Security for Implantable Medical Devices

Interesting study: "Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices," Tamara Denning, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel.

Abstract: Implantable medical devices (IMDs) improve patients' quality of life and help sustain their lives. In this study, we explore patient views and values regarding their devices to inform the design of computer security for wireless IMDs. We interviewed 13 individuals with implanted cardiac devices. Key questions concerned the evaluation of 8 mockups of IMD security systems. Our results suggest that some systems that are technically viable are nonetheless undesirable to patients. Patients called out a number of values that affected their attitudes towards the systems, including perceived security, safety, freedom from unwanted cultural and historical associations, and self-image. In our analysis, we extend the Value Sensitive Design value dams and flows technique in order to suggest multiple, complementary systems; in our discussion, we highlight some of the usability, regulatory, and economic complexities that arise from offering multiple options. We conclude by offering design guidelines for future security systems for IMDs.

Posted on April 15, 2010 at 1:55 PM • 10 Comments

Comments

AppSec • April 15, 2010 2:57 PM

Don't confuse IMDs with WMDs...

The government might have to come scouring your body for them.

bitmonger • April 16, 2010 8:51 AM

Isn't it possible to have a physical switch of some sort to enable wireless control?

Maybe a pressure driven switch that could be triggered with a syringe.

There would still be a risk while the patient's device was in that mode, but that seems like a better idea than this password of death thing.

vedaal • April 16, 2010 9:02 AM

The disturbing part about the article is that the authors didn't interview the medical personnel who need the information about the device to clinically intervene.

For a first responder, there is no effective substitute for a necklace or bracelet identification.

Here is a case in point:

A few years ago, there was someone who had a defibrillator pacemaker who had a respiratory arrest from smoke inhalation.
(Fortunately, he did OK and recovered without problems).
As I quickly ventilated him by mask and ambu bag, his heart rate, which was totally paced, started to increase rapidly, all with paced beats. As I temporarily slowed the ventilation to examine the rhythm, the pacing beats slowed. I asked the other responder to check the bracelet, and sure enough, it said:
"PPM/AICD DDDRD. Hyperventilation is interpreted by the pacemaker as a need for increased cardiac output and the pacemaker rate will increase. This is NOT a malfunction. Maintain respiratory rate between 12 to 15 for normal pacing."

(Here is a listing of helpful pacemaker defibrillator acronyms: http://emedicine.medscape.com/article/780825-overview )

A simple security solution, not entertained by the authors, would be to have the code transmittable by placing a magnet over a selective end of the pacemaker.

(Pacemakers have a distinctive outline and are easy to see and feel close to the surface of the chest wall.
Normally, all pacemakers have a 'Reed switch', a simple small iron element that will rise toward a magnet, thereby breaking the continuity of a circuit within the pacemaker. The circuit transmits an inhibitory signal, telling the pacemaker not to fire when it senses a normal heartbeat. During operations with electrocautery, the electric signal is interpreted as 'normal' cardiac electric activity, and the pacemaker is inhibited and stops. Standard practice is to place a magnet over the pacemaker, and allow it to fire in asynchronous mode. (Still needs constant monitoring if the person 'does' have underlying heartbeats, as it may cause dangerous arrhythmias if the paced beat falls onto a specific vulnerable portion of a normal beat.))

A similar 'Reed Switch circuit' could be placed in a far end of the pacemaker (far away enough that it wouldn't affect the 'pacing' part) in a distinctively shaped portion of the pacemaker (i.e. a rounded triangular end easily felt in the dark by any responder).

The circuit would be 'inhibitory', and keep the unit from transmitting the required activation code. Once a magnet is placed near the triangular tip, the inhibitory circuit would be broken, the activation code would be wirelessly transmitted, and any necessary intervention could then be wirelessly programmed into the pacemaker (or other implantable device with external wireless programmability).

BTW,

I have never met 'any' pacemaker patient who objected to wearing a bracelet or necklace.
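To make the physical-gate idea concrete (the pressure switch in bitmonger's comment and the reed-switch-released activation code in vedaal's), here is an added Python model of a device whose programming interface accepts commands only during a short window opened by a physical trigger. This is hypothetical example code, not from the paper or any real device; the window length, the one-time session code and the command strings are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GatedImd:
    """Hypothetical IMD whose wireless programming is gated by a physical trigger.

    The trigger (a magnet on a reed switch, or a pressure switch) opens a
    time-limited window and releases a fresh one-time session code. Outside
    the window, or without the code, every programming command is refused.
    The timeout bounds the exposure bitmonger worried about while the device
    is in its programmable mode.
    """
    window_s: float = 60.0                      # assumed window length
    log: List[Tuple] = field(default_factory=list)
    _session_code: Optional[str] = None
    _expires_at: float = 0.0

    def magnet_applied(self, now: float) -> str:
        """Reed switch breaks the inhibitory circuit: open a window and
        emit a new code (in a real device this would go over the short-range
        link; here it is simply returned). A repeat touch re-keys the window."""
        self._session_code = secrets.token_hex(4)
        self._expires_at = now + self.window_s
        return self._session_code

    def program(self, code: str, command: str, now: float) -> bool:
        """Accept `command` only inside an open window and with the right code."""
        if self._session_code is None or now >= self._expires_at:
            self.log.append(("rejected", command, "no open window"))
            return False
        # Constant-time comparison; mismatched lengths compare unequal.
        if not secrets.compare_digest(code, self._session_code):
            self.log.append(("rejected", command, "bad code"))
            return False
        self.log.append(("accepted", command))
        return True

    def window_open(self, now: float) -> bool:
        return self._session_code is not None and now < self._expires_at
```

The clock is passed in explicitly so the behaviour at the window boundary can be checked deterministically.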

MoJo • April 16, 2010 12:44 PM

Eventually medical devices like pacemakers will become commodity items. People will pay more for higher end ones, and people will copy their design and software.

One day some unlucky patient will go to wipe his arse and find the following message printed on the paper:

"Warning: You may be the victim of software counterfeiting. This copy of Cardiac Systems RhythmMaster Pro 2027 has an invalid product key. Please contact the place of purchase, or your pacemaker may experience reduced functionality (such as not beating) after the 3 day trial period expires."

Davi Ottenheimer • April 16, 2010 7:37 PM

haha, love this line: "Our results suggest that some systems that are technically viable are nonetheless undesirable to patients."

We used to say PEBKAC for that sort of issue (problem exists between keyboard and chair). I guess now you would say PEBBAM or PEBHAM?

Clive Robinson • April 17, 2010 4:56 AM

First thing we need to mention and get out of the way is "not required implantation".

Having just had a thallium / gamma camera heart scan I got chatting to the consultant in the "wait time" and we got talking about IMDs and the big big population percentage difference in the number of implants in the UK and the US.

Believe it or not something like one third of IMDs put in patients in the US really have no medically discernible benefit, and around another third have very little medical justification (I need to get access to the paper he told me about to get the actual figures etc).

Thus it would appear that in the US a significant number of people are undergoing a significant medical procedure that has greater short term risk than benefit. Apparently a lot of the reasoning is not based on the risk or benefit to the patient but the risk and benefit to the doctors and insurers involved.

So at the moment this is more germane to the US than other countries, however the likes of Taiwan are rapidly catching up.

It is difficult to get accurate figures for the actual number of patients with IMDs but the "market estimate" for the US is between thirty and fifty million patients and an 8.3% year-on-year increase. However I have a feeling the market forecast is all based on one set of market research and regurgitated in many reports so treat the figures with caution.

[Google bits of the following phrase to see why I think this:

"US demand for implantable medical devices will increase 8.3 percent annually to $48 billion in 2014. Although weakened in the past few years by product recalls and safety controversies, especially in the cardiac implant segment, growth will remain strong."]

So I had to dig around a bit. The upper figure (50 million) is based on the number of devices manufactured and the expected life time (20-30 years), however some people get IMDs updated more frequently (than others get new cars...). Part of this may well be due to reliability and other issues with some previous designs of IMDs being replaced around a rather low 7 years (a little under a third of the expected design life).

The IEEE has a special interest group covering IMDs and one report (ISBN: 978-1-4244-1335-5) from late 2007 indicates it is now a mature market and has had an evolution quite similar to that of Mobile Phone development.

If true then the effective price of IMDs is going to drop fairly quickly to the point where it is insignificant against the cost of the surgery involved. Which will in its turn bring the price of the surgery down and possibly its reliability up.

The consequence of this is that IMDs put in next year could still be in a live human in 2040.

Indirect Access Computer Malware in its various forms was effectively unknown until Win3.11/95 and it only stopped being "egoware" and became sophisticated in the last five to ten years. Would you put a PC with only the original first release of Win95 on the Internet today?

By the way it is not just IMDs where this very long product life vs. poor security is a real issue. Various Bills/laws are being prepared in the name of "the environment" where your electrical appliances will be remotely controlled by the utility companies for a whole host of reasons. The quite predictable outcome of this will be that such devices will be in situ for 20-30 years, and that once in place the power supply networks will quite rapidly become more brittle and that unless the appropriate security precautions are taken there will be a "major incident" wake up call like that related to drugs packaging and the cyanide laced Tylenol that caused at least seven deaths in the Chicago area back in '82.

Thus one of the reasons given for the increase in IMDs being implanted is "patient safety", that is IMDs vs. Drugs. This is not just incidents of drugs being either fake or tampered with, it is also, as seen with antibiotics, that the efficacy of new drugs is diminishing. Another reason is the failure of other passive implants (stents with built in drugs). And the "health care industry cost savings": there are some in the insurance industry that regard IMDs as being the less costly solution when compared to long-term use of expensive drugs followed by surgery with a much higher price, due in part to the rapid rise in the number of people in the US living to over 70 (that is the one off cost of the device and surgery today compared to the cost of 20 years on ever more costly drugs and proportionately much higher cost surgery).

Whatever the reason the growth rate in implantation is expected to be a little under 10% year on year for the foreseeable future, and around 10% of the US population have already had two IMDs implanted. It does not take much maths to realize that it won't be too long before having an IMD at 50 in the US will be the norm rather than the exception.

Two of the people (William H. Maisel, Tadayoshi Kohno) who wrote the paper Bruce linked to also wrote an article (behind a pay wall: http://content.nejm.org/cgi/content/extract/362/13/1164 ) for the New England Journal of Medicine which gives a more general overview of what the issues are with IMDs vs. Drug treatment and computer security.

For a more risk oriented view Kevin Fu (assistant professor of Computer Science at the University of Massachusetts Amherst) wrote an article in June 09 for the Communications of the ACM Inside Risks column ( http://www.csl.sri.com/users/neumann/insiderisks08.html#218 ).

However neither gives figures for the expected number of people to have an IMD implanted over the coming years. Which is a pity, as we know the likelihood of something happening goes up with the number of susceptible systems, often geometrically so. That is, there is usually a tipping point where the probability becomes a certainty.

As a not so odd turn up for the books it is actually this concern for patient safety (IMDs over drugs) and security of the patients' personal privacy with Wireless IMDs in the recent US Health Care Bill that gave rise to scare mongering about:

"Obama Health Care Bill To Include Implantable Microchips In People"
( http://www.puppetgov.com/2010/03/30/obama-health-care-bill-to-include-implantable-microchips-in-people/ )

It is without doubt a complex and politically fraught area of medicine within the US and soon will be only marginally less so outside of the US.

somebloke • April 19, 2010 6:26 AM

@Clive Robinson

"Would you put a PC with only the original first release of Win95 on the Internet today?"

Security issues wouldn't stop me from doing so. Windows 95 machines are so rare these days that they are very unlikely targets. That and the fact that they won't run any of the latest and greatest 'applications of interest' in terms of vulnerabilities to yer friendly neighbourhood cyber-scumbag - i.e. latest browsers, recent versions of Adobe Reader, Flash etc etc.

The fact that I don't have any disks for Win 95 anymore coupled with the fact that a Win 95 machine won't run any of the software I want to run are more pressing concerns...

But from a security perspective, I'd have no qualms about doing so.

Kevin Foley MD • April 19, 2010 11:50 PM

Many important technical points here: implantable devices (pacers/ICDs) exist in complement with their smart controllers (called 'programmers', external luggable computers). To receive instructions or telemeter out data, the implant has to recognize codes from the appropriate manufacturer programmer. Multiple instances of RF interference may exist, but the chances of reprogramming an implant with an inappropriate device are astronomically slim. Most patients carry an ID card listing the nature of their implanted device, have a medical alert bracelet indicating this information, or a few phone calls can locate the information and contact the appropriate manufacturer's representative to interrogate the device. Chest x-rays usually show information identifying the manufacturer of the device. Just trying to interrogate an implant with different programmers usually will identify the device. Different manufacturers use different proprietary communication protocols; previous efforts to build a 'universal' programmer have been unsuccessful. Trying to have the implant discern emergency conditions (other than an implanted defib delivering a shock) seems extremely unrealistic. This whole article seems to me to be people trying to come up with crazy solutions for a non-existent problem.

Clive Robinson • April 20, 2010 7:28 AM

@ Kevin Foley MD,

"Different manufacturers use different proprietary communication protocols--previous efforts to build a 'universal' programmer have been unsuccessful. Trying to have the implant discern emergency conditions (other than an implanted defib delivering a shock) seems extremely unrealistic. This whole article seems to me to be people trying to come up with crazy solutions for a non-existent problem."

That is the state of the implant market today, with devices designed as much as ten years ago going into people.

Two things seem fairly certain,

1, The number of implants going in is going to rise faster than the price drops.

2, Economy of scale will be forced onto the device manufacturers.

The result of this is almost always a standard at the interface level (or a collapsing market).

So within a very few years there will be a standard for the communications (in exactly the same way as the Hayes AT protocol did for dial up modems).

The simple reason for this is that these devices are supposed to have a 20-30 year life expectancy. If the different manufacturers all brought out a couple of incompatible products each year, there would be so many controllers that there would be no room in the ER / A&E for the patients...

Thus rather than "people trying to come up with crazy solutions for a non-existent problem", I would say they have a fairly good idea of what is likely to happen and want to apply hard won experience in other fields to prevent the same problems re-occurring in this field.

In general, science and engineering move forward by "borrowing from related fields of endeavor". The medical profession is almost universally "conservative" in its outlook (and rightly so), which almost always means the technical issues have been "knocked out" by others in the other fields of endeavor.

After a third of a century involved with designing leading edge systems in quite a few fields of endeavor (including medical electronics) I can see what the authors are saying has considerable merit and what they appear to be trying to do is quite commendable.

As has often been commented, "trying to re-invent the wheel" will save you time, but nowhere near as much as not "following the lemmings over the cliff". That is, you don't have to learn by your own mistakes; it is far quicker to learn by others' mistakes and not make them yourself...
