructure
across international boundaries or it to
unction on a global scale might limit
its potential.
IMD programmers could also
require a secondary authentication
token, such as a smart card, tied to a
medical proessionals identity. Requir-
ing such tokens could urther limit
unauthorized parties use o legitimate
medical equipment, although it might
also decrease usability and increase
emergency response time. Alterna-
tively, manuacturers might be able to
extend sophisticated ederated iden-
Fromasecurityperspective,wider-range
wirelesscommunicationsincreasesexposureto
bothpassiveandactiveadversaries.
8/4/2019 b1kohFINAL2
9/11
JANUARYMARCH2008 PERVASIVEcomputing 37
tity management rameworks to IMDenvironments. However, they must bal-
ance these systems with, or example,
resource limitations and the size o the
trusted computing base.
aunbiliy
Although preventing malicious
activities at all times is impossible, it
might be possible to deter such activi-
ties by correlating them with an exter-
nal programmer or entity. Specically,
all IMD setting modications, as wellas all data accesses, could be recorded
securely on the IMD (in addition to
any logs stored on the programmer)
that is, in a cryptographic audit log
that cant be undetectably modied.10
Physicians could review this log during
clinic visits or ater detecting certain
anomalies in a patients care. Although
current IMDs keep audit logs or the
purposes o investigating potential
malunctions, we havent seen any pub-
lic discussion o their cryptographicsecurity.
Such an audit log would, however, be
meaningless i an external device could
claim any identity it choosesthe
serial number o an external device or
programmer shouldnt by itsel act as
an identity. Rather, we recommend that
legitimate external devices use secure
hardware to store credentialsinclud-
ing private keys and the corresponding
signed certicatesand authenticate
themselves to the IMDs beore each
transaction. Together, the secure audit
logs and the secure identiers could let
an IMD auditor associate individual
transactions with the devices perorm-
ing them. With second-actor authenti-
cation, as we proposed earlier, an audi-
tor could also correlate transactional
history with a particular healthcare
proessional.
To address potential DoS attacks
against the audit logs memory size, the
IMDs could periodically ofoad veri-
able portions o the audit log to trustedexternal devices.
pien wene
vi endy hnnel
Some IMDs provide an audible alert
to signal battery depletion. We recom-
mend using secondary channels to also
inorm patients about their IMDs
security status. An IMD could issue a
notication whenever it establishes a
wireless connection with an external
programmer or whenever a critical set-ting changes. As with secure audit logs,
these noticationsbeeps or vibrations,
or instancewont directly prevent
accidental programming or attacks.However, they might help mitigate acci-
dents or deter attacks because the alerts
would inorm the patient (and possi-
bly bystanders) o the situation and let
them react. Other examples o possible
secondary channels include an at-home
monitor, watch, or phoneall o which
could relay urther visual, auditory, or
tactile inormation about anomalous
security events. Tensions do, however,
remain between the use o these second-
ary channels and patient privacy.
auhizin
vi endy hnnel
Environmental and other second-
ary elements could serve as actors in
authorization. Many existing ICDs,
or example, use near-eld communi-
cation (such as a wand near the chest)
or initial activation. Ater activation,
the physician can program the device
rom a greater distance or a longer
period o time. A programming ses-
sions extended range and longevityincrease exposure or patients because
their IMDs might still be receptive to
long-range wireless communications
ater they leave the clinic. Periodically
requiring a resumption o near-eld
communications between the IMD and
an authorized external device might
thereore be appropriate.
A second approach is to use the built-
in accelerometers already in some IMDs.
For example, an IMD could cease wire-
less communications when it detectsthat its environment has changed sig-
nicantly, perhaps because the patient
stood up rom the examining table or
otherwise let the clinical setting. Bythemselves, both approaches will only
limitnot preventprolonged expo-
sure to adversarial actions.
A separate approach might be to
encrypt the communications between
the programmer and the IMD, using
an encryption key imprinted on a card
or a medical-alert bracelet. Here, visual
access to the card or bracelet acts as a
secondary authorization channel. This
approach might, however, lead to saety
concerns i a patient orgets his or her
card or bracelet and needs urgent emer-
gency care.
shif uin
exenl devie
An adversary might use crypto-
graphic mechanisms to mount a DoS
attack against the IMDs processor,
communications, or battery. A wealth
o research exists on improving net-
work security protocols eiciency
under resource constraintssuch as
Itmightbepossibletodetermalicious
activitiesbycorrelatingthem
withanexternalprogrammerorentity.
8/4/2019 b1kohFINAL2
10/11
38 PERVASIVEcomputing www.computer.org/pervasive
Implantable electronIcs
computation ofoading via client puz-
zles11and its worth exploring how to
extend existing DoS limitation methods
rom conventional networks to IMDs.
Although these methods might reduce
a DoS attacks ecacy, they might still
leave IMDs vulnerable to resource
depletion at a lower rate.
Another approach might be to use a
resource-rich device to mediate com-
munication between an IMD and
an external programmer, much like
proposed RFID proxies mediate com-
munication between RFID readers
and RFID tags.12,13 The communica-
tion between the IMD and the media-
torperhaps a smart phone, watch,
or beltcould use lighter-weight sym-
metric encryption and authentication
schemes, whereas the communication
between the mediator and the externalprogrammer could use more expensive
asymmetric cryptographic techniques.
Increasing the number o devices and
protocols involved, however, increases
the size o the overall systems trusted
computing base, which might make
the system harder to secure. For saety,
when the trusted mediator isnt present,
it might be appropriate or the IMD to
ail-open, meaning that caregivers
but also adversariescould interact
with the IMD.
Weve proposed research
directions or miti-
gating the tensions
between the various
goals. However, an ultimate solution
will require experts rom the medical
and security communities, industry,
regulatory bodies, patient advocacy
groups, and all other relevant commu-
nities to collaboratively make decisionson both mechanisms and policies. Our
research team is actively exploring the
above-mentioned research directions,
and we are developing cryptographic
and energy-centric methods or pro-
viding security and privacy at low cost
and without diminishing the ecacy o
primary treatments.
ACknoWlEDgmEnTs
WethankShaneClark,BenessaDeend,David
Eiselen,BarryKaras,WillMorgan,andtheanony-mousreviewersortheireedbackandassistance.
USNationalScienceFoundationgrantsCNS-
0435065,CNS-0520729,andCNS-0627529and
agitromIntelsupportedthisresearch.
REFEREnCEs
1. K. Hanna et al., eds., Innovation andInvention in Medical Devices: WorkshopSummary, US Natl Academy o Sciences,2001.
2. S. Cherukuri, K. Venkatasubramanian,and S. Gupta, BioSec: A Biometric-
theAuThoRs
Daniel HalperinisaPhDcandidateincomputerscienceandengineeringat
theUniversityoWashington.Hisresearchinterestsincludewirelessnetwork-
ing,withacurrentocusoninnovativeusesosotware-denedradios,and
practicalsecurityandprivacyinthewiredandwirelessdigitalandphysicaldomains.HereceivedhisBSincomputerscienceandmathematicsromHar-
veyMuddCollege.HesamemberotheACM,AmericanMathematicalSoci-
ety,andUsenix.ContacthimattheUniv.oWashington,Dept.oComputer
ScienceandEng.,Box352350,Seattle,WA98195;[email protected].
edu.
Thoma s. Heydt-BenjaminisaPhDcandidateincomputerscienceatthe
UniversityoMassachusettsAmherst.Hisresearchinterestsincludetopicsin
computersecurityandprivacyasappliedtomobileandubiquitoussystems.
HereceivedhisMSincomputerscienceromtheUniversityoMassachusetts
Amherst.HesamemberotheACM,theIEEE,theInternationalFinancial
CryptographyAssociation(IFCA),andtheInternationalAssociationorCryp-
tologicResearch.ContacthimattheComputerScienceBldg.,140Governors
Dr.,Amherst,MA01003;[email protected].
Kevin fuisanassistantproessorincomputerscienceattheUniversityo
MassachusettsAmherst,wherehestheprincipalinvestigatorotheRFID
ConsortiumonSecurityandPrivacy.Hisresearchinterestsincludethesecurity
andprivacyopervasivetechnologyincludingRFID,implantablemedical
devices,andlesystems.HereceivedhisPhDinelectricalengineeringand
computerscienceromtheMassachusettsInstituteoTechnology.Hesa
memberoUsenix,theIEEE,andtheACM.ContacthimattheComputerSci-
enceBldg.,140GovernorsDr.,Amherst,MA01003;[email protected].
Tadayohi KohnoisanassistantproessorintheUniversityoWashingtons
DepartmentoComputerScienceandEngineering.Hisresearchinterests
includeprotectingconsumersecurityandprivacyintheaceoevolvingtech-
nologies,rangingromelectronicvotingmachinestopervasivehealthcare
devices.HereceivedhisPhDincomputerscienceromtheUniversityoCali-ornia,SanDiego.HesamemberotheACM,theInternationalAssociationor
CryptologicResearch,theIEEE,andUsenix.ContacthimattheUniv.oWash-
ington,Dept.oComputerScienceandEng.,Box352350,Seattle,WA98195;
William H. Maielisthedirectorothepacemakeranddebrillatorserviceat
BethIsraelDeaconessMedicalCenterandanassistantproessoromedicine
atHarvardMedicalSchool.Hisresearchinterestsinvolvethesaeandeec-
tiveuseocardiovascularmedicaldevicesparticularlyrhythmmanagement
devicessuchaspacemakersandimplantabledebrillators.HereceivedhisMD
romCornellUniversityMedicalCollegeandhisMPHromtheHarvardSchool
oPublicHealth.ContacthimattheCardiovascularDivision,BethIsraelDea-
conessMedicalCenter,185PilgrimRd.,Baker4,Boston,MA02215;wmaisel@
bidmc.harvard.edu.
8/4/2019 b1kohFINAL2
11/11
JANUARYMARCH2008 PERVASIVEcomputing 39
Based Approach or Securing Communi-cation in Wireless Networks o BiosensorsImplanted in the Human Body, Proc.Intl Conf. Parallel Processing (ICPP)Workshops, IEEE CS Press, 2003, pp.432439.
3. US Food and Drug Administration,Unique Device Identication; Requestor Comments, Federal Register, vol.71, no. 155, 2006, pp. 46,233 46,236;www.da.gov/OHRMS/DOCKETS/98r/06-6870.htm.
4. T. Drew and M. Gini, Implantable Medi-cal Devices as Agents and Part o Multi-
agent Systems, Proc. 5th Intl Joint Conf.Autonomous Agents and Multiagent Sys-tems (Aamas 06), ACM Press, 2006, pp.15341541.
5. S. Gupta, T. Mukherjee, and K. Venkata-subramanian, Criticality Aware AccessControl Model or Pervasive Applications,Proc. 4th Ann. IEEE Intl Conf. Perva-sive Computing and Comm. (Percom 06),
IEEE CS Press, 2006, pp. 251257.
6. A. Juels, RFID Security and Privacy: AResearch Survey, IEEE J. Selected Areasin Comm., Feb. 2006, pp. 381394.
7. M. Jakobsson and S. Wetzel, SecurityWeaknesses in Bluetooth, Progress inCryptologyCT-RSA 2001: The Cryp-tographers Track at RSA Conf. 2001,LNCS 2020, Springer, 2001, pp. 176191.
8. M. Gruteser and D. Grunwald, AMethodological Assessment o Loca-tion Privacy Risks in Wireless HotspotNetworks, First Intl Conf. Security in
Pervasive Computing, Springer, 2003, pp.1024.
9. L. Bauer et al., Device-Enabled Autho-rization in the Grey System, Proc. 8thIntl Conf. Information Security (ISC 05),Springer, 2005, pp. 431445.
10. B. Schneier and J. Kelsey, CryptographicSupport or Secure Logs on Untrusted
Machines, Proc. Usenix Security Symp.,Usenix Press, 1998, pp. 5362.
11. A. Juels and J. Brainard, Client Puzzles:A Cryptographic Countermeasure againstConnection Depletion Attacks, Proc. Net-work and System Security Symp. (NDSS99), Internet Soc., 1999, pp. 151165.
12. A. Juels, P. Syverson, and D. Bailey,High-Power Proxies or EnhancingRFID Privacy and Utility, PrivacyEnhancing Technologies, LNCS 3856,Springer, 2005, pp. 210226.
13. M. Rieback, B. Crispo, and A. Tanen-
baum, RFID Guardian: A Battery-Pow-ered Mobile Device or RFID PrivacyManagement, Proc. 10th AustralasianConf. Information Security and Privacy(Acisp 05), LNCS 3574, Springer, 2005,pp. 184194.
Formoreinormationonthisoranyothercom-
putingtopic,pleasevisitourDigitalLibraryat
www.computer.org/csdl.
a d v e r t i s e r i n d e x J a n U a r Y M a r c h 2 0 0 8
Advrtir/Produt Pag numbr
Prcom 2008 covr 3
Advrtiig Prol
MarianAndersonAdvertisingCoordinatorPhone:+17148218380Fax:+17148214010Email:[email protected]
SandyBrownIEEEComputerSociety,BusinessDevelopmentManagerPhone:+17148218380Fax:+17148214010Email:[email protected]
Advrtiig sal Rprtativ
MidAtlantic(product/recruitment)DawnBeckerPhone: +17327720160Fax: +17327720164Email:[email protected]
NewEngland(product)JodyEstabrookPhone: +19782440192
Fax: +19782440103Email:[email protected]
NewEngland(recruitment)JohnRestchackPhone: +12124197578Fax: +12124197589Email:[email protected]
Connecticut(product)StanGreeneldPhone: +12039382418Fax: +12039383211Email:[email protected](product)SteveLoerch
Phone: +18474984520Fax +18474985911Email:[email protected]
Northwest(product)LoriKehoePhone: +16504583051Fax: +16504583052
Email:[email protected]
SouthernCA(product)MarshallRubinPhone: +18188882407Fax: +18188884907Email:[email protected]
Northwest/SouthernCA(recruitment)TimMattesonPhone: +13108364064Fax: +13108364067Email:[email protected]
Midwest(product)DaveJonesPhone: +17084425633Fax: +17084427620Email:[email protected]
WillHamiltonPhone: +12693812156Fax: +12693812556
Email:[email protected]
JoeDiNardoPhone: +14402482456Fax: +14402482594Email:[email protected]
Southeast(recruitment)ThomasM.FlynnPhone: +17706452944Fax: +17709934423Email:[email protected]
Midwest/Southwest(recruitment)DarcyGiovingoPhone: +1847498-4520Fax: +1847498-5911Email:[email protected]
Southeast(product)BillHollandPhone: +17704356549
Fax: +17704350243Email:[email protected]
Japan(recruitment)TimMattesonPhone: +13108364064Fax: +13108364067Email:[email protected]
Europe(product)HilaryTurnbullPhone: +441875825700Fax: +441875825701Email:[email protected]