to think of numerous ways to cause
intentional malfunctions in an IMD.
Few desktop computers have failures as consequential as that of an
IMD. Intentional malfunctions can
actually kill people, and are more
difficult to prevent than accidental
malfunctions. For instance, lifesaving
therapies were silently modified and
disabled via radio communication on
an implantable defibrillator that had
passed premarket approval by regulators.
3 In my research lab, the same device was reprogrammed with an unauthenticated radio-based command to
induce a shock that causes ventricular
fibrillation (a fatal heart rhythm).
Manufacturers point out that IMDs
have used radio communication for
decades, and that they are not aware
of any unreported security problems.
Spam and viruses were also not prevalent on the Internet during its many-decade nascent period. Firewalls, encryption, and proprietary techniques
did not stop the eventual onslaught.
It would be foolish to assume IMDs
are any more immune to malware. For
instance, if malware were to cause an
IMD to continuously wake from power-saving mode, the battery would wear
out quickly. The malware creator need
not be physically present, but could expose a patient to risks of unnecessary
surgery that could lead to infection
or death. Much like Macintosh users
can take comfort in that most current
malware takes aim at the Windows
platform, patients can take comfort in
that IMDs seldom rely on such widely
targeted software for now.
Consequences and Causes:
A second risk is violation of patient
privacy. Today’s IMDs contain detailed
medical information and sensory data
(including vital signs, patient name,
date of birth, therapies, and medical
diagnosis). Data can be read from an
IMD by passively listening to radio
communication. With newer IMDs
providing nominal read ranges of several meters, eavesdropping will become easier. The privacy risks are similar to that of online medical records.
Improving IMD security and privacy
requires a proper mix of technology
Technological approaches to improving IMD security and privacy include
judicious use of cryptography and limiting unnecessary exposure to would-be hackers. IMDs that rely on radio
communication or have pathways to
the Internet must resist a determined
5 IMDs can last upward of 20
years, and doctors are unlikely to surgically replace an IMD just because a
less-vulnerable one becomes available.
Thus, technologists must think 20 to
25 years out. Cryptographic systems
available today may not last 25 years.
It is tempting to consider software
updates as a remedy for maintaining
the security of IMDs. Because software
updates can lead to unexpected malfunctions with serious consequences,
pacemaker and defibrillator patients
make an appointment with a health-care provider to receive firmware updates in a clinic. Thus, it could take
too long to patch a security hole.
Beyond cryptography, several steps
could reduce exposure to potential
misuse. When and where should an
IMD permit radio-based, remote reprogramming of therapies (such as
changing the magnitude of defibrillation shocks)? When and where should
an IMD permit radio-based, remote
collection of telemetry (for example,
vital signs)? Well-designed cryptographic authentication and authorization make these two questions solvable. Does a pacemaker really need to
accept requests for reprogramming
and telemetry in all locations from
street corners to subway stations? The
answer is no. Limit unnecessary exposure.
equipment used to attack an implantable cardiac defibrillator (iCD).
Premarket approval for life-sustaining
IMDs should explicitly evaluate security and privacy—leveraging the body
of knowledge from secure systems
and security metrics communities.
Manufacturers have already deployed
hundreds of thousands of IMDs without voluntarily including reasonable
technology to prevent the unauthorized induction of a fatal heart rhythm.
Thus, future regulation should provide incentives for improved security
and privacy in IMDs.
Regulatory aspects of protecting
privacy are more complicated, especially in the United States. Although
the U.S. Food and Drug Administration has acknowledged deleterious
effects of privacy violations on patient
health, there is no ongoing process or
explicit requirement that a manufacturer demonstrate adequate privacy
protection. The FDA has no legal remit from Congress to directly regulate
privacy (the FDA does not administer
HIPAA privacy regulations).
PhotograPh by ben ransforD
Call to action
My call to action consists of two parts