legislation, one part regulation, and one part technology.
First, legislators should mandate stronger security during premarket approval of life-sustaining IMDs that rely on either radio communication or computer networking. Action at premarket approval is crucial because unnecessary surgical replacement directly exposes patients to risk of infection and death. Moreover, the threat models and risk retention chosen by the manufacturer should be made public so that health-care providers and patients can make informed decisions when selecting an IMD. Legislation should avoid mandating specific technical approaches, but instead should provide incentives and penalties for manufacturers to improve IMD security.
Second, legislators should give regulators the authority to require adequate privacy controls before allowing an IMD to reach the market. The FDA writes that privacy violations can affect patient health [2], and yet the FDA has no direct authority to regulate privacy of medical devices. IMDs increasingly store large amounts of sensitive medical information, and fixing a privacy flaw after deployment is especially difficult on an IMD. Moreover, security and privacy are often intertwined. Inadequate security can lead to inadequate privacy, and inadequate privacy can lead to inadequate security. Thus, device regulators have the unique vantage point for not only determining safety and effectiveness, but also determining security and privacy.
Third, regulators such as the FDA should draw upon industry, the health-care community, and academics to conduct a thorough and open review of security and privacy metrics for IMDs. Today's guidelines are so ambiguous that an implantable cardioverter defibrillator with no apparent authentication whatsoever has been implanted in hundreds of thousands of patients [3].
Fourth, technologists should ensure that IMDs do not continue to repeat the mistakes of history by underestimating the adversary, using outdated threat models, and neglecting to use cryptographic controls [5]. In addition, technologists should not dismiss the importance of usable security and human factors.
There is no doubt that IMDs save lives. Patients prescribed such devices are much safer with the device than without, but IMDs are no more immune to security and privacy risks than any other computing device. Yet the consequences for IMD patients can be fatal. Tragically, it took seven cyanide poisonings in the 1982 Chicago Tylenol poisoning case for the pharmaceutical industry to redesign the physical security of its product distribution to resist tampering by a determined adversary. The security and privacy problems of IMDs are obvious, and the consequences just as deadly. We’d better get it right today, because surgically replacing an insecure IMD is much more difficult than an automated Windows update.
References
1. Epilepsy Foundation. Epilepsy Foundation takes action against hackers. March 31, 2008; http://www.epilepsyfoundation.org/aboutus/pressroom/action_against_hackers.cfm.
2. FDA Evaluation of Automatic Class III Designation: VeriChip™ Health Information Microtransponder System, October 2004; http://www.sec.gov/archives/edgar/data/924642/000106880004000587/ex99p2.txt.
3. Halperin, D. et al. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008.
4. Halperin, D. et al. Security and privacy for implantable medical devices. IEEE Pervasive Computing, Special Issue on Implantable Electronics (Jan. 2008).
5. Schneier, B. Security in the real world: How to evaluate security technology. Computer Security Journal 15, 4 (Apr. 1999); http://www.schneier.com/essay-031.html.
6. Webster, J.G., ed. Design of Cardiac Pacemakers. IEEE Press, 1995.
Kevin Fu (kevinfu@cs.umass.edu) is an assistant professor of computer science at the University of Massachusetts Amherst.
This work was supported by NSF grant CNS-0831244.
Copyright held by author.