The following answers several frequently asked questions about our research paper entitled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses."
Q. What is the Medical Device Security Center?
The Medical Device Security Center is a cross-disciplinary partnership between researchers at:
- the Beth Israel Deaconess Medical Center, Harvard Medical School,
- the University of Michigan, and
- the University of Washington.
Our mission is to help improve the understanding of and balance between security, privacy, safety, and effectiveness for next-generation medical and pervasive healthcare devices.
The center is directed by Prof. Kevin Fu (University of Michigan), Prof. Tadayoshi Kohno (University of Washington), and Dr. William H. Maisel (Beth Israel Deaconess Medical Center and Harvard Medical School).
Q. What are implantable medical devices (IMDs)?
Implantable Medical Devices (IMDs) monitor and treat physiological conditions within the body, and can help patients lead normal and healthy lives.
There are many different kinds of IMDs, including pacemakers, implantable cardiac defibrillators (ICDs), drug delivery systems, neurostimulators, swallowable camera capsules, and cochlear implants. These devices can help manage a broad range of ailments, including: cardiac arrhythmia; diabetes; chronic pain; Parkinson’s disease; obsessive compulsive disorder; depression; epilepsy; obesity; incontinence; and hearing loss.
The pervasiveness of IMDs continues to swell, with approximately twenty-five million U.S. citizens currently benefiting from therapeutic implants.
Q. What are pacemakers and implantable cardiac defibrillators (ICDs)?
Pacemakers and ICDs are both designed to treat abnormal heart conditions. About the size of a pager, each device is connected to the heart via electrodes and continuously monitors the heart rhythm.
Pacemakers automatically deliver low energy signals to the heart to cause the heart to beat when the heart rate slows. Modern ICDs include pacemaker functions, but can also deliver high voltage therapy to the heart muscle to shock dangerously fast heart rhythms back to normal.
Pacemakers and ICDs have saved innumerable lives, and there are millions of pacemaker and ICD patients in the U.S. today.
Q. Where do you see the technologies for these devices heading in the future?
The technologies underlying implantable medical devices are rapidly evolving, and it's impossible to predict exactly what such devices will be like in 5, 10, or 20 years. It is clear, however, that future devices may rely more heavily on wireless communications capabilities and advanced computation. IMDs may communicate with other devices in their environment, thereby enabling better care through telemedicine and remote patient health monitoring. There may also be multiple, inter-operating devices within a patient's body.
Given the anticipated evolution in IMD technologies, we believe that now is the right and critical time to focus on protecting the security and privacy of future implantable medical devices.
Q. Why is it important to study the security and privacy properties of existing implantable medical devices?
Despite recent large advances in IMD technologies, we still have little understanding of how medical device security and privacy interact with and affect medical safety and treatment efficacy. Established methods for providing safety and preventing unintentional accidents do not necessarily prevent intentional failures and other security and privacy problems. Balancing security and privacy with safety and efficacy will, however, become increasingly important as IMD technologies continue to evolve.
Prior to our work, we are unaware of any rigorous public scientific investigation into the observable characteristics of a real, common commercial IMD. Such a study is necessary in order to provide a foundation for understanding and addressing the security, privacy, safety, and efficacy goals of future implantable devices. Our research provides such a study.
The overall goals of our research were to: (1) assess the security and privacy properties of a real, common commercial IMD; (2) propose solutions to the identified weaknesses; (3) encourage the development of more robust security and privacy features for IMDs; and (4) improve the privacy and safety of IMDs for the millions of patients who enjoy their benefits.
Q. Can you summarize your findings with respect to the security and privacy of a common implantable cardiac defibrillator (ICD)?
As part of our research we evaluated the security and privacy properties of a common ICD. We investigated whether a malicious party could create his or her own equipment capable of wirelessly communicating with this ICD.
Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could violate the privacy of patient information and medical telemetry. The ICD wirelessly transmits patient information and telemetry without observable encryption. The adversary's computer could intercept wireless signals from the ICD and learn information including: the patient's name, the patient's medical history, the patient's date of birth, and so on.
Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.
For all our experiments our antenna, radio hardware, and PC were near the ICD. Our experiments were conducted in a computer laboratory and utilized simulated patient data. We did not experiment with extending the distance between the antenna and the ICD.
Q. Do other implantable medical devices have similar issues?
We studied only a single implantable medical device. We currently have no reason to believe that any other implantable devices are any more or less secure or private.
Q. Can you summarize your approaches for defending against the security and privacy issues that you raise?
Our previous research (IEEE Pervasive Computing, January-March 2008) highlights a fundamental tension between (1) security and privacy for IMDs and (2) safety and effectiveness. Another goal we tackle in our research is the development of technological mechanisms for providing a balance between these properties. We propose three approaches for providing this balance, and we experiment with prototype implementations of our approaches. Our approaches build on the WISP technology from Intel Research.
Some IMDs, like pacemakers and ICDs, have non-replaceable batteries. When the batteries on these IMDs become low, the entire IMD often needs to be replaced. From a safety perspective, it is therefore critical to protect the battery life on these IMDs. Toward balancing security and privacy with safety and effectiveness, all three of our approaches use zero-power: they do not rely on the IMD's battery but rather harvest power from external radio frequency (RF) signals.
Our first zero-power approach utilizes an audible alert to warn patients when an unauthorized party attempts to wirelessly communicate with their IMD. Our second approach shows that it is possible to implement cryptographic (secure) authentication schemes using RF power harvesting. Our third zero-power approach presents a new method for communicating cryptographic keys ("sophisticated passwords") in a way that humans can physically detect (hear or feel). The latter approach allows the patient to seamlessly detect when a third party tries to communicate with their IMD.
We do not claim that our defenses are final designs that IMD manufacturers should immediately incorporate into commercial IMDs. Rather, we believe that our research helps establish a potential foundation upon which the community can innovate other new defensive mechanisms for future IMD designs.
Q. Where were these results published?
Our results were published at the IEEE Symposium on Security and Privacy in May 2008. The IEEE is a leading professional association for the advancement of technology. The IEEE Symposium on Security and Privacy is one of the top scholarly conferences in the computer security research community. In 2008 the conference accepted 28 out of 249 submissions (11.2%). All papers were rigorously peer-reviewed by at least three members of the IEEE Security and Privacy committee.
Q. Should patients be concerned?
We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.
Q. What have you done to ensure that these findings will not be used for malicious intent?
We specifically and purposefully omitted methodologic details from our paper, thereby preventing our findings from being used for anything other than improving patient security and privacy.