to think of numerous ways to cause
intentional malfunctions in an IMD.
Few desktop computers have failures as consequential as those of an
IMD. Intentional malfunctions can
actually kill people, and are more
difficult to prevent than accidental
malfunctions. For instance, lifesaving
therapies were silently modified and
disabled via radio communication on
an implantable defibrillator that had
passed premarket approval by regulators.[3]
In my research lab, the same device was reprogrammed with an unauthenticated radio-based command to
induce a shock that causes ventricular
fibrillation (a fatal heart rhythm).
Manufacturers point out that IMDs
have used radio communication for
decades, and that they are not aware
of any unreported security problems.
Spam and viruses were also not prevalent on the Internet during its many-decade nascent period. Firewalls, encryption, and proprietary techniques
did not stop the eventual onslaught.
It would be foolish to assume IMDs
are any more immune to malware. For
instance, if malware were to cause an
IMD to continuously wake from power-saving mode, the battery would wear
out quickly. The malware creator need
not be physically present, but could expose a patient to risks of unnecessary
surgery that could lead to infection
or death. Much like Macintosh users
can take comfort in that most current
malware takes aim at the Windows
platform, patients can take comfort in
that IMDs seldom rely on such widely
targeted software for now.
Consequences and Causes: Privacy
A second risk is violation of patient
privacy. Today’s IMDs contain detailed
medical information and sensory data
(including vital signs, patient name,
date of birth, therapies, and medical
diagnosis). Data can be read from an
IMD by passively listening to radio
communication. With newer IMDs
providing nominal read ranges of several meters, eavesdropping will become easier. The privacy risks are similar to those of online medical records.
Remedies
Improving IMD security and privacy
requires a proper mix of technology
and regulation.
Remedy: Technology
Technological approaches to improving IMD security and privacy include
judicious use of cryptography and limiting unnecessary exposure to would-be hackers. IMDs that rely on radio
communication or have pathways to
the Internet must resist a determined
adversary.[5] IMDs can last upward of 20
years, and doctors are unlikely to surgically replace an IMD just because a
less-vulnerable one becomes available.
Thus, technologists must think 20 to
25 years out. Cryptographic systems
available today may not last 25 years.
It is tempting to consider software
updates as a remedy for maintaining
the security of IMDs. Because software
updates can lead to unexpected malfunctions with serious consequences,
pacemaker and defibrillator patients
make an appointment with a health-care provider to receive firmware updates in a clinic. Thus, it could take
too long to patch a security hole.
Beyond cryptography, several steps
could reduce exposure to potential
misuse. When and where should an
IMD permit radio-based, remote reprogramming of therapies (such as
changing the magnitude of defibrillation shocks)? When and where should
an IMD permit radio-based, remote
collection of telemetry (for example,
vital signs)? Well-designed cryptographic authentication and authorization make these two questions solvable. Does a pacemaker really need to
accept requests for reprogramming
and telemetry in all locations from
street corners to subway stations? The
answer is no. Limit unnecessary exposure.
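
One way to express the authentication-and-authorization gate described above, as an added sketch that is not code from this article or from any device: each request carries an HMAC-SHA256 tag and a monotonic counter, and a policy table decides which request class is accepted in which context. The frame layout, the context labels, the choice of HMAC-SHA256, and how the implant learns its context (for example, a short-range programmer session) are assumptions.

```python
import hashlib
import hmac
import struct

REPROGRAM, TELEMETRY = 1, 2          # the two request classes the text names
TAG_LEN = 32                         # HMAC-SHA256 tag size (assumed algorithm)
# Assumed policy: therapy changes only in a clinic session; telemetry also
# from a paired home monitor; nothing from any other context.
POLICY = {REPROGRAM: {"clinic"}, TELEMETRY: {"clinic", "home_monitor"}}


def make_frame(key: bytes, command: int, counter: int, payload: bytes = b"") -> bytes:
    """Programmer side: command (1 byte) | counter (8 bytes) | payload | tag."""
    body = struct.pack(">BQ", command, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Request gate on the implant. Key provisioning is out of scope here."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0        # highest authenticated counter seen

    def handle(self, frame: bytes, context: str) -> str:
        if len(frame) < 9 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "reject: unauthenticated"
        command, counter = struct.unpack(">BQ", body[:9])
        if counter <= self.last_counter:
            return "reject: replay"
        # Burn the counter before the policy check, so a frame refused on a
        # street corner cannot be captured and replayed later in the clinic.
        self.last_counter = counter
        if context not in POLICY.get(command, set()):
            return "reject: not permitted here"
        return "accept"


if __name__ == "__main__":
    key = b"\x11" * 32               # constructed demo key
    dev = Device(key)
    print(dev.handle(make_frame(key, REPROGRAM, 1), "subway"))   # refused
    print(dev.handle(make_frame(key, REPROGRAM, 2), "clinic"))   # accepted
```
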
[Figure: Equipment used to attack an implantable cardiac defibrillator (ICD).]
Remedy: Regulation
Premarket approval for life-sustaining
IMDs should explicitly evaluate security and privacy—leveraging the body
of knowledge from secure systems
and security metrics communities.
Manufacturers have already deployed
hundreds of thousands of IMDs without voluntarily including reasonable
technology to prevent the unauthorized induction of a fatal heart rhythm.
Thus, future regulation should provide incentives for improved security
and privacy in IMDs.
Regulatory aspects of protecting
privacy are more complicated, especially in the United States. Although
the U.S. Food and Drug Administration has acknowledged deleterious
effects of privacy violations on patient
health,[2] there is no ongoing process or
explicit requirement that a manufacturer demonstrate adequate privacy
protection. The FDA has no legal remit from Congress to directly regulate
privacy (the FDA does not administer
HIPAA privacy regulations).
Photograph by Ben Ransford
Call to Action
My call to action consists of two parts