Design Challenges for Secure Implantable Medical Devices

  • Benjamin RansfordEmail author
  • Shane S. Clark
  • Denis Foo Kune
  • Kevin Fu
  • Wayne P. Burleson


Implantable medical devices (IMDs) are increasingly being used to improve patients’ medical outcomes. Designers of IMDs already balance safety, reliability, complexity, power consumption, and cost. However, recent research has demonstrated that designers should also consider security and data privacy to protect patients from acts of theft or malice, especially as medical technology becomes increasingly connected to other systems via wireless communications or the Internet. This survey paper summarizes recent work on IMD security. It discusses sound security principles to follow and common security pitfalls to avoid. As trends in power efficiency, sensing, wireless systems, and biointerfaces make possible new and improved IMDs, they also underscore the importance of understanding and addressing security and privacy concerns in an increasingly connected world.


Insulin Pump Threat Modeling Implantable Cardiac Defibrillator Software Radio Implantable Medical Device 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This material is based upon work supported by the Armstrong Fund for Science; the National Science Foundation (NSF) under Grants 831244, 0923313, and 0964641; Cooperative Agreement 90TR0003/01 from the Department of Health and Human Services (DHHS); two NSF Graduate Research Fellowships; and a Sloan Research Fellowship. Its contents are solely the responsibility of the authors and do not necessarily represent the official views of DHHS or NSF.


  1. 1.
    R. J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2008.Google Scholar
  2. 2.
    D. Arney, R. Jetley, P. Jones, I. Lee, and O. Sokolsky. Formal methods based development of a PCA infusion pump reference model: Generic infusion pump (GIP) project. In Proceedings of the 2007 Joint Workshop on High Confidence Medical Devices, Software, and Systems and Medical Device Plug-and-Play Interoperability, HCMDSS-MDPNP ’07, pages 23–33. IEEE Computer Society, 2007.Google Scholar
  3. 3.
    D. Arney, M. Pajic, J. M. Goldman, I. Lee, R. Mangharam, and O. Sokolsky. Toward patient safety in closed-loop medical device systems. In Proceedings of the 1st ACM/IEEE International Conference on Cyber-Physical Systems, ICCPS ’10, pages 139–148. ACM, 2010.Google Scholar
  4. 4.
    Baxa Corporation. Preventing cyber attacks., Loaded Oct. 2012.
  5. 5.
    C. Beck, D. Masny, W. Geiselmann, and G. Bretthauer. Block cipher based security for severely resource-constrained implantable medical devices. In Proceedings of 4th International Symposium on Applied Sciences in Biomedical and Communication Technologies, ISABEL ’11, pages 62:1–62:5. ACM, October 2011.Google Scholar
  6. 6.
    M. Bishop. Computer Security: Art and Science. Addison-Wesley Professional, 2003.Google Scholar
  7. 7.
    S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, and M. Blaze. Why (special agent) johnny (still) can’t encrypt: a security analysis of the apco project 25 two-way radio system. In Proceedings of the 20th USENIX conference on Security. USENIX Association, 2011.Google Scholar
  8. 8.
    G. De Micheli, S. Ghoreishizadeh, C. Boero, F. Valgimigli, and S. Carrara. An integrated platform for advanced diagnostics. In Design, Automation & Test in Europe Conference & Exhibition, DATE ’11. IEEE, March 2011.Google Scholar
  9. 9.
    A. de Saint-Exupéry. Terre des Hommes. Editions Gallimard, 1939.Google Scholar
  10. 10.
    T. Denning, A. Borning, B. Friedman, B. T. Gill, T. Kohno, and W. H. Maisel. Patients, pacemakers, and implantable defibrillators: human values and security for wireless implantable medical devices. In Proc. International Conference on Human Factors in Computing Systems (CHI), 2010.Google Scholar
  11. 11.
    T. Denning, K. Fu, and T. Kohno. Absence makes the heart grow fonder: New directions for implantable medical device security. In Proceedings of USENIX Workshop on Hot Topics in Security (HotSec), July 2008.Google Scholar
  12. 12.
    X. Fan, G. Gong, K. Lauffenburger, and T. Hicks. FPGA implementations of the Hummingbird cryptographic algorithm. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust, HOST ’10, pages 48–51, June 2010.Google Scholar
  13. 13.
    X. Fan, H. Hu, G. Gong, E. Smith, and D. Engels. Lightweight implementation of Hummingbird cryptographic algorithm on 4-bit microcontrollers. In International Conference for Internet Technology and Secured Transactions, ICITST ’09, pages 1–7, November 2009.Google Scholar
  14. 14.
    N. Ferguson, B. Schneier, and T. Kohno. Cryptography Engineering: Design Principles and Practical Applications. Wiley, 2010.Google Scholar
  15. 15.
    D. Foo Kune, J. Backes, S. S. Clark, D. B. Kramer, M. R. Reynolds, K. Fu, Y. Kim, and W. Xu. Ghost talk: mitigating EMI signal injection attacks against analog sensors. In Proceedings of the 34th Annual IEEE Symposium on Security and Privacy, May 2013.Google Scholar
  16. 16.
    K. Fu. Trustworthy medical device software. In Public Health Effectiveness of the FDA 510(k) Clearance Process: Measuring Postmarket Performance and Other Select Topics: Workshop Report, Washington, DC, July 2011. IOM (Institute of Medicine), National Academies Press.Google Scholar
  17. 17.
    S. Gollakota, N. Ahmed, N. Zeldovich, and D. Katabi. Secure in-band wireless pairing. In Proceedings of the 20th USENIX Security Symposium, August 2011.Google Scholar
  18. 18.
    S. Gollakota, H. Hassanieh, B. Ransford, D. Katabi, and K. Fu. They can hear your heartbeats: non-invasive security for implanted medical devices. In Proceedings of ACM SIGCOMM, Aug. 2011.Google Scholar
  19. 19.
    P. Gould and A. Krahn. Complications associated with implantable cardioverter–defibrillator replacement in response to device advisories. Journal of the American Medical Association (JAMA), 295(16):1907–1911, April 2006.Google Scholar
  20. 20.
    S. Guan, J. Gu, Z. Shen, J. Wang, Y. Huang, and A. Mason. A wireless powered implantable bio-sensor tag system-on-chip for continuous glucose monitoring. In Proceedings of the IEEE Biomedical Circuits and Systems Conference, BioCAS ’11, November 2011.Google Scholar
  21. 21.
    A. Guiseppi-Elie. An implantable biochip to influence patient outcomes following trauma-induced hemorrhage. Analytical and Bioanalytical Chemistry, 399(1):403–419, January 2011.CrossRefGoogle Scholar
  22. 22.
    D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel. Security and privacy for implantable medical devices. IEEE Pervasive Computing, Special Issue on Implantable Electronics, 7(1):30–39, January 2008.CrossRefGoogle Scholar
  23. 23.
    D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, pages 129–142, May 2008.Google Scholar
  24. 24.
    D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th IEEE Symposium on Security and Privacy, May 2008.Google Scholar
  25. 25.
    A. Hintz. Fingerprinting websites using traffic analysis. In R. Dingledine and P. Syverson, editors, Proceedings of the Privacy Enhancing Technologies workshop, PET ’02. Springer, LNCS 2482, April 2002.Google Scholar
  26. 26.
    G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley Professional, 2004.Google Scholar
  27. 27.
    S. Hosseini-Khayat. A lightweight security protocol for ultra-low power ASIC implementation for wireless implantable medical devices. In Proceedings of the 5th International Symposium on Medical Information Communication Technology, ISMICT ’11, pages 6–9, March 2011.Google Scholar
  28. 28.
    R. P. Jetley, P. L. Jones, and P. Anderson. Static analysis of medical device software using CodeSonar. In Proceedings of the 2008 Workshop on Static Analysis, SAW ’08, pages 22–29. ACM, 2008.Google Scholar
  29. 29.
    A. Kerckhoffs. La cryptographie militaire. Journal des Sciences Militaires, IX, Jan 1883.Google Scholar
  30. 30.
    I. Lee, G. J. Pappas, R. Cleaveland, J. Hatcliff, and B. H. Krogh. High-confidence medical device software and systems. IEEE Computer, 39(4):33–38, 2006.CrossRefGoogle Scholar
  31. 31.
    A. K. Lenstra. Key lengths. In H. Bidgoli, editor, Handbook of Information Security, Volume 1: Key Concepts, Infrastructure, Standards and Protocols., page …John Wiley, 2006.Google Scholar
  32. 32.
    C. Li, A. Raghunathan, and N. K. Jha. Hijacking an insulin pump: security attacks and defenses for a diabetes therapy system. In Proceedings of the 13th IEEE International Conference on e-Health Networking, Applications, and Services, Healthcom ’11, June 2011.Google Scholar
  33. 33.
    G. McGraw. Software Security: Building Security In. Addison-Wesley Professional, 2006.Google Scholar
  34. 34.
    G. McGraw, S. Migues, and J. West. Building Security In Maturity Model, BSIMM4 edition, September 2012.Google Scholar
  35. 35.
    T. Mitre Corporation. Common vulnerabilities and exposures.Google Scholar
  36. 36.
    S. J. Murdoch, S. Drimer, R. Anderson, and M. Bond. Chip and PIN is broken. In Proc. IEEE Symposium on Security and Privacy (SP), May 2010.Google Scholar
  37. 37.
    K. Nohl, D. Evans, Starbug, and H. Plötz. Reverse-engineering a cryptographic RFID tag. In Proceedings of the 17th USENIX Security Symposium, pages 185–194, July 2008.Google Scholar
  38. 38.
    S. O’Driscoll, A. Poon, and T. Meng. A mm-sized implantable power receiver with adaptive link compensation. In Proceedings of the International Solid-State Circuits Conference, ISSCC ’09, pages 294–295,295a. IEEE, February 2009.Google Scholar
  39. 39.
    N. Paul, T. Kohno, and D. C. Klonoff. A review of the security of insulin pump infusion systems. Journal of Diabetes Science and Technology, 5(6):1557–1562, November 2011.Google Scholar
  40. 40.
    K. Poulsen. Hackers assault epilepsy patients via computer.,, March 2008.
  41. 41.
    J. Rabaey, M. Mark, D. Chen, C. Sutardja, C. Tang, S. Gowda, M. Wagner, and D. Werthimer. Powering and communicating with mm-size implants. In Design, Automation & Test in Europe Conference & Exhibition, DATE ’11. IEEE, 2011.Google Scholar
  42. 42.
    J. Radcliffe. Hacking medical devices for fun and insulin: Breaking the human SCADA system. Black Hat Conference presentation slides, August 2011.Google Scholar
  43. 43.
    K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Čapkun. Proximity-based access control for implantable medical devices. In Proceedings of the 16th ACM Conference on Computer and Communications Security, pages 410–419, 2009.Google Scholar
  44. 44.
    P. Roberts. Blind attack on wireless insulin pumps could deliver lethal dose. Threatpost (blog post),, October 2011.
  45. 45.
    J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying wolf: An empirical study of SSL warning effectiveness. In Proceedings USENIX Security Symposium, 2009.Google Scholar
  46. 46.
    D. Takahashi. Excuse me while I turn off your insulin pump. VentureBeat,, August 2011.
  47. 47.
  48. 48.
    U.S. Food and Drug Administration. Reminder from FDA: cybersecurity for networked medical devices is a shared responsibility., Nov. 2009.
  49. 49.
    J. Viega and G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley Professional, 2001.Google Scholar
  50. 50.
    F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li. IMDGuard: Securing implantable medical devices with the external wearable guardian. In Proceedings of the 30th IEEE International Conference on Computer Communications, INFOCOM ’11, pages 1862–1870, April 2011.Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2014

Authors and Affiliations

  • Benjamin Ransford
    • 1
    Email author
  • Shane S. Clark
    • 2
  • Denis Foo Kune
    • 3
  • Kevin Fu
    • 3
  • Wayne P. Burleson
    • 4
  1. 1.Computer Science and EngineeringUniversity of WashingtonSeattleUSA
  2. 2.School of Computer ScienceUniversity of Massachusetts AmherstAmherstUSA
  3. 3.Computer Science and EngineeringUniversity of MichiganAnn ArborUSA
  4. 4.Department of Electrical and Computer EngineeringUniversity of MassachusettsAmherstUSA

Personalised recommendations