From Pacemakers to Infusion Pumps – Medical Implants Require New Cybersecurity Solutions
The unique security challenges of implantable medical devices.
July 13, 2022
Implantable medical devices have been saving lives since the first pacemaker was installed in 1958 – that’s over half a century. New breakthroughs are being made nearly every day. A few examples of implantable medical devices in use right now include deep brain stimulators for patients with epilepsy or Parkinson’s disease, drug delivery systems using infusion pumps and various sensors to collect and process vital signs
Increasingly, medical implants have connections to the internet. The connection allows healthcare providers to download data, and programmers to update the software.
That connection can make them vulnerable to attacks, which may be exacerbated by constraints of the device itself: limited computing power and battery capacity.
“We don’t want anyone to be able to hijack or to capture that transmission and get that data or interfere with what’s going on,” said IEEE Member Rebecca Herold.
TINY, ENCRYPTED COMMUNICATIONS
Communications between an implantable device and the laptop, phone, tablet, or device it is connected to often aren’t encrypted. The devices themselves are small, and may not have enough computing power to employ certain types of encryption.
But that may be changing as awareness of potential security risks grows.
Researchers are now actively exploring the use of the body’s own data to form the cryptographic key that both devices will use to establish secure communications. In an article in IEEE Access, for example, researchers discuss the use of electrocardiogram data as a benchmark for communications between medical sensors. The use of signals from the body, a form of biometrics, allows the establishment of a secure connection with limited computing resources.
BATTERY ATTACKS
Implants are also susceptible to attacks on their batteries, which can come in two forms.
An attacker can request the implant to establish a secure channel using incorrect credentials, which causes implants to run part of an energy-consuming authentication protocol. This drains the battery. In another attack, the bad actor generates electromagnetic noise in order to cause high error rates at the implant transceiver. This increases its energy consumption due to an increased number of free transmissions. The increased noise may also force the implant to increase its transmission power, which reduces battery life.
“The major risk is the interruption of the operation of the implant,” said IEEE Member Jéferson Nobre. “Since these attacks can be performed using legitimate tasks, defense can be performed using timeout or behavior anomaly detection.”
While these types of attacks are largely theoretical, they have been shown to be feasible through several demonstrations by security researchers. And in some cases, individuals have even had wireless connectivity to their implants disabled to prevent the attack.
“It’s one of the easiest to mount highly effective attacks,” said Shally Gupta, an IEEE Graduate Student Member.
Gupta said to defend against these attacks device makers are increasingly turning to zero-power defense strategies – defenses that don’t rely on the device’s battery power. One example turns the attack on its head.
The strategy was recently described in an article published on IEEE Access: “The Implantable Medical Device (IMD) first harvests energy from wireless messages received from the external entity and then performs the authentication operation using this free energy. The IMD does not switch to its main battery for subsequent operations until and unless the external entity is authenticated.”
“This ensures that the IMD does not deplete its battery responding to bogus messages from entities,” Gupta said.
LEARN MORE:
If you’d like to learn more about how cybersecurity vulnerabilities in medical devices are discovered and managed, check out this webinar from the IEEE Standards Association.
Video Transcript
What is a battery denial of service attack? How can they be defended against?
Rebecca Herold, IEEE Member: “Now, this type of attack is often launched by making continuous authentication requests from the adversary to the device itself. It’s effective because all these requests require power in order to respond to them, right … to check, to see if the authentication is valid and then to make sure that it gives the proper response back to it. So by doing this ongoing reaction to all these different types of authentication requests, it uses up the power in the device. The power runs out of energy. It goes down.
So the risk, well, if the attack is successful, the device will run out of energy and stop working. So imagine if that implantable is actually something that the patient is using, it depends upon for their health or to actually even live.”
Bits, Bytes, Buildings and Bridges: Digital-Driven Infrastructure
Impact of Technology in 2024
Emerging AI Cybersecurity Challenges and Solutions
The Skies are Unlimited
Smart Cities 2030: How Tech is Reshaping Urbanscapes
Impact of Technology 2023
Cybersecurity for Life-Changing Innovations
Smarter Wearables Healthier Life
Infrastructure In Motion
The Impact of Tech in 2022 and Beyond
Cybersecurity, Technology and Protecting Our World
How Technology Helps us Understand Our Health and Wellness
The Resilience of Humanity
Harnessing and Sustaining our Natural Resources
Creating Healthy Spaces Through Technology
Exceptional Infrastructure Challenges, Technology and Humanity
The Global Impact of IEEE's 802 Standards
Scenes of our Cyber Lives: The Security Threats and Technology Solutions Protecting Us
How Millennial Parents are Embracing Health and Wellness Technologies for Their Generation Alpha Kids
Space Exploration, Technology and Our Lives
Global Innovation and the Environment
How Technology, Privacy and Security are Changing Each Other (And Us)
Find us in booth 31506, LVCC South Hall 3 and experience the Technology Moon Walk
Virtual and Mixed Reality
How Robots are Improving our Health
IEEE Experts and the Robots They are Teaching
See how millennial parents around the world see AI impacting the lives of their tech-infused offspring
Take the journey from farm to table and learn how IoT will help us reach the rising demand for food production
Watch technical experts discuss the latest cyber threats
Explore how researchers, teachers, explorers, healthcare and medical professionals use immersive technologies
Follow the timeline to see how Generation AI will be impacted by technology
Learn how your IoT data can be used by experiencing a day in a connected life
Listen to technical experts discuss the biggest security threats today
See how tech has influenced and evolved with the Games
Enter our virtual home to explore the IoT (Internet of Things) technologies
Explore an interactive map showcasing exciting innovations in robotics
Interactively explore A.I. in recent Hollywood movies
Get immersed in technologies that will improve patients' lives