Who’s Watching Who?

20 October 2010 (Last Updated October 20th, 2010 18:30)

Implantable medical devices are being used with increasing frequency, but do we take their security for granted? Dr Mark Gasson reviews the potential security flaws and the dangers they pose to patients.

Who’s Watching Who?

Implanting computing technologies into the human body is still a largely unrecognised discipline, yet hundreds of thousands of people are given cardiac pacemakers each year. Other medical devices, such as deep brain stimulators, also form intimate connections with the body.

With developments in computational, storage and communication capabilities, these types of implants are becoming increasingly complex, which creates a tension between the core therapeutic functionality and secondary factors such as security and privacy. 

As a result of advances in medicine and public health, increasing life expectancy in developed countries has given rise to an ageing population susceptible to more years of ill health in later life. This is reflected in the increasing prevalence of implantable devices being used in geriatric care. In addition, new therapies incorporating implantable technologies are being developed at an unprecedented rate to treat a range of disorders.

Low-frequency inductive coupling with a range of a few centimetres and a low-data bandwidth has been a key element in the deployment of the technology, allowing easy post-operative device configuration to modify therapies and the relaying of diagnostically-relevant data logged by the device.

More modern devices have begun to adopt the Medical Implant Communications Service standard, achieving a greatly-improved data bandwidth and communication range of up to five metres while consuming little power. This has opened up possibilities for at-home monitors that store data collected from implanted devices in a centralised repository, which medical professionals can access remotely.

"ICT implants, due to their network capability, could be misused for all kinds of social surveillance or manipulation."

Some concerns over this type of innovation have arisen because it is unclear how the potential information overload should be handled by healthcare providers. While logged data from implanted devices could provide indicators of changes in a patient's health, the burden of analysing this information and the liability issues surrounding its lack of use are under discussion. Interestingly, the potential risks of these developments for end-users of the device are discussed less often.

Historically, most implanted devices have been isolated from networks, communicate over small ranges or do not interoperate. This is changing, creating privacy and security risks related to the potential for intentional malicious misuse of implantable medical devices by unauthorised personnel.

The European Commission has agreed that aspects beyond the immediate function of implantable devices need consideration. The European Group on Ethics in Science and New Technologies presented an opinion in March 2005 (to be updated in 2010) that considered a range of information and communications technology (ICT) implants, from cardiac pacemakers and brain stimulators to subcutaneous radio-frequency identification devices (RFID). It stated:

"Although particular ICT implants may be used to repair deficient bodily capabilities, others are ethically more problematic, particularly if such devices are accessible via digital networks. ICT implants, due to their network capability, could be misused in several ways for all kinds of social surveillance or manipulation."

Privacy risks of implants

Many of the privacy risks are related to the communication between the implanted medical device and external world. They include:

  • unauthorisedscanning of people to detect the presence and type of medical implant
  • unauthorisedreading of a device ID number, which could be used to track a person'smovements
  • unauthorisedreading of a patient's personal data, which is often saved in the device'smemory
  • unauthorisedreading of medical data collected by the device, which gives an insightinto the state of a patient's health.

There are also several risks related to device security, including:

  • maliciousmodification of firmware or data stored in a device's memory
  • maliciousmodification of the device's configuration parameters
  • stoppingthe device from operating, either by sending an instruction code to haltthe device or by a denial-of-service attack
  • triggeringa device to act in a way that could threaten a patient's health, forexample, instigating defibrillation.

There is a clear tension between security and accessibility of implanted medical devices which needs careful consideration. In emergency situations, the communication with the device should be easy and free of limitations, but requirements for privacy and security cannot be disregarded. The possibility of unauthorised access to and manipulation of the device has serious implications, so a compromise between security measures and accessibility is needed.

Recently, academics studied a commercially-available cardiac pacemaker and found that someone could "violate the privacy of patient information and medical telemetry" and "turn off or modify therapy settings". However, at this stage the risk to patients is low, so it should not deter them from receiving these life-saving devices.

"A denial of service attack or malicious modification to an implanted device constitutes an infringement on the right to bodily integrity."

In the context of restorative medical devices, such as pacemakers, the discussion on security and privacy issues is relatively new. However, in October 2004, the first implantable identification tag for human use – the VeriChip, designed as a kind of 21st century medic alert bracelet – obtained approval from the US Food and Drug Administration (FDA) and raised similar questions in the context of privacy.

The VeriChip implant, essentially an RFID tag similar to those used in animals, stores a unique identification number and can be read from a distance of up to approximately 15cm.

The ID number is long enough for devices to uniquely identify everybody in the world. Other information related to the owner is not stored on the implant, but in a centralised database. However, an authorised user can access this through a password-protected website, using the patient's implant ID number.

One concern is that the device will respond to any reader that interrogates it and that the simplicity of the core technology significantly limits the ways in which this issue can be mitigated.

This is not necessarily the case with more complex implantable devices. The Medical Device Security Centre, a cross-disciplinary academic partnership based in the US, highlights a variety of basic means of protection against unauthorised access, striking a balance between the need for security and privacy, and the fundamental usage of the devices. These include:

  • accesscontrol, authorising specific people or entities to perform specifiedoperations on the device; the device must be context-aware and able toautomatically disable access control in an emergency situation
  • requirementof authorisation via a secondary channel, for example by using nearbyfield communication to initialise the data transmission
  • a setof measures against denial-of-service attack, protecting against memoryoverflow, the draining of battery power and the blocking of communicationsin particular notification to the patient when the device exchanges datawith an external reader through a secondary channel; this could be throughvibration, for example using an intermediate device for communication,which could be embedded in a smart phone, watch or belt
  • short-rangecommunication between the implanted device and the intermediate devicecould use light-weight encryption and authentication to preserve power,while strong security could be applied for the exchange of data betweenintermediate device and external devices.

Bodily harm from implanted devices

It is also necessary to consider the broader issues. As functions of the body are restored or further enhanced by implanted devices, the boundaries of what constitutes ‘the body' are becoming increasingly unclear. Recipients of RFIDs echo the sentiments of many cochlear implant and pacemaker users, who tend to incorporate the technology into what they understand and perceive to be their body over time.

"One concern is that the device will respond to any reader that interrogates it and that the simplicity of the core technology limits the ways in which this can be mitigated."

With prosthetics, this effect is desired and seems to readily occur; what the user understands to be their body includes the technological enhancement. In essence, the boundaries between humans and machines simply become theoretical. This development in the traditional notion of what constitutes the body and its boundaries leads to notable repercussions and impacts on certain rights such as that of bodily integrity.

Bodily integrity constitutes a right to do with one's body whatever one wants and it implies the right to prevent one's body from being harmed by others. In this context, a denial of service attack or malicious modification to an implanted device constitutes an infringement on the right to bodily integrity.

In April 2010, researchers at the University of Reading, UK, explored this issue using advanced RFID implants capable of storing data and performing simple computations.

They used a device implanted in the hand for gaining access to a building and having exclusive access to a mobile phone. The implant also stored profile data about the person which could be read and modified by the building's systems.

After being implanted in the hand for more than a year, a vulnerability in the technology was deliberately exploited to allow an engineered computer virus to propagate via the implant. In the context of bodily integrity, it becomes possible in this case to talk in terms of a human – albeit a technologically-enhanced one – becoming infected by a computer virus, not the implant, thereby constituting a form of abuse. While no medical devices have been successfully attacked in this way to date, this raises very interesting and complex issues about the security of implantable devices.

Implications of implanted devices

The use of RFID implants by individuals with no medical need points to the possibilities of new markets. Academic researchers envisage a future where medical technology becomes redeployed for application in healthy people. Since people undergo invasive surgery for cosmetic reasons, it cannot be assumed they will not do the same to have an implant if it is of benefit to them.

Whether such applications are found and become commonplace or not, a number of wider moral, ethical and legal issues stem from applications of implantable technologies. Security and privacy through obscurity may work in the very short term, but other mechanisms need to be implemented.