2. Table of Contents
What are IMDs?
IMD Architecture
Security Requirements
SECURITY SOLUTIONS FOR SUPPORTING EMERGENCY ACCESS
SECURITY SCHEMES FOR SUPPORTING REGULAR CHECK-ups
SECURITY SCHEMES FOR ADDRESSING IMD RESOURCE CONSTRAINTS
FUTURE WORK & CONCLUSION
3. What are IMDs?
• Implantable Medical Devices (IMDs) are miniaturized computer systems used for monitoring and treating various medical conditions.
• Modern IMDs are wireless.
• They are configured using external radio-wave programmers, e.g., for parameter configuration and data extraction.
• This exposes them to security attacks, because the wireless communication channel between the IMD and the programmer is in cleartext and hence is not protected cryptographically.
[Figure: programmer communicating with the IMD over the wireless channel]
5. IMD Architecture
• Adding a wireless module to the IMD has facilitated a convenient way to configure its relevant parameters, resulting in efficient remote monitoring of the patient.
• A device programmer communicates with the IMD through the wireless channel.
• Recent studies, however, have shown that an attacker can use the insecure wireless link to manipulate the operations performed on an IMD by sending unauthorized commands, thereby compromising the patient's security and privacy.
6. Security Requirements
Potential threats that need to be dealt with, and trade-offs that need to be considered, in the IMD security design.
• Threat Modelling
  • Passive Eavesdroppers: listen to an IMD's wireless transmissions and can capture and decode the transmitted data with off-the-shelf or custom-built radio equipment. This compromises the privacy and confidentiality of the patient.
  • Active Adversaries: replay recorded control commands, or generate new radio commands, to an IMD, aiming to modify the IMD's settings or to actively trigger data transmissions. More harmful, e.g., stopping a required insulin injection or injecting more than the required dose into the patient.
7. Power Denial of Service (DoS)
• An active-adversary attack that affects IMDs far more severely than other types of sensor node, because of the IMD's limited battery power.
• An IMD has a limited battery life of 5-10 years.
• Each communication consumes some power and memory.
• Continuous authentication requests from the attacker would drain the battery, or even deplete it entirely.
[Figure: attacker sending dummy authentication requests to the IMD]
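To make the energy argument on this slide concrete, here is an added example (not code from the slides or from any real device) that models an IMD's security energy budget under a flood of dummy authentication requests. The budget, the per-event costs and the rate-limit policy are all assumed, illustrative numbers; the point it shows is that receiving a frame is cheap but running the handshake is not, so an IMD that answers every request burns through its budget while one that caps handshakes per time window survives the same flood.

```python
"""Energy-budget model of an IMD under a flood of dummy authentication requests.

Constructed example, not from the slides or any real device: the battery
budget, per-event energy costs and the rate-limit policy are assumptions.
"""
from dataclasses import dataclass

# Assumed per-event costs in microjoules (illustrative only)
COST_RX_UJ = 5.0      # receiving and parsing one radio frame
COST_AUTH_UJ = 250.0  # running a full authentication handshake (crypto + reply)


@dataclass
class Imd:
    budget_uj: float               # energy set aside for security operations
    max_auth_per_window: int = 3   # policy: handshakes allowed per window
    window_s: float = 60.0
    processed: int = 0             # handshakes actually run
    dropped: int = 0               # requests refused by the rate limit
    _window_start: float = 0.0
    _window_count: int = 0

    def handle(self, t: float, rate_limit: bool) -> bool:
        """Handle one inbound authentication request arriving at time t (seconds).

        Returns True if the IMD ran the (expensive) handshake. Receiving the
        frame always costs energy; the rate limit only avoids the handshake.
        """
        if self.budget_uj <= 0:
            return False               # security budget already exhausted
        self.budget_uj -= COST_RX_UJ
        if rate_limit:
            if t - self._window_start >= self.window_s:
                self._window_start, self._window_count = t, 0
            if self._window_count >= self.max_auth_per_window:
                self.dropped += 1
                return False
            self._window_count += 1
        self.budget_uj -= COST_AUTH_UJ
        self.processed += 1
        return True


def attacker_flood(duration_s: float, rate_hz: float) -> list:
    """Arrival times of dummy requests sent at a constant rate (constructed traffic)."""
    return [i / rate_hz for i in range(int(duration_s * rate_hz))]


def simulate(arrivals: list, budget_uj: float, rate_limit: bool) -> Imd:
    """Replay the arrivals against a fresh IMD and return its final state."""
    imd = Imd(budget_uj=budget_uj)
    for t in arrivals:
        imd.handle(t, rate_limit)
    return imd


if __name__ == "__main__":
    flood = attacker_flood(duration_s=600, rate_hz=2)   # 10 minutes at 2 req/s
    for policy in (False, True):
        imd = simulate(flood, budget_uj=100_000, rate_limit=policy)
        print(f"rate_limit={policy}: processed={imd.processed} "
              f"dropped={imd.dropped} remaining={imd.budget_uj:.0f} uJ")
```

With the assumed numbers, the unlimited IMD exhausts a 100 mJ budget after a few hundred requests, whereas the rate-limited IMD runs only 30 handshakes over the 10-minute flood and keeps most of its budget. A rate limit is not a complete defence (the radio still has to receive every frame), which is why the later slides also discuss proxies, energy harvesting and lightweight algorithms.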
8. Security Requirements
• Trade-offs in Security Design
  • Security vs. Accessibility: the design of IMD security safeguards should balance the requirements of security and device accessibility in an emergency situation.
  • Emergency Situation vs. Normal Circumstance: the need for emergency treatment of chronic patients bearing IMDs will not arise frequently, yet the security solutions proposed for supporting emergency access usually require extra resources.
  • Strong Security vs. Limited Resources: the IMD security design should achieve a trade-off between robust security and the device's resource constraints. A strong security mechanism, with capabilities such as authentication, encryption, non-repudiation and authorization, will consume plenty of resources, which are limited in the IMD.
10. SECURITY SOLUTIONS FOR SUPPORTING EMERGENCY ACCESS
As discussed above, doctors must be able to access the IMD to perform emergency treatment of patients in a hospital setting where security tokens or keys may not be present.
External Proxy-Based Solutions
• Provides fail-open access in order to achieve the trade-off between security and accessibility.
• The use of an external security proxy requires little or no modification to the IMD.
• This design can mitigate battery-draining attacks on the IMD, since the majority of security operations are delegated to the external proxy device.
13. Biometric-Based Access Control
Biometric features of people are used for access control.
Two Level-AC:
• This proposed access control has two levels. In the first level, the patient's fingerprints, iris color and height are used.
• In the second level, an iris verification tool is used to unlock access to the IMD.
• In the emergency situation, a sample iris image is captured and converted into a sample iris code.
• However, a security flaw in biometrics-based approaches is that the selected biometric is normally unchangeable, and an attacker may gain access to the biometric template.
Heart-to-Heart (H2H):
• ECG signals are used for authentication to the IMD.
• The IMD can only be accessed by a programmer that is in physical contact with the patient.
• The ECG signal is measured by the programmer and compared with the ECG signal from the IMD for a match.
• These two signals are similar only when they are measured from the same body. Hence, an attacker can't gain access to the IMD using the patient's records or another person's ECG.
• Processing real-time ECG signals on every access attempt is both energy- and time-consuming.
15. Proximity-Based Security Schemes
The distance between the programmer and the IMD is used as an access control mechanism. Critical operations, e.g., fine-tuning the IMD, should use a security range much smaller than those used in remote monitoring.
Ultrasonic-AC:
• The protocol uses an ultrasonic distance-bounding technique to measure the range between the IMD and the programmer.
• The patient carries a security token that shares a secret key with the IMD.
• In the normal operation mode, the doctor places the programmer within a prescribed security range and uses the token from the patient to gain access to the IMD.
16. • In the emergency mode, when the token is not available, the IMD will generate a temporary secret key and share it with a programmer that is within its security range.
• However, this proximity-based security scheme could be breached if the adversary can get close to the patient, e.g., on public transport or in other public areas.
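The following is an added example, not code from the slides or from the Ultrasonic-AC paper, showing the access decision these two slides describe: the IMD derives a distance from the round-trip time of an ultrasonic challenge/response, compares it against a per-operation security range (smaller for fine-tuning than for monitoring), and, in emergency mode with no token, issues a temporary key only to a programmer inside that range. The speed of sound, the prover's processing delay and the range table are assumptions.

```python
"""Ultrasonic distance-bounding check for programmer access to an IMD.

Added example; not code from the slides. The sound speed, the per-operation
security ranges and the prover's processing delay are assumptions.
"""
import secrets

SPEED_OF_SOUND_M_S = 343.0      # assumed medium: air at about 20 °C

# Constructed policy: critical operations need a much smaller range than monitoring.
SECURITY_RANGE_M = {
    "fine_tune": 0.10,   # reprogramming therapy parameters
    "read_log": 0.50,
    "monitor": 2.00,     # routine telemetry
}


def distance_from_rtt(rtt_s: float, processing_delay_s: float,
                      speed: float = SPEED_OF_SOUND_M_S) -> float:
    """Distance implied by a challenge/response round trip over ultrasound.

    The verifier subtracts the prover's fixed processing delay and halves the
    remaining time of flight. A prover cannot make the echo arrive earlier than
    sound allows, so being *farther* than claimed is what the bound detects.
    """
    flight = rtt_s - processing_delay_s
    if flight < 0:
        raise ValueError("response arrived before the processing delay elapsed")
    return flight * speed / 2.0


def rtt_for_distance(distance_m: float, processing_delay_s: float = 0.001,
                     speed: float = SPEED_OF_SOUND_M_S) -> float:
    """Construct the round-trip time an honest programmer at distance_m would show."""
    return processing_delay_s + 2.0 * distance_m / speed


def access_decision(operation: str, rtt_s: float, has_token: bool,
                    processing_delay_s: float = 0.001):
    """Return (decision, distance_m, temp_key).

    decision is "deny" (out of range for this operation), "allow" (token
    present and in range) or "allow_temp_key" (emergency mode: no token but
    in range, so the IMD generates a temporary key for the nearby programmer).
    """
    distance = distance_from_rtt(rtt_s, processing_delay_s)
    if distance > SECURITY_RANGE_M[operation]:
        return "deny", distance, None
    if has_token:
        return "allow", distance, None
    # Emergency mode. The residual risk from the slide applies here: anyone who
    # can get physically this close to the patient also passes the range check.
    return "allow_temp_key", distance, secrets.token_bytes(16)


if __name__ == "__main__":
    for op, dist, token in [("fine_tune", 0.05, True), ("fine_tune", 0.80, True),
                            ("monitor", 0.80, True), ("fine_tune", 0.05, False)]:
        decision, d, key = access_decision(op, rtt_for_distance(dist), token)
        print(f"{op:10s} at {d:.2f} m, token={token}: {decision}")
```

The temporary key is returned to the caller only to show where it would be handed to the in-range programmer; a real scheme would also bind it to the session and expire it once the emergency access ends.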
17. Key Distribution Supporting Emergency Access
• Direct-KD: a direct key distribution (Direct-KD) method can be used to provide the key instantaneously during an emergency by printing the key on a bracelet or on the patient's skin.
• Public Key Cryptography: with a public key infrastructure, a certificate with a trusted party's public key can be deployed in the IMD initially. In emergencies, a programmer contacts the party and obtains a valid certificate, which is later used to establish a symmetric key between the IMD and the programmer. Public key cryptography is too expensive in terms of computation and energy consumption, so it is inappropriate for implantable medical sensor devices.
18. • ECG-KD: the technique of ECG-signal-based key distribution (ECG-KD) has been studied for use in wireless body area networks (WBANs) and IMDs. The PSKA scheme is used to convey the key securely from one sensor to another. The polynomial computation and construction is computationally expensive for the IMD, which has limited resources. A symmetric key is encrypted by a random BS generated from ECG signals, and decrypted in another WBAN sensor by a synchronously generated BS.
BS: binary sequence generated from ECG signals
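As an added example (not code from the slides, from PSKA or from the H2H paper), the block below works through the idea shared by the H2H slide and this ECG-KD slide, and by the one-time-pad note at the end of the deck: a binary sequence (BS) is derived from inter-pulse intervals (IPIs) of the ECG, two sensors on the same body agree on it while a different body yields a different one, and the sender XORs a symmetric key with its BS so that only a receiver with a matching BS recovers the key. The IPI values are constructed, the IPI-to-bit quantisation is an assumption, and the two same-body sensors are assumed to measure identical IPIs (perfect synchronisation); real schemes such as PSKA tolerate small mismatches with error-tolerant constructions (the polynomial-based fuzzy vault the slide mentions), which this example does not implement. A key-confirmation tag is added so the receiver can tell a mismatched pad from a good one.

```python
"""ECG-derived binary sequence (BS) used as a one-time pad to transport a key.

Added example, not from the slides or PSKA. IPIs are constructed; the
quantisation, the confirmation tag and perfect same-body synchronisation
are assumptions.
"""
import hashlib
import hmac

# Constructed IPIs in milliseconds, 32 beats each (128 bits at 4 bits per IPI).
SAME_BODY_IPIS = [812, 820, 799, 835, 847, 822, 810, 798, 805, 830, 841, 818,
                  809, 795, 827, 839, 816, 803, 811, 833, 845, 821, 807, 796,
                  826, 838, 815, 802, 813, 829, 842, 819]
OTHER_BODY_IPIS = [640, 655, 662, 648, 670, 659, 644, 651, 667, 673, 646, 658,
                   661, 649, 672, 654, 643, 666, 657, 650, 669, 645, 663, 656,
                   668, 652, 647, 671, 660, 653, 664, 665]


def ipis_to_bs(ipis_ms, bits_per_ipi=4, bucket_ms=8):
    """Quantise each IPI into a bucket and keep the low bits of the bucket index."""
    bits = []
    for ipi in ipis_ms:
        q = int(ipi // bucket_ms)
        bits.extend((q >> i) & 1 for i in range(bits_per_ipi))
    return bits


def bits_to_bytes(bits):
    """Pack a bit list (MSB first per byte) into bytes, dropping any partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def similarity(ipis_a, ipis_b):
    """Fraction of matching BS bits: the H2H-style 'same body?' comparison."""
    a, b = ipis_to_bs(ipis_a), ipis_to_bs(ipis_b)
    return sum(x == y for x, y in zip(a, b)) / len(a)


def otp(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a pad at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(x ^ y for x, y in zip(data, pad))


def confirm_tag(key: bytes) -> bytes:
    """Key-confirmation tag (assumed design) so a wrong pad is detected."""
    return hmac.new(key, b"ecg-kd-confirm", hashlib.sha256).digest()


def ecg_kd_transport(key: bytes, sender_ipis, receiver_ipis):
    """Sender masks the key with its BS; the receiver unmasks with its own BS.

    Returns (recovered_key, confirmed). confirmed is False whenever the
    receiver's BS differs from the sender's, as it does for another body.
    """
    pad_s = bits_to_bytes(ipis_to_bs(sender_ipis))
    pad_r = bits_to_bytes(ipis_to_bs(receiver_ipis))
    wire = otp(key, pad_s)        # what crosses the wireless channel
    tag = confirm_tag(key)        # sent alongside so the receiver can verify
    recovered = otp(wire, pad_r)
    return recovered, hmac.compare_digest(confirm_tag(recovered), tag)


if __name__ == "__main__":
    key = bytes(range(16))        # constructed 128-bit key
    print("same body  :", ecg_kd_transport(key, SAME_BODY_IPIS, SAME_BODY_IPIS)[1])
    print("other body :", ecg_kd_transport(key, SAME_BODY_IPIS, OTHER_BODY_IPIS)[1])
    print("similarity :", similarity(SAME_BODY_IPIS, OTHER_BODY_IPIS))
```

Because the pad is consumed by one key transport, it must never be reused, which is what makes the ECG's freshness (a new BS for each session) the property the scheme relies on; a recorded ECG from the past, like the patient's records the H2H slide mentions, yields a different BS and fails confirmation.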
21. SECURITY SCHEMES FOR ADDRESSING IMD RESOURCE CONSTRAINTS
This section examines security approaches which can address the resource constraint requirement of the IMD and counter power DoS attacks by using lightweight algorithms, harvesting energy and using a separate security unit.
A. Lightweight Security Algorithms
• Security functions should use as little energy as possible.
• Hosseini-Khayat proposed a lightweight security protocol to provide data confidentiality and authentication between the IMD and its base station.
• Strydis studied a number of symmetric (block) ciphers in terms of various metrics, such as power consumption, total energy budget, encryption rate and efficiency, program-code size and security level.
22. SECURITY SCHEMES FOR ADDRESSING IMD RESOURCE CONSTRAINTS
• A performance and power simulator, XTREM, was used to evaluate the ciphers; MISTY1, IDEA and RC6 were found to be the best-performing ciphers.
B. Energy Harvesting
• A potential way to counter power DoS attacks.
• Use the radio frequency (RF) based energy harvesting technique to power the security circuitry.
• A Wireless Identification and Sensing Platform (WISP), with an attached piezo-element, harvests energy from the wireless channel when it senses signals from a programmer.
23. SECURITY SCHEMES FOR ADDRESSING IMD RESOURCE CONSTRAINTS
C. Separate Security Unit
• Used to mitigate the security overhead on the IMD.
• For external proxy-based security solutions, shift the security-related computations to an external device.
• An experiment was performed using a cell phone to run the IMD authentication. The IMD does not run the computations and instead sleeps, thereby saving energy.
24. FUTURE WORK
A. Proper Assumptions
• Patients, doctors and hospitals, emergency medical personnel, and IMD manufacturers are trustworthy.
• The IMD may record all accesses and active commands of the past few months in its log for the purpose of analysis and detection.
• Licensed doctors are trustworthy and hospitals are a safe working environment.
B. Decoupled Design
• Divide the IMD into multiple submodules.
• Each component of the system works independently, and any change to one component has a minimal effect on the others.
• Reduces complexity and the risk of device recalls.
• Speedy approvals.
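The assumption above that the IMD keeps a log of accesses and active commands "for the purpose of analysis and detection" is worth showing in practice. The block below is an added example (not from the slides) that parses a constructed access log in an assumed format and applies two simple detection rules tied to the threats discussed earlier: a burst of failed authentications from one programmer (the power-DoS pattern) and a parameter-changing command from a programmer not on the implant-time allowlist (the unauthorized-command pattern). Log format, identifiers, allowlist and thresholds are all assumptions.

```python
"""Detection rules over a constructed IMD access log.

Added example, not from the slides. The log format, programmer identifiers,
allowlist and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, programmer id, event, outcome (one per line).
SAMPLE_LOG = """\
2024-03-02T09:15:02 PRG-CLINIC-07 AUTH OK
2024-03-02T09:15:10 PRG-CLINIC-07 READ_TELEMETRY OK
2024-03-02T09:16:40 PRG-CLINIC-07 SET_PARAM OK
2024-03-05T22:41:00 PRG-UNKNOWN-3F AUTH FAIL
2024-03-05T22:41:01 PRG-UNKNOWN-3F AUTH FAIL
2024-03-05T22:41:02 PRG-UNKNOWN-3F AUTH FAIL
2024-03-05T22:41:03 PRG-UNKNOWN-3F AUTH FAIL
2024-03-05T22:41:04 PRG-UNKNOWN-3F AUTH FAIL
2024-03-05T22:41:05 PRG-UNKNOWN-3F AUTH FAIL
2024-03-05T22:41:09 PRG-UNKNOWN-3F AUTH OK
2024-03-05T22:41:12 PRG-UNKNOWN-3F SET_PARAM OK
"""

# Assumed allowlist of programmers provisioned at implant time.
KNOWN_PROGRAMMERS = {"PRG-CLINIC-07"}


def parse_log(text: str) -> list:
    """Turn the space-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, event, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "event": event, "outcome": outcome})
    return events


def detect(events: list, known=KNOWN_PROGRAMMERS, fail_threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> list:
    """Return alerts: auth-failure bursts and SET_PARAM from unknown programmers."""
    alerts = []

    # Rule 1: >= fail_threshold AUTH FAILs from one programmer inside any window.
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH" and e["outcome"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    for src, times in fails.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= fail_threshold:
            alerts.append({"rule": "auth_flood", "src": src, "count": best})

    # Rule 2: a successful parameter change by a programmer not on the allowlist.
    for e in events:
        if e["event"] == "SET_PARAM" and e["outcome"] == "OK" and e["src"] not in known:
            alerts.append({"rule": "unknown_programmer_set_param",
                           "src": e["src"], "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Analysis of this kind would run on the programmer or clinic side after the log is read out, not on the IMD, in keeping with the slides' point that the implant should spend as little energy as possible on security work.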
25. FUTURE WORK
C. Safety Overrides Security
• The safety and utility of an IMD have a higher priority than its privacy and security requirements.
• E.g., guaranteed access for unauthorized doctors during an emergency situation.
• The major part of the IMD's resources should be allocated to supporting its medical functionality. So, designers must carefully weigh the costs arising from security algorithms against the safety and utility capabilities of the IMD.
• They can use lightweight security algorithms and power them using the energy harvesting method.
26. CONCLUSION
• By incorporating a tiny wireless module into the IMD, a doctor can configure parameters in the IMD and transmit medical data to/from it by using external programmers.
• However, an undesirable, yet inevitable, side effect is that these IMDs are increasingly vulnerable to security attacks.
• This paper has analyzed the threats faced by IMDs and the trade-offs that we need to consider in their security design.
• Since IMDs normally perform critical functions for chronic patients, the security issues in IMDs have to be addressed in a proactive manner, or else a patient may be exposed to severe, life-threatening health hazards.
Older IMDs used wires to communicate with circuitry outside the body. The wires are a common source of surgical complications, including breakage, infection and electrical noise.
Physiological-signal-based key agreement (PSKA) is a scheme for enabling secure inter-sensor communication within a BAN in a usable (plug-n-play, transparent) manner.
A one-time pad (OTP) is an encryption technique that cannot be cracked, but it requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key: the message is XORed with the random key.