The document discusses the security challenges of implantable medical devices (IMDs), emphasizing their importance in real-time patient monitoring and the risks associated with potential cyber attacks. It reviews current threats, constraints in strengthening IMD security, and proposed solutions including the use of external devices and communication protocols to mitigate these risks. The paper calls for continued innovation in IMD security to protect patient safety and devise better protective measures, addressing vulnerabilities associated with the increasing reliance on these technologies.

1. Security for Implantable
Medical Devic es (IMDs)

2. Abstract
Market Trends
Challenges / Constraints in making IMDs secure
Published Solutions
Threat Analysis
Conclusion
RReeffeerreenncceess
3
3
5
5
7
7
8
Table of Contents
© 2014, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.

3. Security for Implantable Medical Devices (IMDs) | 3
Implantable Medical Devices (IMDs) have significantly transformed the medical devices industry. Any device inserted directly
into a patient’s body would be very useful in monitoring his/her vital signs, especially in certain conditions such as
arrhythmias and diabetes. Such constant monitoring helps relay real-time information in case of life-threatening situations.
It also ensures that the patient receives medical attention quickly.
Active IMDs are devices that need a power source for their functioning. They connect with the external world wwiirreelleessssllyy aanndd
help in monitoring a patient’s condition, remotely. This presents a great advantage for patients, as these devices help to
extend and enhance the quality of life. For physicians this means real-time tracking of the patient’s condition. This helps the
doctor to change the course of therapy based on the patient’s current condition, and reduces response time. This way the
doctor need not wait for the patient to come to him/her for a checkup. However, active IMDs come with an expensive
caveat – security.
RReesseeaarrcchheerrss hhaavvee ddeemmoonnssttrraatteedd tthhaatt sseeccuurriittyy iiss hhiigghhllyy ccoommpprroommiisseedd iinn tthhee ccaassee ooff IIMMDDss.. AAnnyy hhaacckkeerr wwiitthh mmaalliicciioouuss iinntteenntt
can gain access to this device and cause great damage to the life of the person wearing the IMD. Hence, it is imperative that
security is inbuilt and that an ecosystem is created to protect human lives.
IInn tthhiiss wwhhiitteeppaappeerr,, tthhee ccoonntteexxtt iiss sseett wwiitthh tthhee ttyyppeess ooff ppootteennttiiaall sseeccuurriittyy aattttaacckkss aanndd gguuiiddaannccee ffrroomm vvaarriioouuss rreegguullaattoorryy
bodies. It then discusses the challenges and constraints in securing IMDs, followed by solutions that address security
threats. The whitepaper also covers factors, such as hackers’ challenges and the advantages that influence the threat
impact. As security for IMDs is a niche field, there is a lot of scope for innovation.
The role of active IMDs is critical in providing timely medical care whenever a patient needs it. It relays vital information to
physicians about the patient’s condition. This, in turn, allows doctors to take proactive action and thus help save lives.
An IMD’s primary interface with the external world is through a device called the IMD Programmer. This device is
responsible for gathering a patient’s medical information from the IMD and providing commands for therapy to the IMD.
With the introduction of Medical Implant Communication Services (MICS) in 1999, the FCC allocated the 402-405 MHz band
for this purpose. The latest range of IMDs also makes use of telemetry to beam long-range, high-bandwidth data across
remote locations.
© 2014, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.
Abstract
Market Trends
Why IMDs?
Artificial Cardiac Pacemakers, Implantable Cardioverter Defibrillators (ICDs), Neurostimulators and Insulin Pumps are some
of the popular active IMDs. Active IMDs equipped with a wireless interface helps in monitoring a patient’s condition
remotely while adjusting the therapy based on the patient’s condition at any given time. Using these wireless IMDs,
physicians can get real-time data on the patient’s condition and administer the therapy remotely. The major benefit for a
patient lies in effort, time and cost savings due to a reduction in planned or unplanned hospital visits.
How do IMDs work?
Problems in the current context
The benefits of wireless connectivity and remote monitoring come with associated security risks. The devices meant to
protect people’s lives, if compromised by hackers, can cause security breaches and severe damage to the patients. It can
even cause their death under certain circumstances. Some of the ways the security and efficacy of IMDs being breached are
listed below:

4. Security for Implantable Medical Devices (IMDs) | 4
Confidentiality:
A hacker can use custom equipment to mimic an IMD Programmer, interface with the IMD and access any patient’s
personal details and up-to-date health information. These details run the risk of being altered to disastrous effect,
and hence should be accessible only by authorized personnel.
Integrity:
A hacker can connect with the IMD and modify the health information stored in the device, raising false alarms or
making the physicians diagnose the situation wrongly. The hacker can also send prescriptive commands to the
device to disrupt and degrade the therapy.
Availability:
In the DOS (Denial of Service) form of attack, a hacker can keep sending queries to the device repeatedly in order to
drain the battery quickly, severely impacting/nullifying the device’s functioning. Typically, an IMD’s battery life spans
a few years. DOS attacks can drain the battery in a few hours.
There has been no reported attack on any medical device so far. However, several researchers have demonstrated in
separate instances, the possibilities of such attacks using commercially available IMDs.
Daniel Halperin, from the University of Washington, along with other researchers, published a paper in the IEEE
Symposium on Security and Privacy, in 2008. They established the possibilities of cyber attacks on IMDs with
pacemaker technology. They demonstrated cyber attack aspects such as breaching confidentiality (unauthorized
access to patient data) and integrity (wrong therapy settings).
At the Black Hat Conference in Las Vegas in 2011, security researcher Jerome Radcliffe, a diabetic himself,
demonstrated the vulnerability of the insulin pump by taking complete control of his own IMD, remotely. He could
command the pump to deliver insulin every three minutes or stop insulin delivery at will just from a distance of 100
feet.
At the Breakpoint conference in Melbourne in October 2012, Barnaby Jack of security vendor IOActive demonstrated
the ways in which IMDs could be compromised. He used a laptop 50 feet away from the patient to deliver a deadly,
830-volt shock. He said that there was also a possibility of infecting the vendor’s servers, which in turn could infect
the vendor’s implanted IMDs, and thus enable the opportunity to commit mass murder.
The U.S. Government Accountability Office (GAO) did a study to determine whether wireless IMDs are protected against
information security risks that could affect their safety and effectiveness. In its August 2012 report, the GAO recommended
that the Food and Drug Administration (FDA) develop and implement a plan expanding its focus on information security
risks.
As per FDA reports, there has been no real security attack. However, the FDA came up with a safety communication in June
2013. Cyber security is a focus area for the medical device industry as it concerns potential loss of human lives and sensitive
health information. As of today, it is still a nascent technology.
© 2014, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.

5. Challenges to make IMDs secure
There are several unique challenges / constraints in securing IMDs against cyber attacks. The scenario is different from
securing networks, servers and computers.
The major challenge in making IMDs secure is the resource constraint with regard to the processing power, battery, and
memory. The situation becomes more complex with the varying mix of security, privacy, efficacy and safety associated with
different types of IMDs. Any solution should take care of these constraints.
A typical solution attempting to prevent unauthorized access to an IMD may involve a complex encryption / decryption
algorithm. Typically, such algorithms require significant processing power. Similarly, if algorithms to detect iinnttrruussiioonnss rruunn
on the IMDs on a continual basis, the battery will drain quickly. Replacing the battery necessitates another surgery, which
involves money, effort, pain, and even a risk to life itself. Such algorithms can be executed on the IMD programmers.
However, the programmer itself may not have a powerful CPU.
TThhee sseeccoonndd cchhaalllleennggee iiss ttoo sseeccuurree aallrreeaaddyy iimmppllaanntteedd IIMMDDss.. SSeeccuurriittyy ccaann bbee ddeessiiggnneedd iinnttoo nneeww ddeevviicceess aass tteecchhnnoollooggiieess
evolve, even with the constraints stated above. However, over 4 million IMDs (pacemakers and CRM devices alone) have
already been implanted in patients’ bodies, worldwide. Another 700,000 devices are implanted every year [1]. As most of
these devices were designed several years ago, the required security features relevant in today’s context were not built in at
that time. There needs to be a solution to protect already implanted IMDs and the patients.
AAnnootthheerr uunniiqquuee cchhaalllleennggee iiss tthhaatt tthhee sseeccuurriittyy ffeeaattuurree bbuuiilltt aarroouunndd IIMMDDss,, sshhoouulldd hhaavvee tthhee aabbiilliittyy ttoo bbee ddiissaabblleedd bbyy pprreevviioouussllyy
unauthorized yet competent people such as doctors of a different hospital. Imagine a scenario where the patient is in a
critical situation, unable to communicate, and is admitted to a different hospital. The doctors there should be able to use
their IMD Programmers and communicate with the device. If the device prevents unauthorized access at that time, the
doctor cannot provide the necessary treatment, thus presenting a real danger to the patient. Security designers have to
take these kinds of emergency scenarios into account while designing a solution.
Published Solutions
Security for Implantable Medical Devices (IMDs) | 5
Several solutions have been reported in the literature. These solutions take into account the challenges and constraints
posed by IMDs. An external device is a part of many of these solutions. Such external devices can be worn by the patient or
kept near the IMD that it is protecting. The following solutions are covered in this section.
IMD Shield
H2H (Heart-to-Heart)
NFC Interface
Conducted Communication through Surface ECG Electrodes
In SIGCOMM ’11, researchers from MIT and the University of Massachusetts-Amherst presented an innovative solution [8],
which does not require any modifications to already implanted IMDs. They used commercially available IMDs and IMD
PPrrooggrraammmmeerrss ffoorr tthhee ssttuuddyy.. TThheeyy pprrooppoosseedd aann eexxtteerrnnaall ddeevviiccee ccaalllleedd tthhee ““IIMMDD SShhiieelldd”” tthhaatt aaccttss aass aa ggaatteewwaayy ffoorr tthhee IIMMDD.. IItt
can be worn by the patient, like a necklace, ensuring proximity to the device it would be protecting. Communication from
IMD to IMD Programmer and vice versa is handled by the shield. The IMD continues to operate the way it was originally
designed, and the shield is built with two antennas – one to receive and the other to jam. It receives the patient’s health info
from the IMD to forward to the IMD Programmer. It simultaneously jams signals from the IMD, thus
© 2014, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.
IMD Shield

6. Security for Implantable Medical Devices (IMDs) | 6
preventing an intruder device from accessing the patient’s medical
information. It jams signals coming from an intruder device, thereby corrupting
the info and preventing the IMD from responding to unauthorized commands.
Since the shield and IMD Programmer are external devices, their design can be
modified as the threat scenario evolves in the future.
Heart-to-Heart:
Secure
Communication
,MD Shield ProΑrammer
Figure 1: IMD Shield
Researchers at Rice University along with a team at RSA Securities have come up with a solution [9], called “Heart-to-Heart”
(H2H). This solution will address the challenge related to medical emergencies. It involves using the patient’s heartbeat as
the password. In this method, a special type of IMD Programmer authenticates itself with the IMD by touching the patient’s
body and taking the reading of the heartbeat. It also asks the IMD to take the reading of the heartbeat.
The IMD Programmer and IMD take independent, time-synchronous ECG
readings. The IMD compares the two results. If the results are nearly equal, it
grants access to the IMD Programmer. Since the readings are taken in
real-time, a hacker will not be able to replay and trick the IMD into getting the
access. This solution can be applicable only to new IMDs or to already
implanted IMDs that allow a wireless firmware upgrade.
NFC Interface:
,MD
ProΑrammer
,MD ProΑrammer
Figure 2: Heart - to - heart protocol
B Kim et al [10] have proposed the use of NFC interface (13.56 MHz frequency band) for all communications between the IMD
and the external world through a smart phone with NFC. They proposed a passive NFC tag that harvests energy from the
reader’s magnetic field. The major advantage of the NFC interface is its short communication range, limited to about 4-5 cm
in free space. They used pork as a substitute to emulate human-like tissue and found that the communication range was
reduced by 5-8 mm due to absorption, but still the range was over 4 cm. This ensures that a hacker cannot unleash the
attack from a distance of a few meters, which is possible with other interfaces such as MICS or Bluetooth. TThhee oonnllyy
disadvantage of the NFC based solution is that it will be available only in the new IMDs under development. Some vendors
have started making use of NFC technology for the interface between the IMD and the Programmer. IMDs with NFC are
expected to arrive in the market in a couple of years.
Conducted Communication through Surface ECG Electrodes:
In a remarkable breakthrough in pacemaking, the St. Jude Medical Nanostim Leadless Pacemaker can be implanted inside
the heart using a minimally invasive procedure, thereby eliminating the need for surgery [7]. In addition, there is no wireless
interface. The communication with the external world is by way of conducted communication through Surface ECG
Electrodes [7]. Electrodes will be placed on the chest of the patient and through ECG monitoring, the readings will be taken
and the settings will be adjusted, if required. This ensures that a hacker cannot attack remotely.
Leadless Pacemaker ,nside Heart
Figure 3: Leadless Pacemaker
© 2014, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.

7. Security for Implantable Medical Devices (IMDs) | 7
Threat Analysis
If there has been no real attack so far, it could be due to the challenges that hackers may be facing. The following factors
lead one to believe that the researchers’ concerns may be far-fetched and that the probability of threats may be low.
Proximity:
In typical non-IMD cyber attacks, a hacker can be far away from the victim, from the comfort of their workplace at the
time of their choice. In the case of an IMD attack, the hacker or the equipment they use to hack should be close to the
victim. This requires meticulous preparation, such as visiting the area and identifying the hiding place for the attack.
This limitation could act as a major deterrent, thereby reducing the number of hackers who will “invest” in this area.
Geographic Spread:
The usage of wireless IMDs is concentrated in a few developed countries. When compared to non-IMD cyber
attacks, the geographic spread of IMD attack is quite limited.
Ethical Aspect:
A typical non-IMD hacker derives pride, pleasure and money in hacking the victim’s email accounts or bank
accounts. While their acts are legally crimes, they may not consider themselves criminals. However, when it comes
to hacking IMDs, they know that they are playing with the victim’s life. Only those hackers with atrociously criminal
intent would be getting into this field, thereby limiting the IMD hacker population.
However, the following factors paint a different picture.
Advantage Hackers:
Any solution against cyber attacks has to go through the rigorous compliance testing mandated by regulatory bodies
such as the FDA. This results in delaying the deployment by around 5-7 years. Hackers do not have this limitation
and they can deploy newly found attacks immediately.
High Value Targets:
Due to the cost of an IMD, and surgery and maintenance expenses, the rich and famous are more likely to be
implanted, making them high-value targets. For instance, the doctors who replaced former U.S. Vice President Dick
Cheney's heart defibrillator in 2007 asked the manufacturer to disable the wireless feature, fearing that terrorists
might hack the device and try to kill him [11].
From these perspectives, it is imperative that IMDs are adequately secured.
Conclusion
With the growing usage and complexity of IMDs, there are associated vulnerabilities that compromise the confidentiality,
integrity, and availability aspects of these gadgets. The FDA has recognized the issue. Vendors have started taking care of
security issues in their new implementations.
In this paper, the various possible types of attack and their impact on the patient’s life have been presented. The unique
challenges in securing IMDs due to their inherent nature and the usage scenarios have also been explained. Though there
have been no reported vulnerabilities, regulatory bodies have taken note of the possibilities and started working with
manufacturers and security experts to strengthen cyber security in IMDs. A few solutions taking care ooff CCIIAA aassppeeccttss
published in the literature have been presented. In addition, the challenges and advantages from the hackers’ point of view
have been presented.
© 2014, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.

8. Security for Implantable Medical Devices (IMDs) | 8
Conducted communication and NFC interface based devices are likely to be the earliest solutions that will be available to
patients in the near future. All other solutions are in the conceptual stage with the researchers still in discussion with
vendors to implement the solution in upcoming devices.
Cyber security for IMDs is a nascent technology where a lot needs to be done before the potential threats become real. It is
hoped that the reader finds this ecosystem overview helpful.
References
St. Jude Medical Announces Acquisition and CE Mark Approval of World's First Leadless Pacemaker, October 14, 2013
http://investors.sjm.com/phoenix.zhtml?c=73836&p=irol-newsArticle_Print&ID=1863989
Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses by Kevin Fu et al.
http://scholarworks.umass.edu/cgi/viewcontent.cgi?article=1067&context=cs_faculty_pubs
Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System by Jerome Radcliffe, presented at Black Hat Technical Security
Conference: USA 2011. http://cs.uno.edu/~dbilar/BH-US-2011/materials/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf
"Broken Hearts": How plausible was the Homeland pacemaker hack? bbyy BBaarrnnaabbyy JJaacckk..
http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html
FDA Should Expand Its Consideration of Information Security for Certain Types of Devices, GAO, August 2012.
http://www.gao.gov/assets/650/647767.pdf
FDA Safety Communication: Cyber security for Medical Devices and Hospital Networks, June 13, 2013
http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm
Leadless cardiac pacemaker with conducted communication,
hhttttpp::////wwwwww..ggooooggllee..ccoomm//ppaatteennttss//WWOO22001133005588995588AA11
They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices, presented at SIGCOMM ’11 by Shyamnath et al.
http://groups.csail.mit.edu/netmit/IMDShield/paper.pdf
Heart-to-Heart (H2H): Authentication for Implanted Medical Devices, by Masoud Rostami et al, to be presented at CCS’13, November 4–8, 2013, Berlin, Germany
http://www.aceslab.org/sites/default/files/H2H.pdf
In-Vivo NFC: Remote Monitoring of Implanted Medical Devices with Improved Privacy, by Kim B et al, SenSys ’12, November 6-9, 2012, Toronto, Canada
http://dl.acm.org/citation.cfm?id=2426691&dl=ACM&coll=DL&CFID=376029119&CFTOKEN=76995657
CChheenneeyy''ss ddeefifibbrriillllaattoorr wwaass mmooddiififieedd ttoo pprreevveenntt hhaacckkiinngg,, bbyy DDaannaa FFoorrdd,, CCNNNN,, OOccttoobbeerr 2244,, 22001133
http://www.cnn.com/2013/10/20/us/dick-cheney-gupta-interview/
Author Info
Ashok Kumar V
HCL Engineering and R&D Services
Designed By: Mayuri Infomedia
This whitepaper is published by HCL Engineering and R&D Services.
The views and opinions in this article are for informational purposes only and should not be considered as a substitute for professional business advice. The use herein of any
trademarks is not an assertion of ownership of such trademarks by HCL nor intended to imply any association between HCL and lawful owners of such trademarks.
For more information about HCL Engineering and R&D Services,
Please visit http://www.hcltech.com/engineering-rd-services
Copyright@ HCL Technologies
AAllll rriigghhttss rreesseerrvveedd..