Design Challenges for Secure Implantable Medical Devices
Implantable medical devices (IMDs) are increasingly being used to improve patients’ medical outcomes. Designers of IMDs already balance safety, reliability, complexity, power consumption, and cost. However, recent research has demonstrated that designers should also consider security and data privacy to protect patients from acts of theft or malice, especially as medical technology becomes increasingly connected to other systems via wireless communications or the Internet. This survey paper summarizes recent work on IMD security. It discusses sound security principles to follow and common security pitfalls to avoid. As trends in power efficiency, sensing, wireless systems, and biointerfaces make possible new and improved IMDs, they also underscore the importance of understanding and addressing security and privacy concerns in an increasingly connected world.
Keywords: Insulin Pump, Threat Modeling, Implantable Cardiac Defibrillator, Software Radio, Implantable Medical Device
This material is based upon work supported by the Armstrong Fund for Science; the National Science Foundation (NSF) under Grants 831244, 0923313, and 0964641; Cooperative Agreement 90TR0003/01 from the Department of Health and Human Services (DHHS); two NSF Graduate Research Fellowships; and a Sloan Research Fellowship. Its contents are solely the responsibility of the authors and do not necessarily represent the official views of DHHS or NSF.