Entry Date:
February 28, 2012

IMD Shield: Securing Implantable Medical Devices

Principal Investigator Dina Katabi


Wireless communication has become an intrinsic part of modern implantable medical devices (IMDs). Recent work, however, has demonstrated that wireless connectivity can be exploited to compromise the confidentiality of IMDs’ transmitted data or to send unauthorized commands to IMDs—even commands that cause the device to deliver an electric shock to the patient. The key challenge in addressing these attacks stems from the difficulty of modifying or replacing already-implanted IMDs. Thus, in this project, we explore the feasibility of protecting an implantable device from such attacks without modifying the device itself. We present a physicallayer solution that delegates the security of an IMD to a personal base station called the shield. The shield uses a novel radio design that can act as a jammer-cum-receiver. This design allows it to jam the IMD’s messages, preventing others from decoding them while being able to decode them itself. It also allows the shield to jam unauthorized commands -- even those that try to alter the shield’s own transmissions. We implement our design in a software radio and evaluate it with commercial IMDs. We find that it effectively provides confidentiality for private data and protects the IMD from unauthorized commands.

The past few years have produced innovative health-oriented networking and wireless communication technologies, ranging from low-power medical radios that harvest body energy to wireless sensor networks for in-home monitoring and diagnosis. Today, such wireless systems have become an intrinsic part of many modern medical devices. In particular, implantable medical devices (IMDs), including pacemakers, cardiac defibrillators, insulin pumps, and neurostimulators all feature wireless communication Adding wireless connectivity to IMDs has enabled remote monitoring of patients’ vital signs and improved care providers’ ability to deliver timely treatment, leading to a better health care system.

Recent work at the computer science department in UMASS, has shown that such wireless connectivity can be exploited to compromise the confidentiality of the IMD’s transmitted data or to send the IMD unauthorized commands— even commands that cause the IMD to deliver an electric shock to the patient. In other systems, designers use cryptographic methods to provide confidentiality and prevent unauthorized access. However, adding cryptography directly to IMDs themselves is difficult for the following reasons:

• Inalterability: In the U.S. alone, there are millions of people who already have wireless IMDs, and about 300,000 such IMDs are implanted every year. Once implanted, an IMD can last up to 10 years, and replacing it requires surgery that carries risks of major complications. Incorporating cryptographic mechanims into existing IMDs may be infeasible because of limited device memory and hence can only be achieved by replacing the IMDs. This is not an option for people who have IMDs or may acquire them in the near future.

• Safety: It is crucial to ensure that health care professionals always have immediate access to an implanted device. However, if cryptographic methods are embedded in the IMD itself, the device may deny a health care provider access unless she has the right credentials. Yet, credentials might not be available in scenarios where the patient is at a different hospital, the patient is unconscious, or the cryptographic key storage is damaged or unreachable. Inability to temporarily adjust or disable an IMD could prove fatal in emergency situations.

• Maintainability: Software bugs are particularly problematic for IMDs because they can lead to device recalls. In the last eight years, about 1.5 million software-based medical devices were recalled. Between 1999 and 2005, the number of recalls of software-based medical devices more than doubled; more than 11% of all medical-device recalls during this time period were attributed to software failures. Such recalls are costly and could require surgery if the model is already implanted. Thus, it is desirable to limit IMDs’ software to only medically necessary functions.

This project explores the feasibility of protecting IMDs without modifying them by implementing security mechanisms entirely on an external device. Such an approach enhances the security of IMDs for patients who already have them, empowers medical personnel to access a protected IMD by removing the external device or powering it off, and does not in itself increase the risk of IMD recalls.