Security and Privacy for Implantable Medical Devices Presented by Tuo Yu 1.

Implantable Medical Devices
Implantable medical devices (IMDs) monitor and treat physiological conditions within the body. Examples:
- Pacemakers
- Implantable Cardiac Defibrillators (ICDs)
- Drug delivery systems
- Neurostimulators
By 2008, 25 million US citizens were reliant on them for life-critical functions. (Image source: groups.csail.mit.edu)

Implantable Cardiac Defibrillators
ICDs sense cardiac events, execute therapies, and store measurements such as electrocardiograms. Healthcare professionals configure the settings on ICDs using an external device called a programmer.

Implantable Cardiac Defibrillators (continued)
At-home monitors wirelessly collect data from ICDs and relay it to a central repository, which is accessible to doctors.

Criteria for IMDs
- Safety: the IMD should net much greater good than harm.
- Utility: the IMD should be useful to both clinicians and patients.
- Security
- Privacy

Motivation
Providing safety doesn't prevent security and privacy problems. Our understanding of how device security and privacy affect medical safety and treatment utility is still limited.
- What should be the security and privacy design goals for IMDs?

Related Work
“Security for Pervasive Healthcare” (Venkatasubramanian et al., Security in Distributed, Grid, Mobile, and Pervasive Computing, 2007):
- Efficient methods for securely communicating with medical sensors, including IMDs.
- Controlling access to patient data after aggregation into a management plane.
- Legislative approaches for improving security.
That work only considers the security and privacy of IMD data management by external applications. This paper focuses on the challenges and design criteria inherent in IMDs themselves.

A General Framework
The paper presents a general framework for evaluating the security and privacy of next-generation wireless IMDs. It:
- Finds inherent tensions between security, privacy and traditional goals such as safety and utility.
- Presents a set of possible research directions.
- Provides a foundation for IMD manufacturers to evaluate, understand, and address the security and privacy challenges.

Criteria for IMDs
- Safety and utility goals
- Security and privacy goals

Safety and Utility Goals
① Data access. Data should be available to appropriate entities.
② Data accuracy. Measured and stored data should be accurate. Example: a clock function abnormality.

Safety and Utility Goals (continued)
③ Device identification. An IMD should make its presence and type known to authorized entities.
④ Auditable. In the event of a failure, the manufacturer should be able to audit the device's operational history.
⑤ Configurability.
⑥ Updatable software.
⑦ Resource efficient.
…

Security and Privacy Goals
① Authorization: personal authorization. Specific sets of people can perform specific tasks.

Task             | Patient A | Physician A | Physician B
Configure        | X         | √           | √
Update Software  | X         | X           | √
Read Log         | √         | √           | √

Security and Privacy Goals
① Authorization: role-based authorization. An entity is authorized for a set of tasks on the basis of its role.

Task             | Patient | Physicians
Configure        | X       | √
Update Software  | X       | X
Read Log         | √       | √

Security and Privacy Goals
① Authorization: IMD selection. When an external entity communicates with one or more IMDs, it must ensure it communicates with only the intended devices.

Security and Privacy Goals
② Availability. An adversary should not be able to mount a successful denial-of-service (DoS) attack against an IMD.

Security and Privacy Goals
③ Device software and settings. Only authorized parties should be allowed to modify an IMD or to otherwise trigger specific device behavior.

Security and Privacy Goals
④ Device-existence privacy. An unauthorized party should not be able to remotely determine that a patient has one or more IMDs.

Security and Privacy Goals
Even if a device's existence is revealed:
⑤ Device-type privacy. The IMD's type should still only be disclosed to authorized entities.
⑥ Specific-device ID privacy. An adversary should not be able to wirelessly track individual IMDs.
⑦ Bearer privacy. An adversary should not be able to exploit an IMD's properties to identify the bearer or extract private information about the patient.

Security and Privacy Goals
⑧ Measurement and log privacy. An unauthorized party should not be able to learn private information about the measurements or audit log data stored on the device.
⑨ Data integrity. An adversary should not be able to tamper with past device measurements or log files, or induce specious modifications into future data.

Classes of Adversaries
- Passive adversaries
- Active adversaries
- Coordinated adversaries
- Insiders
Equipment available to the adversary:
- Standard equipment (commercial equipment, stolen programmer)
- Custom equipment (home-brewed equipment)

Tensions - Security vs Accessibility
Scenario A: emergency room. The patient is unconscious, and the clinician needs physiological information, the IMD settings, the patient's name, and so on. Accessibility is favoured here; security suffers.

Tensions - Security vs Accessibility
Scenario B: IMDs use strong access-control and cryptographic mechanisms. Security is favoured; accessibility suffers: the unconscious patient's IMD cannot be accessed at all.

Tensions - Security vs Device Resources
Strong security mechanisms:
- Can be expensive in terms of both computational time and energy consumption.
- Amplify the effects of certain malicious DoS attacks.
- Maintaining transaction logs potentially overflows a device's onboard memory.

Tensions - Security vs Usability
Long-distance wireless communication between IMDs and external devices:
- Usability benefit: offers continuous at-home monitoring and flexibility in clinical settings.
- Security cost: increases exposure to both passive and active adversaries.
Security mechanisms shouldn't overly complicate user interfaces on the external devices.

Research directions
① Fine-grained access control
Scenario: the patient is unconscious and an external device needs access to the IMD.
1. The IMD reveals its manufacturer, its serial number and the patient's primary-care facility.
2. The external device sends a request over the network to the primary-care facility or manufacturer, which reviews it.
3. If the request is approved, the primary-care facility or manufacturer returns a signed credential.
4. The external device uses the credential to access the IMD.
This ensures that the manufacturer or primary-care facility has ultimate control over which external devices can interact with a particular IMD.
Open question: what if the network connection is severed?

Research directions
② Open access with revocation and second-factor authentication
- Revoke access from lost or stolen equipment through automatically expiring certificates.
- This approach exposes IMDs to compromised equipment for short periods.
- IMD programmers could require a secondary authentication token (e.g., a smart card) tied to a medical professional's identity.
- That might decrease usability and increase emergency response time.
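The following is an added example, not code from the paper or the talk, that models the fine-grained access-control flow (request, review, signed credential, access) together with the role-based task table, IMD selection, and revocation through automatically expiring credentials. The task table, the names, and the use of an HMAC key shared between the issuing authority and the IMD are assumptions made for illustration; a real design would use a signature scheme with keys provisioned by the manufacturer rather than a shared secret.

```python
"""Toy model of credential-based IMD access control (added example)."""
import hashlib
import hmac
import json
from typing import Tuple

# Role-based task table, following the slide: patients may read the log,
# physicians may also configure.  The slide marks software updates X for
# both roles; a separate "manufacturer" role is an assumption added here.
ROLE_TASKS = {
    "patient": {"read_log"},
    "physician": {"read_log", "configure"},
    "manufacturer": {"read_log", "configure", "update_software"},
}


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so issuer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True).encode()


class Authority:
    """Primary-care facility or manufacturer that reviews access requests."""

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, imd_serial: str, holder: str, role: str,
              ttl_s: int, now: float) -> dict:
        # The credential names the target device, the holder, the role and
        # an expiry.  The expiry is what revokes lost or stolen equipment
        # without any further contact with the IMD.
        body = {"imd": imd_serial, "holder": holder, "role": role,
                "exp": now + ttl_s}
        tag = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class IMD:
    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self.key = key  # shared with the authority (simplifying assumption)

    def authorize(self, cred: dict, task: str, now: float) -> Tuple[bool, str]:
        body = cred["body"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cred["tag"]):
            return False, "bad signature"                     # forged or altered
        if body["imd"] != self.serial:
            return False, "credential is for another device"  # IMD selection
        if now > body["exp"]:
            return False, "credential expired"                # automatic revocation
        if task not in ROLE_TASKS.get(body["role"], set()):
            return False, "task not permitted for role"
        return True, "ok"


def demo() -> list:
    """Walk through the slide's flow with constructed values; returns the decisions."""
    authority = Authority(key=b"constructed-shared-key")
    imd = IMD("IMD-0001", key=b"constructed-shared-key")
    t0 = 1_000.0
    cred = authority.issue("IMD-0001", "physician_a", "physician", ttl_s=600, now=t0)
    # An altered body with the original tag: the MAC no longer matches.
    forged = {"body": dict(cred["body"], role="manufacturer"), "tag": cred["tag"]}
    return [
        imd.authorize(cred, "configure", t0 + 60),         # accepted
        imd.authorize(cred, "update_software", t0 + 60),   # role lacks the task
        imd.authorize(cred, "configure", t0 + 3_600),      # expired
        imd.authorize(forged, "update_software", t0 + 60), # MAC mismatch
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of checks matters: the MAC is verified before any field of the body is trusted, so an altered role or serial number is rejected as a bad signature rather than evaluated. The expiry check is what makes the "short exposure window" of the revocation slide concrete: a stolen programmer keeps working only until its credential's `exp` passes.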

Research directions
③ Accountability
Deter malicious activities by correlating them with a cryptographic audit log that can't be undetectably modified.
- Physicians could review the log when detecting certain anomalies in a patient's care.
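An added example (not code from the paper or the talk) of the simplest audit log with the property the slide asks for: each entry commits to the hash of the previous one, so editing, inserting or dropping an entry breaks the chain at that point. The entry fields, the actor and action strings, and the idea of checking against a "trusted head" held off-device are assumptions made for illustration.

```python
"""Hash-chained audit log with tamper detection (added example)."""
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64  # previous-hash value of the very first entry


class AuditLog:
    """Append-only log; every entry carries the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the stored hash itself, in canonical order.
        payload = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, action: str, ts: int) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts, "actor": actor, "action": action, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """The latest hash; publishing it off-device anchors the whole chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[dict], trusted_head: str) -> int:
    """Return -1 if the chain is intact and ends at trusted_head.

    Otherwise return the index of the first inconsistent entry, or
    len(entries) if every link is consistent but the chain does not end at
    the trusted head (truncation or a wholesale rewrite)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or AuditLog._digest(e) != e["hash"]:
            return i
        prev = e["hash"]
    return -1 if prev == trusted_head else len(entries)


def demo() -> Tuple[List[dict], str]:
    """Build a short constructed log of one programming session."""
    log = AuditLog()
    log.append("physician_a", "connect", ts=100)
    log.append("physician_a", "configure:pacing_rate", ts=101)
    log.append("physician_a", "disconnect", ts=102)
    return log.entries, log.head()


if __name__ == "__main__":
    entries, head = demo()
    print("intact:", verify(entries, head) == -1)
```

The chain alone only protects against edits made by someone who does not rewrite every later hash as well; an adversary with full control of the device could regenerate the whole log. That is why `verify` also takes a `trusted_head`: if the device periodically reports its head hash over a channel the adversary does not control (the patient notification channel of the next slide, or the primary-care facility), a rewritten or truncated log is still detected.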

Research directions
④ Patient awareness via secondary channels
Use secondary channels to inform patients about their IMDs' security status.
- The IMD issues a notification whenever it establishes a wireless connection with an external device or whenever a critical setting changes.
- This does not directly prevent attacks, but it helps detect them.

Research directions
⑤ Authorization via secondary channels
- Use near-field communication for initial activation. After activation, the physician can program the device from a greater distance for a longer period of time.
- The IMD ceases wireless communications when its sensors (e.g., built-in accelerometers) detect that its environment has changed significantly.
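An added example (not code from the paper or the talk) of the IMD side of this two-channel idea: a near-field contact opens a programming window of fixed length, and far-field commands are accepted only inside that window and only while the accelerometer reading stays close to the reading captured at activation. The window length, the use of acceleration magnitude as the "environment" signal, and the threshold are assumptions made for illustration; a real device would use a richer motion model.

```python
"""Near-field activation with motion-based session termination (added example)."""
import math
from typing import Optional, Tuple

Vec3 = Tuple[float, float, float]  # accelerometer sample in m/s^2


def magnitude(v: Vec3) -> float:
    return math.sqrt(v[0] ** 2 + v[1] ** 2 + v[2] ** 2)


class ProgrammingSession:
    def __init__(self, window_s: float, motion_threshold: float) -> None:
        self.window_s = window_s                  # how long far-field access lasts
        self.motion_threshold = motion_threshold  # m/s^2 change that ends the session
        self.active_until: Optional[float] = None
        self.baseline: Optional[Vec3] = None

    def activate_near_field(self, now: float, accel: Vec3) -> None:
        # Near-field contact is the proximity proof: it opens the window and
        # records what the environment looked like at activation time.
        self.active_until = now + self.window_s
        self.baseline = accel

    def environment_changed(self, accel: Vec3) -> bool:
        if self.baseline is None:
            return True
        return abs(magnitude(accel) - magnitude(self.baseline)) > self.motion_threshold

    def accept_far_field(self, now: float, accel: Vec3) -> bool:
        """Decide whether a far-field programming command is accepted now."""
        if self.active_until is None or now > self.active_until:
            return False  # no window open, or the window has expired
        if self.environment_changed(accel):
            # Patient was moved (or carried away): close the window at once.
            self.active_until = None
            return False
        return True

    def is_active(self, now: float) -> bool:
        return self.active_until is not None and now <= self.active_until


def demo() -> list:
    """Constructed timeline: activate, program, patient moved, retry."""
    s = ProgrammingSession(window_s=300.0, motion_threshold=2.0)
    at_rest = (0.0, 0.0, 9.8)
    results = [s.accept_far_field(5.0, at_rest)]          # before activation
    s.activate_near_field(now=0.0, accel=at_rest)
    results.append(s.accept_far_field(10.0, (0.1, 0.0, 9.7)))   # small jitter
    results.append(s.accept_far_field(20.0, (5.0, 5.0, 9.8)))   # large change
    results.append(s.accept_far_field(25.0, at_rest))           # session gone
    return results


if __name__ == "__main__":
    print(demo())
```

The failure mode the slide cares about is a session that outlives its context; here both the clock and the motion check close it, and once closed only another near-field contact reopens it.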

Research directions
⑥ Shift computation to external devices
- Offload computation to external devices via client puzzles, to reduce a DoS attack's efficacy.
- Use a resource-rich device to mediate communication between an IMD and an external programmer: the IMD talks to the mediator using lighter-weight symmetric encryption, and the mediator talks to the programmer using expensive asymmetric encryption.
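An added example (not code from the paper or the talk) of a hash-based client puzzle of the kind the slide refers to: the IMD hands out a nonce and a difficulty, the programmer must find a value whose SHA-256 with that nonce has a given number of leading zero bits, and the IMD checks the answer with a single hash. The nonce size, the puzzle construction, and the one-use bookkeeping in `PuzzleGate` are assumptions made for illustration.

```python
"""Hash-based client puzzle: cheap to issue and verify, costly to solve (added example)."""
import hashlib
import os
from typing import Optional, Set, Tuple


def new_puzzle(difficulty_bits: int, nonce: Optional[bytes] = None) -> Tuple[bytes, int]:
    """IMD side: a fresh random nonce; cheap to make and to store."""
    return (nonce if nonce is not None else os.urandom(16)), difficulty_bits


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def check_solution(nonce: bytes, difficulty_bits: int, solution: int) -> bool:
    """IMD side: exactly one hash, regardless of difficulty."""
    h = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return _leading_zero_bits(h) >= difficulty_bits


def solve_puzzle(nonce: bytes, difficulty_bits: int) -> Tuple[int, int]:
    """Programmer side: brute force; returns (solution, hashes tried).

    Expected work is about 2**difficulty_bits hashes, which is the cost
    shifted from the IMD onto the external device."""
    solution = 0
    while not check_solution(nonce, difficulty_bits, solution):
        solution += 1
    return solution, solution + 1


class PuzzleGate:
    """IMD-side bookkeeping: every nonce is accepted once, then forgotten."""

    def __init__(self, difficulty_bits: int) -> None:
        self.difficulty_bits = difficulty_bits
        self.outstanding: Set[bytes] = set()

    def issue(self, nonce: Optional[bytes] = None) -> Tuple[bytes, int]:
        nonce, bits = new_puzzle(self.difficulty_bits, nonce)
        self.outstanding.add(nonce)
        return nonce, bits

    def admit(self, nonce: bytes, solution: int) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown, or already consumed: no replay
        if not check_solution(nonce, self.difficulty_bits, solution):
            return False
        self.outstanding.discard(nonce)
        return True


def demo() -> Tuple[int, bool, bool]:
    """Constructed exchange: issue, solve, admit once, refuse the replay."""
    gate = PuzzleGate(difficulty_bits=10)
    nonce, bits = gate.issue(b"constructed-nonce-01")
    solution, tries = solve_puzzle(nonce, bits)
    first = gate.admit(nonce, solution)
    replay = gate.admit(nonce, solution)
    return tries, first, replay


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the code: the difficulty can be raised while the IMD is under load, since the verification cost never changes, and the `outstanding` set must itself be bounded (an expiry per nonce or a fixed-size table), otherwise issuing puzzles becomes the resource an attacker exhausts.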

Conclusion
This paper shows the inherent tensions between security, privacy and traditional goals such as safety and utility, and proposes research directions for mitigating the tensions between the various goals.
- An ultimate solution will require experts from the medical and security communities and all other relevant communities to collaboratively make decisions on both mechanisms and policies.

Discussion
- What if the token of the emergency room is leaked?
- Is it reasonable to consider the design criteria inherent in IMDs alone?

Thank you

Motivation
“… to date, most devices have been isolated from networks and do not interoperate. This paradigm is changing now, creating new challenges in medical device design.” (Paul Jones, US Food and Drug Administration, personal communication, Aug. 2007)
Providing safety doesn't prevent security and privacy problems. Our understanding of how device security and privacy interact with and affect medical safety and treatment utility is still limited.