07-05-2014, 04:43 PM
Securing Wireless Implantable Devices for Healthcare: Ideas and Challenges
[attachment=63001]
ABSTRACT
Implantable devices hold great potential for
pervasive healthcare, enabling the identification,
monitoring, and treatment of patients regardless
of their location. To realize this goal, these
devices must be able to communicate wirelessly
with external devices. However, wireless commu-
nication presents many vulnerabilities: an attack-
er can eavesdrop on transmitted information,
use implanted devices to track patients, or spoof
an implanted device. An attacker even has the
potential to cause direct physical harm to a
patient, either by forcibly removing an implanted
device from the patient or by maliciously send-
ing commands that affect the operation of an
implanted device. Addressing these security
threats is crucial for implantable devices due to
their permanent nature, but it is difficult because
of the severe resource constraints facing such
devices. This article details the threats that face
wireless implantable devices, surveys the work
addressing these threats, and identifies open
issues for future research.
INTRODUCTION
Although the term implantable device may evoke
futuristic images of part-human, part-machine
cyborgs, such devices have been used for some
time, especially in healthcare. For instance,
implantable pacemakers for regulating heart rate
were invented in the late 1950s. As technological
innovations make implantable devices smaller,
safer, and longer-lasting, researchers are devel-
oping more applications using these devices to
achieve the vision of pervasive healthcare. These
applications include patient identification, con-
tinuous monitoring of patients, and automatic
delivery of medications. Implantable devices can
potentially outperform their non-implantable
counterparts. An implantable insulin pump, for
instance, can be placed close to the location of a
normal pancreas, enabling more effective absorp-
tion of insulin than traditional injections.
IIDS
IIDs serve strictly to provide identifying informa-
tion about a person. Thus far, the IIDs we are
aware of are implantable, radio-frequency identi-
fication (RFID) tags. Such a tag is generally very
small (comparable in size to a grain of rice),
with no power source of its own. When scanned
by an external reader, the tag uses the energy in
the reader’s signal to emit a unique identifier
wirelessly.
The most well-known IID is VeriChip Corp.’s
RFID tag (Fig. 2), which was approved for
human implantation by the U.S. Food and Drug
Administration in 2004. The VeriChip is usually
implanted in the upper arm. Authorized medical
professionals can use the serial number emitted
by a VeriChip to access a person’s medical infor-
mation in a database called VeriMed. This
makes it possible to quickly retrieve vital infor-
mation even if the patient is unresponsive or
unconscious, for example, in a medical emergen-
cy. According to the company Web site, “thou-
sands” of people have had this chip implanted.
COUNTERMEASURES
Although security issues regarding IIDs such as
the VeriChip have been mentioned widely in the
literature, few countermeasures have been pro-
posed specifically for IIDs. However, extensive
research has been performed for securing gener-
al RFID devices. Here we outline some pro-
posed solutions that are applicable to IIDs and
identify which of the above threats they address.
The most straightforward way of discouraging
harvesting is to limit the amount of information
contained in the IID. VeriChip seems to have
adopted this approach; the IID simply contains a
serial number without any personal information
such as medical history. To gain such informa-
tion, the attacker must also have access to the
VeriMed database. If the database is sufficiently
secure, no patient information is at risk of being
compromised. However, this approach alone
does not prevent other attacks such as cloning or
tracking.
Data Access Control
The schemes present-
ed above address the mechanics of symmetric
key management. Once the encryption mecha-
nisms are established, the main concern becomes
not how the data is encrypted, but rather who
should have access to it. One issue is how an
IMD can authenticate an external device to
ensure that it is valid. To do this, many of the
same mechanisms outlined for IIDs could be
used (e.g., using shared secrets); we do not reit-
erate them here.
CONCLUSION
Implantable medical devices will play a major
role in pervasive healthcare, enabling applica-
tions ranging from patient identification to
remote administration of drug treatments. Con-
siderable work has been done to date to counter
the security threats in implantable devices. For
IIDs, the threats of harvesting, tracking, and
cloning have been addressed by numerous tech-
niques that restrict or vary the information emit-
ted by the device. For IMDs, the problem of
keeping patient data private has been
approached by using symmetric encryption with
various key-management schemes, in addition to
variants of role-based access control. Meanwhile,
falsification of patient data has been addressed
by schemes that use patient biometric data for
authentication.
[attachment=63001]
ABSTRACT
Implantable devices hold great potential for
pervasive healthcare, enabling the identification,
monitoring, and treatment of patients regardless
of their location. To realize this goal, these
devices must be able to communicate wirelessly
with external devices. However, wireless commu-
nication presents many vulnerabilities: an attack-
er can eavesdrop on transmitted information,
use implanted devices to track patients, or spoof
an implanted device. An attacker even has the
potential to cause direct physical harm to a
patient, either by forcibly removing an implanted
device from the patient or by maliciously send-
ing commands that affect the operation of an
implanted device. Addressing these security
threats is crucial for implantable devices due to
their permanent nature, but it is difficult because
of the severe resource constraints facing such
devices. This article details the threats that face
wireless implantable devices, surveys the work
addressing these threats, and identifies open
issues for future research.
INTRODUCTION
Although the term implantable device may evoke
futuristic images of part-human, part-machine
cyborgs, such devices have been used for some
time, especially in healthcare. For instance,
implantable pacemakers for regulating heart rate
were invented in the late 1950s. As technological
innovations make implantable devices smaller,
safer, and longer-lasting, researchers are devel-
oping more applications using these devices to
achieve the vision of pervasive healthcare. These
applications include patient identification, con-
tinuous monitoring of patients, and automatic
delivery of medications. Implantable devices can
potentially outperform their non-implantable
counterparts. An implantable insulin pump, for
instance, can be placed close to the location of a
normal pancreas, enabling more effective absorp-
tion of insulin than traditional injections.
IIDS
IIDs serve strictly to provide identifying informa-
tion about a person. Thus far, the IIDs we are
aware of are implantable, radio-frequency identi-
fication (RFID) tags. Such a tag is generally very
small (comparable in size to a grain of rice),
with no power source of its own. When scanned
by an external reader, the tag uses the energy in
the reader’s signal to emit a unique identifier
wirelessly.
The most well-known IID is VeriChip Corp.’s
RFID tag (Fig. 2), which was approved for
human implantation by the U.S. Food and Drug
Administration in 2004. The VeriChip is usually
implanted in the upper arm. Authorized medical
professionals can use the serial number emitted
by a VeriChip to access a person’s medical infor-
mation in a database called VeriMed. This
makes it possible to quickly retrieve vital infor-
mation even if the patient is unresponsive or
unconscious, for example, in a medical emergen-
cy. According to the company Web site, “thou-
sands” of people have had this chip implanted.
COUNTERMEASURES
Although security issues regarding IIDs such as
the VeriChip have been mentioned widely in the
literature, few countermeasures have been pro-
posed specifically for IIDs. However, extensive
research has been performed for securing gener-
al RFID devices. Here we outline some pro-
posed solutions that are applicable to IIDs and
identify which of the above threats they address.
The most straightforward way of discouraging
harvesting is to limit the amount of information
contained in the IID. VeriChip seems to have
adopted this approach; the IID simply contains a
serial number without any personal information
such as medical history. To gain such informa-
tion, the attacker must also have access to the
VeriMed database. If the database is sufficiently
secure, no patient information is at risk of being
compromised. However, this approach alone
does not prevent other attacks such as cloning or
tracking.
Data Access Control
The schemes present-
ed above address the mechanics of symmetric
key management. Once the encryption mecha-
nisms are established, the main concern becomes
not how the data is encrypted, but rather who
should have access to it. One issue is how an
IMD can authenticate an external device to
ensure that it is valid. To do this, many of the
same mechanisms outlined for IIDs could be
used (e.g., using shared secrets); we do not reit-
erate them here.
CONCLUSION
Implantable medical devices will play a major
role in pervasive healthcare, enabling applica-
tions ranging from patient identification to
remote administration of drug treatments. Con-
siderable work has been done to date to counter
the security threats in implantable devices. For
IIDs, the threats of harvesting, tracking, and
cloning have been addressed by numerous tech-
niques that restrict or vary the information emit-
ted by the device. For IMDs, the problem of
keeping patient data private has been
approached by using symmetric encryption with
various key-management schemes, in addition to
variants of role-based access control. Meanwhile,
falsification of patient data has been addressed
by schemes that use patient biometric data for
authentication.