
Security for Implantable Medical Devices (IMDs)


This paper discusses the efficacy of the Implantable Medical Devices (IMDs), at the same time it also highlights the possibilities of security attacks on commercially available IMDs. Keeping in mind the challenges and constraints posed by the IMDs, the paper also proposes some viable solutions to address the security threats.


Table of Contents

Abstract

Market Trends

Challenges / Constraints in making IMDs secure

Published Solutions

Threat Analysis

Conclusion

References

© 2014, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.


Abstract

Implantable Medical Devices (IMDs) have significantly transformed the medical devices industry. Any device inserted directly into a patient’s body would be very useful in monitoring his/her vital signs, especially in certain conditions such as arrhythmias and diabetes. Such constant monitoring helps relay real-time information in case of life-threatening situations. It also ensures that the patient receives medical attention quickly.

Active IMDs are devices that need a power source for their functioning. They connect with the external world wirelessly and help in monitoring a patient’s condition, remotely. This presents a great advantage for patients, as these devices help to extend and enhance the quality of life. For physicians this means real-time tracking of the patient’s condition. This helps the doctor to change the course of therapy based on the patient’s current condition, and reduces response time. This way the doctor need not wait for the patient to come to him/her for a checkup. However, active IMDs come with an expensive caveat – security.

Researchers have demonstrated that security is highly compromised in the case of IMDs. Any hacker with malicious intent can gain access to this device and cause great damage to the life of the person wearing the IMD. Hence, it is imperative that security is inbuilt and that an ecosystem is created to protect human lives.

In this whitepaper, the context is set with the types of potential security attacks and guidance from various regulatory bodies. It then discusses the challenges and constraints in securing IMDs, followed by solutions that address security threats. The whitepaper also covers factors, such as hackers’ challenges and the advantages that influence the threat impact. As security for IMDs is a niche field, there is a lot of scope for innovation.

Market Trends

Why IMDs?

The role of active IMDs is critical in providing timely medical care whenever a patient needs it. They relay vital information to physicians about the patient’s condition. This, in turn, allows doctors to take proactive action and thus help save lives.

Artificial Cardiac Pacemakers, Implantable Cardioverter Defibrillators (ICDs), Neurostimulators and Insulin Pumps are some of the popular active IMDs. Active IMDs equipped with a wireless interface help in monitoring a patient’s condition remotely while adjusting the therapy based on the patient’s condition at any given time. Using these wireless IMDs, physicians can get real-time data on the patient’s condition and administer the therapy remotely. The major benefit for a patient lies in effort, time and cost savings due to a reduction in planned or unplanned hospital visits.

How do IMDs work?

An IMD’s primary interface with the external world is through a device called the IMD Programmer. This device is responsible for gathering a patient’s medical information from the IMD and providing commands for therapy to the IMD. With the introduction of Medical Implant Communication Services (MICS) in 1999, the FCC allocated the 402-405 MHz band for this purpose. The latest range of IMDs also makes use of telemetry to beam long-range, high-bandwidth data across remote locations.

Problems in the current context

The benefits of wireless connectivity and remote monitoring come with associated security risks. The devices meant to protect people’s lives, if compromised by hackers, can cause security breaches and severe damage to the patients. It can even cause their death under certain circumstances. Some of the ways in which the security and efficacy of IMDs can be breached are listed below:


Confidentiality: A hacker can use custom equipment to mimic an IMD Programmer, interface with the IMD and access any patient’s personal details and up-to-date health information. These details run the risk of being altered to disastrous effect, and hence should be accessible only by authorized personnel.

Integrity: A hacker can connect with the IMD and modify the health information stored in the device, raising false alarms or making the physicians diagnose the situation wrongly. The hacker can also send prescriptive commands to the device to disrupt and degrade the therapy.

Availability: In the DOS (Denial of Service) form of attack, a hacker can keep sending queries to the device repeatedly in order to drain the battery quickly, severely impacting/nullifying the device’s functioning. Typically, an IMD’s battery life spans a few years. DOS attacks can drain the battery in a few hours.

Daniel Halperin, from the University of Washington, along with other researchers, published a paper in the IEEE Symposium on Security and Privacy, in 2008. They established the possibilities of cyber attacks on IMDs with pacemaker technology. They demonstrated cyber attack aspects such as breaching confidentiality (unauthorized access to patient data) and integrity (wrong therapy settings).

At the Black Hat Conference in Las Vegas in 2011, security researcher Jerome Radcliffe, a diabetic himself, demonstrated the vulnerability of the insulin pump by taking complete control of his own IMD, remotely. He could command the pump to deliver insulin every three minutes or stop insulin delivery at will just from a distance of 100 feet.

At the Breakpoint conference in Melbourne in October 2012, Barnaby Jack of security vendor IOActive demonstrated the ways in which IMDs could be compromised. He used a laptop 50 feet away from the patient to deliver a deadly, 830-volt shock. He said that there was also a possibility of infecting the vendor’s servers, which in turn could infect the vendor’s implanted IMDs, and thus enable the opportunity to commit mass murder.

There has been no reported attack on any medical device so far. However, several researchers have demonstrated in separate instances, the possibilities of such attacks using commercially available IMDs.

The U.S. Government Accountability Office (GAO) did a study to determine whether wireless IMDs are protected against information security risks that could affect their safety and effectiveness. In its August 2012 report, the GAO recommended that the Food and Drug Administration (FDA) develop and implement a plan expanding its focus on information security risks.

As per FDA reports, there has been no real security attack. However, the FDA came up with a safety communication in June 2013. Cyber security is a focus area for the medical device industry as it concerns potential loss of human lives and sensitive health information. As of today, it is still a nascent technology.

Challenges to make IMDs secure

There are several unique challenges / constraints in securing IMDs against cyber attacks. The scenario is different from securing networks, servers and computers.

The major challenge in making IMDs secure is the resource constraint with regard to the processing power, battery, and memory. The situation becomes more complex with the varying mix of security, privacy, efficacy and safety associated with different types of IMDs. Any solution should take care of these constraints.

A typical solution attempting to prevent unauthorized access to an IMD may involve a complex encryption / decryption algorithm. Typically, such algorithms require significant processing power. Similarly, if algorithms to detect intrusions run on the IMDs on a continual basis, the battery will drain quickly. Replacing the battery necessitates another surgery, which involves money, effort, pain, and even a risk to life itself. Such algorithms can be executed on the IMD programmers. However, the programmer itself may not have a powerful CPU.

The second challenge is to secure already implanted IMDs. Security can be designed into new devices as technologies evolve, even with the constraints stated above. However, over 4 million IMDs (pacemakers and CRM devices alone) have already been implanted in patients’ bodies, worldwide. Another 700,000 devices are implanted every year [1]. As most of these devices were designed several years ago, the required security features relevant in today’s context were not built in at that time. There needs to be a solution to protect already implanted IMDs and the patients.

Another unique challenge is that the security feature built around IMDs should have the ability to be disabled by previously unauthorized yet competent people such as doctors of a different hospital. Imagine a scenario where the patient is in a critical situation, unable to communicate, and is admitted to a different hospital. The doctors there should be able to use their IMD Programmers and communicate with the device. If the device prevents unauthorized access at that time, the doctor cannot provide the necessary treatment, thus presenting a real danger to the patient. Security designers have to take these kinds of emergency scenarios into account while designing a solution.

Published Solutions

Several solutions have been reported in the literature. These solutions take into account the challenges and constraints posed by IMDs. An external device is a part of many of these solutions. Such external devices can be worn by the patient or kept near the IMD that it is protecting. The following solutions are covered in this section.

IMD Shield

H2H (Heart-to-Heart)

NFC Interface

Conducted Communication through Surface ECG Electrodes

IMD Shield

In SIGCOMM ’11, researchers from MIT and the University of Massachusetts-Amherst presented an innovative solution [8], which does not require any modifications to already implanted IMDs. They used commercially available IMDs and IMD Programmers for the study. They proposed an external device called the “IMD Shield” that acts as a gateway for the IMD. It can be worn by the patient, like a necklace, ensuring proximity to the device it would be protecting. Communication from IMD to IMD Programmer and vice versa is handled by the shield. The IMD continues to operate the way it was originally designed, and the shield is built with two antennas – one to receive and the other to jam. It receives the patient’s health info from the IMD to forward to the IMD Programmer. It simultaneously jams signals from the IMD, thus preventing an intruder device from accessing the patient’s medical information. It jams signals coming from an intruder device, thereby corrupting the info and preventing the IMD from responding to unauthorized commands. Since the shield and IMD Programmer are external devices, their design can be modified as the threat scenario evolves in the future.

Figure 1: IMD Shield

Heart-to-Heart:

Researchers at Rice University along with a team at RSA Securities have come up with a solution [9], called “Heart-to-Heart” (H2H). This solution will address the challenge related to medical emergencies. It involves using the patient’s heartbeat as the password. In this method, a special type of IMD Programmer authenticates itself with the IMD by touching the patient’s body and taking the reading of the heartbeat. It also asks the IMD to take the reading of the heartbeat.

The IMD Programmer and IMD take independent, time-synchronous ECG readings. The IMD compares the two results. If the results are nearly equal, it grants access to the IMD Programmer. Since the readings are taken in real-time, a hacker will not be able to replay and trick the IMD into getting the access. This solution can be applicable only to new IMDs or to already implanted IMDs that allow a wireless firmware upgrade.

Figure 2: Heart-to-heart protocol

NFC Interface:

B Kim et al [10] have proposed the use of NFC interface (13.56 MHz frequency band) for all communications between the IMD and the external world through a smart phone with NFC. They proposed a passive NFC tag that harvests energy from the reader’s magnetic field. The major advantage of the NFC interface is its short communication range, limited to about 4-5 cm in free space. They used pork as a substitute to emulate human-like tissue and found that the communication range was reduced by 5-8 mm due to absorption, but still the range was over 4 cm. This ensures that a hacker cannot unleash the attack from a distance of a few meters, which is possible with other interfaces such as MICS or Bluetooth. The only disadvantage of the NFC based solution is that it will be available only in the new IMDs under development. Some vendors have started making use of NFC technology for the interface between the IMD and the Programmer. IMDs with NFC are expected to arrive in the market in a couple of years.

Conducted Communication through Surface ECG Electrodes:

In a remarkable breakthrough in pacemaking, the St. Jude Medical Nanostim Leadless Pacemaker can be implanted inside the heart using a minimally invasive procedure, thereby eliminating the need for surgery [7]. In addition, there is no wireless interface. The communication with the external world is by way of conducted communication through Surface ECG Electrodes [7]. Electrodes will be placed on the chest of the patient and through ECG monitoring, the readings will be taken and the settings will be adjusted, if required. This ensures that a hacker cannot attack remotely.

Figure 3: Leadless Pacemaker
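The Heart-to-Heart access decision described above (the IMD grants access only when the Programmer's reading is nearly equal to its own simultaneous reading, so an old recording fails), as an added sketch that is not code from the whitepaper or from the H2H authors. The bit-extraction scheme (quantised, Gray-coded inter-pulse intervals), the thresholds and all sample readings are assumptions constructed for illustration.

```python
"""Heart-to-Heart style access check: the IMD grants access only if the
Programmer's heartbeat reading nearly matches its own simultaneous reading."""

# Assumed parameters (illustrative; not taken from the whitepaper or the H2H paper).
QUANT_STEP_MS = 8       # coarse quantisation absorbs small timing noise
BITS_PER_INTERVAL = 4   # low-order Gray-coded bits kept per interval
MIN_INTERVALS = 16      # refuse readings too short to be meaningful
MAX_BIT_ERRORS = 8      # "nearly equal": tolerated mismatches out of 64 bits


def interval_bits(ipi_ms):
    """Map one inter-pulse interval (ms) to BITS_PER_INTERVAL bits.

    Gray coding means two measurements that land in adjacent quantisation
    bins differ in at most one bit instead of several."""
    q = ipi_ms // QUANT_STEP_MS
    gray = q ^ (q >> 1)
    return gray & ((1 << BITS_PER_INTERVAL) - 1)


def hamming_distance(reading_a, reading_b):
    """Count differing bits between two readings of equal length."""
    return sum(bin(interval_bits(a) ^ interval_bits(b)).count("1")
               for a, b in zip(reading_a, reading_b))


def grant_access(imd_reading, programmer_reading):
    """Decision taken on the IMD side for one authentication attempt."""
    if len(imd_reading) < MIN_INTERVALS:
        return False  # too little heartbeat data to decide safely
    if len(programmer_reading) != len(imd_reading):
        return False  # Programmer did not measure the same window
    return hamming_distance(imd_reading, programmer_reading) <= MAX_BIT_ERRORS


# Constructed sample data: inter-pulse intervals in milliseconds.
# What the IMD measures during the current authentication window.
IMD_NOW = [812, 797, 845, 830, 779, 861, 808, 823,
           790, 852, 816, 801, 838, 785, 869, 827]
# Programmer touching the patient during the same window: same beats,
# a millisecond or two of measurement noise on each interval.
PROGRAMMER_NOW = [813, 796, 845, 832, 778, 862, 807, 824,
                  791, 851, 817, 802, 837, 786, 868, 826]
# An earlier recording of the same patient, replayed by an attacker.
REPLAYED_OLD = [803, 841, 788, 826, 859, 794, 833, 811,
                847, 782, 820, 865, 799, 836, 776, 854]

if __name__ == "__main__":
    for name, reading in (("live programmer", PROGRAMMER_NOW),
                          ("replayed recording", REPLAYED_OLD)):
        print(name, hamming_distance(IMD_NOW, reading),
              "bit errors ->", grant_access(IMD_NOW, reading))
```

The tolerance is the design trade-off: set too tight, a legitimate Programmer is locked out by measurement noise in an emergency; set too loose, an unrelated heartbeat recording starts to pass.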

Threat Analysis

If there has been no real attack so far, it could be due to the challenges that hackers may be facing. The following factors lead one to believe that the researchers’ concerns may be far-fetched and that the probability of threats may be low.

Proximity: In typical non-IMD cyber attacks, a hacker can be far away from the victim, working from the comfort of their workplace at a time of their choice. In the case of an IMD attack, the hacker or the equipment they use to hack should be close to the victim. This requires meticulous preparation, such as visiting the area and identifying the hiding place for the attack. This limitation could act as a major deterrent, thereby reducing the number of hackers who will “invest” in this area.

Geographic Spread: The usage of wireless IMDs is concentrated in a few developed countries. When compared to non-IMD cyber attacks, the geographic spread of IMD attack is quite limited.

Ethical Aspect: A typical non-IMD hacker derives pride, pleasure and money in hacking the victim’s email accounts or bank accounts. While their acts are legally crimes, they may not consider themselves criminals. However, when it comes to hacking IMDs, they know that they are playing with the victim’s life. Only those hackers with atrociously criminal intent would be getting into this field, thereby limiting the IMD hacker population.

However, the following factors paint a different picture.

Advantage Hackers: Any solution against cyber attacks has to go through the rigorous compliance testing mandated by regulatory bodies such as the FDA. This results in delaying the deployment by around 5-7 years. Hackers do not have this limitation and they can deploy newly found attacks immediately.

High Value Targets: Due to the cost of an IMD, and surgery and maintenance expenses, the rich and famous are more likely to be implanted, making them high-value targets. For instance, the doctors who replaced former U.S. Vice President Dick Cheney's heart defibrillator in 2007 asked the manufacturer to disable the wireless feature, fearing that terrorists might hack the device and try to kill him [11].

From these perspectives, it is imperative that IMDs are adequately secured.

Conclusion

With the growing usage and complexity of IMDs, there are associated vulnerabilities that compromise the confidentiality, integrity, and availability aspects of these gadgets. The FDA has recognized the issue. Vendors have started taking care of security issues in their new implementations.

In this paper, the various possible types of attack and their impact on the patient’s life have been presented. The unique challenges in securing IMDs due to their inherent nature and the usage scenarios have also been explained. Though there have been no reported vulnerabilities, regulatory bodies have taken note of the possibilities and started working with manufacturers and security experts to strengthen cyber security in IMDs. A few solutions taking care of CIA aspects published in the literature have been presented. In addition, the challenges and advantages from the hackers’ point of view have been presented.

Conducted communication and NFC interface based devices are likely to be the earliest solutions that will be available to patients in the near future. All other solutions are in the conceptual stage with the researchers still in discussion with vendors to implement the solution in upcoming devices.

Cyber security for IMDs is a nascent technology where a lot needs to be done before the potential threats become real. It is hoped that the reader finds this ecosystem overview helpful.

References

[1] St. Jude Medical Announces Acquisition and CE Mark Approval of World's First Leadless Pacemaker, October 14, 2013. http://investors.sjm.com/phoenix.zhtml?c=73836&p=irol-newsArticle_Print&ID=1863989

[2] Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, by Kevin Fu et al. http://scholarworks.umass.edu/cgi/viewcontent.cgi?article=1067&context=cs_faculty_pubs

[3] Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System, by Jerome Radcliffe, presented at Black Hat Technical Security Conference: USA 2011. http://cs.uno.edu/~dbilar/BH-US-2011/materials/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf

[4] "Broken Hearts": How plausible was the Homeland pacemaker hack? by Barnaby Jack. http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html

[5] FDA Should Expand Its Consideration of Information Security for Certain Types of Devices, GAO, August 2012. http://www.gao.gov/assets/650/647767.pdf

[6] FDA Safety Communication: Cyber security for Medical Devices and Hospital Networks, June 13, 2013. http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm

[7] Leadless cardiac pacemaker with conducted communication. http://www.google.com/patents/WO2013058958A1

[8] They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices, presented at SIGCOMM ’11 by Shyamnath et al. http://groups.csail.mit.edu/netmit/IMDShield/paper.pdf

[9] Heart-to-Heart (H2H): Authentication for Implanted Medical Devices, by Masoud Rostami et al, to be presented at CCS’13, November 4–8, 2013, Berlin, Germany. http://www.aceslab.org/sites/default/files/H2H.pdf

[10] In-Vivo NFC: Remote Monitoring of Implanted Medical Devices with Improved Privacy, by Kim B et al, SenSys ’12, November 6-9, 2012, Toronto, Canada. http://dl.acm.org/citation.cfm?id=2426691&dl=ACM&coll=DL&CFID=376029119&CFTOKEN=76995657

[11] Cheney's defibrillator was modified to prevent hacking, by Dana Ford, CNN, October 24, 2013. http://www.cnn.com/2013/10/20/us/dick-cheney-gupta-interview/

Author Info

Ashok Kumar V, HCL Engineering and R&D Services

Designed By: Mayuri Infomedia

This whitepaper is published by HCL Engineering and R&D Services.

The views and opinions in this article are for informational purposes only and should not be considered as a substitute for professional business advice. The use herein of any trademarks is not an assertion of ownership of such trademarks by HCL nor intended to imply any association between HCL and lawful owners of such trademarks.

For more information about HCL Engineering and R&D Services, please visit http://www.hcltech.com/engineering-rd-services

Copyright © HCL Technologies. All rights reserved.