A Review of Security Challenges, Attacks and
Resolutions for Wireless Medical Devices
Heena Rathore∗, Amr Mohamed∗, Abdulla Al-Ali∗, Xiaojiang Du†, Mohsen Guizani‡
∗Dept. of Computer Science and Engineering Department, Qatar University, 2713, Doha, Qatar
†Dept. of Computer and Information Sciences, Temple University, Philadelphia, PA, USA
‡Dept. of Electrical and Computer Engineering, University of Idaho, Moscow, Idaho, USA
Email:∗{heena.rathore,amrm,abdulla.alali}@qu.edu.qa, †xjdu@temple.edu, ‡mguizani@gmail.com
Abstract—The evolution of implantable medical devices for human beings has provided a radical new way of treating chronic conditions such as diabetes, cardiac arrhythmia, and cochlear and gastric diseases. Implantable medical devices have provided a breakthrough in network transformation by enabling access to the technology on demand. However, as these devices have advanced in wireless communication and in the ability of an outside caregiver to communicate with them wirelessly, their potential to impact the security and breach the privacy of human beings has increased. Wireless medical devices face several threats, such as information harvesting, tracking the patient, impersonation, relaying attacks and denial of service attacks. These threats violate the confidentiality, integrity and availability properties of these devices. Diverse solutions have been proposed for securing implantable medical devices, ranging from machine learning techniques to hardware technologies. The present survey paper focuses on the challenges, threats and solutions pertaining to the privacy and safety issues of medical devices.
Keywords: Security, privacy, wireless medical device.
I. INTRODUCTION
Recently, with the advent of the internet of things, the automation, management and monitoring of devices have become painless and simple. Intelligent health care has gained importance in the recent past since it allows continuous monitoring of patients away from hospitals and doctors. Every year, many doctors and patients improve personal satisfaction through surgical procedures that involve embedded medical devices. These medical devices are now a pervasive part of cutting-edge medical care. The therapeutic improvement that Implantable Medical Devices (IMDs) have brought is a powerful change in the quality of life of the patient. Moreover, with today's expanded life expectancy, the requirement for new medicines, implants, and long-term pharmaceutical use has increased manifold. These devices have extended the capacity of doctors to analyse and treat diseases away from the patients, making extraordinary contributions to well-being and providing personal satisfaction to patients.
IMDs are placed inside the human body to analyse, monitor and respond to various medical conditions. These devices range from neuro-stimulators for brain stimulation, gastric stimulators for the stomach, cardiac defibrillators for the heart, cochlear implants for hearing and drug delivery systems such as insulin for diabetic patients, to artificial eye lenses for cataracts [3]. The United States remains the biggest market for medical devices, with a market size of around $148 billion, and medical device sales are anticipated to reach $185.9 billion by the year 2019 [1].
Fig. 1: Threat Model: Adversary can either disrupt the system or
hinder wireless communication
IMDs are designed to communicate wirelessly with the outside caregiver so that the patient's data can be accessed remotely. However, the information contained in the devices can be openly accessed by an adversary through internal and communication means, endangering the health of the patients [4], [5]. As seen in Figure 1, an adversary can attack the system components or the wireless channel between the patient wearing the IMD and the caregiver. Researchers have developed various solutions for securing medical devices, ranging from shared key authentication to wearable gadgets that handle encryption and access approval. Practically all such schemes require standardization to make wide adoption possible, yet no standardization body exists so far. It is also mandatory to have privacy-preserving capabilities in medical devices, since these devices contain sensitive medical information of patients. Moreover, in emergency situations, techniques are required that can assist the doctor or unauthenticated caregivers to ease, secure and quicken the medical process for the well-being of patients. The objective of the paper is to present a review of various attacks on IMDs and the strategies used to overcome them. The diverse solutions available for securing IMDs reflect how profoundly different fields can be utilized to resolve security issues in IMDs.
The remainder of the paper is organized as follows: Section II entails the motivation for the current topic. Section III presents the constraints that are faced in using IMDs. Security requirements for these devices are presented in Section IV. Section V and VI detail the types of attacks on these devices followed by the diverse set of solutions implemented in these devices to secure them. Section VII concludes the paper.
978-1-5090-4372-9/17/$31.00 ©2017 IEEE
II. MOTIVATION
Technology innovation in health care has added new services that address the limitations of providing one-to-one healthcare through clinical and hospital doctors. By connecting a defibrillator or insulin pump to a wireless network, specialists can monitor basic personal and physiological information about their patients remotely and in real time. While this is advantageous as far as observing an individual's health is concerned, it can turn these life-saving devices into life-taking ones if their functionality is disrupted, threatening the life of many patients, which calls for strictly protecting these devices. On the other hand, in emergency situations, these medical devices should be sufficiently open that any suitable medical expert can recover the data. However, the same openness leaves the device and the patient more susceptible to an outside attacker. In the late 90's, the Therac-25 accident, caused by a manufacturing or software error, reported six deaths in a row [6]. The first failure with a cardiac defibrillator happened when a 21-year-old died due to short circuiting [7]. Moreover, attacks have also been reported on insulin pumps, such as eavesdropping on wireless communication or controlling other medical devices to modify the intended treatment [17]. Similarly, gastric stimulators, if fed defective electrical signals by an adversary, give significantly fewer symptoms for gastric emptiness, making the device functionality counterproductive. Thus, IMDs should ensure security, since the patient's life is firmly bound to the working of IMDs. A more holistic approach, which can not only detect but also respond to and recover from the threat, is needed. There is a need to balance the needs of patients and doctors while dealing with the advantages and downsides of this upcoming technology. The present paper presents a survey of IMD security challenges, attacks and resolutions. Although a diverse set of solutions has been proposed for IMD security, there are internal level and communication level issues, as discussed in the next section.
III. CONSTRAINTS ON IMPLANTABLE MEDICAL DEVICES
IMDs have, on one hand, provided a radical new way of communication between patients and doctors, while on the other hand they face diverse constraints in providing communication and monitoring services. The constraints on IMDs can be categorised under two levels, viz. internal and communication:
• Internal Level Constraints: During the initial setup of an IMD inside the body, utmost care is required to make the IMD settle inside the system. These devices should not only be small in size but should also be efficient in their operation. Cases have been reported where IMDs were rejected, which in turn caused inflammation and pain in the body. Also, an IMD is built with a non-rechargeable battery, which can last up to 10 years. Security protocols such as cryptographic solutions, machine learning approaches and hashing require enormous processing, which drains the battery quickly. Moreover, if the battery is exhausted, the whole IMD needs to be replaced, which has its own disadvantages. IMDs may likewise wish to keep audit records of all exchanges with outside devices or of internal processing. These exchange logs could flood the device's locally available memory, especially under a Denial of Service (DoS) attack or when an intruder deliberately tries to exhaust device memory.
• Communication Level Constraints: Communication transmissions cause an enormous amount of radiation and power consumption, which in turn is injurious to the health of the patients. Moreover, many techniques addressing communication security rely on the fact that the wireless channel of the legitimate user is stronger and in many cases not as faded as that of the illegitimate user [22], [24]. However, for IMDs, the wireless channel is intrinsically faded by the patient's body and by the use of low transmission power to maximize the device's lifetime. Therefore, traditional security techniques do not work efficiently.
IV. SECURITY REQUIREMENTS FOR IMPLANTABLE MEDICAL DEVICES
The security services in an IMD aim to protect the information of the patient and also the resources of the device. IMDs should aim at the following properties [11]:
• Confidentiality: IMDs should conceal information sent to and from IMDs from illegitimate users.
• Integrity: The data being processed and sent to and from IMDs should be encrypted or should have a stronger authentication mechanism that preserves the data from being altered or corrupted by illegitimate personnel.
• Availability: The main objective of installing an IMD inside the body is to give the doctor regular and remote access to the patient. The doctor and the patient should be able to access and perform operations on the device as and when required.
• Access control: IMDs should be able to deny permission to any unauthorised user.
• Authentication: Only approved users ought to be permitted to adjust an IMD. Doctors or device makers ought to place limits on the settings accessible to patients to keep them from inadvertently or deliberately causing harm.
• Authorization: It is the act of granting access rights to the user, which can range from personal authorization to role based and IMD selection [12].
• Accountability: It is the property of being explainable and justifiable. IMDs keep audit logs to track potential breakdowns on the device.
• Freshness: Operations being performed should be fresh and non-redundant. While exchange logs are maintained, and under adverse DoS attack conditions, an intruder can deliberately try to exhaust device memory by sending similar operations.
• Robustness: The devices should be capable of handling situations such as emergency circumstances or any other abnormal situation.
Consequently, while designing a security management system for the medical device, all the above security properties should be attained for a concrete solution.
V. ATTACKS IN IMDS
Cyber-attacks on IMDs are a genuine and growing risk. These attacks can aim at obstructing the secrecy and validation of the information by tampering with service integrity, or they can modify and exhaust network accessibility. Moreover, the outcomes of the attacks can be deadly, as these sudden changes can affect the life of the patient. The intent of the attacks is to learn the patient's data in order to affect the patient's health, or to degrade the quality of the device with negative intent on the part of a competing manufacturer. The vulnerabilities exploited by the attacks include unsecured wireless channels, deficient verification or authentication mechanisms, weak audit mechanisms and negligible memory capacity. This section gives the details of the types of attacks seen in IMDs. Broadly, we can classify the attacks on IMDs into two groups, viz. internal attacks and communication attacks, as shown in Figure 2.
Fig. 2: Attacks in Implantable Medical Devices
A. Internal Attacks
Internal attacks are introduced during medical device deployment and while understanding real world parameters. Here, malevolent attackers have the ability to hack pacemakers and insulin pumps to shut down hospital systems and steal patients' data. A malevolent manufacturer employee, patient, physician or hospital administrator can get hold of the internal system of an IMD and introduce attacks such as calibration failure, battery failure, hardware/connection failure, modification of dosage/data, or malware:
• Calibration attacks focus on altering the collected data to mislead the diagnostic process of a medical patient [16].
• Battery failure attacks happen when the processor and the radio utilized as part of processing consume a great deal of energy while sending, handling and accepting information. Malevolent attackers can make the device's memory deficient by introducing processing tasks in the device in order to make the device counterproductive.
• An attacker can alter the device's software program to carry out harmful actions or to add viruses to the device. For instance, the attacker can intentionally overdose the insulin amount by either a single shot or a chronic shot in the case of diabetic patients, as described in [17].
• Moreover, there are hardware/connection failures, which can be caused by factors such as natural disasters, malicious and negligent third parties, or legitimate actions of third parties whose business interests conflict.
B. Communication Attacks
The communication channel between the IMD and the caregiver gives unauthorised people a way to access the medical device. The sensitivity of the data being transmitted, the use of unencrypted wireless channels, and inadequate authentication and access control mechanisms give rise to communication attacks. Communication attacks can allow the attackers either to capture the medical device in order to trap and tunnel the data to some other device, or to deplete the resources of the device. The communication channel can be unencrypted and is susceptible to eavesdropping [18], replay [19] and injection attacks [20]. Moreover, a resource depletion attack tries to deplete the resources of medical devices by exhausting the battery with requests for power-consuming tasks, such as DoS or forced authentication attacks.
A malicious entity can eavesdrop on the communication between the devices and the caregiver [18]. This listening can permit an attacker to learn about the devices associated with the patient, the capabilities of the device, the commands and settings given to the device, and patient health data. From this data, an attacker can infer detailed information about the present status of the patient's ailments and track the patient. Also, a Man-In-The-Middle (MITM) attack occurs when an external intruder inserts itself between the device and the caregiver, passing information between them and making them believe that they are transmitting information to each other. The external intruder disables the communication between the two entities by allowing the information from the medical device to pass into it. This permits the intruder to access patient information in an unauthorised way and learn the status of the patient's health. The external intruder can further expand this attack by launching a DoS attack. For instance, the intruder between the IMD and the caregiver can simply discard the patient's information, prompting the device to persistently send repeated transmissions. Replaying an old message exchanged between the device and the caregiver can trick the recipient into trusting the authenticity of the attacker. Once the association is set up, the attacker can have unauthorised access to the patient information and thereby corrupt it.
VI. SECURITY SOLUTIONS FOR WIRELESS MEDICAL DEVICES
IMDs have a diverse set of vulnerabilities that make them prone to undependable software, limited battery life or hardware dysfunction. These vulnerabilities affect the safety and well-being of the patients who use them. Efforts to mitigate data security risks should be balanced against their impact on device performance, including constrained battery life. A set of security solutions proposed for wireless medical devices is described in this section.
A. Access Control Mechanisms
1) Biometric Approaches: Biometric authentication relies on measurable physiological and individual characteristics that can be verified. These approaches are genuine since they take into account behavioural and biological characteristics to verify and identify individuals. The process compares and searches for the characteristics against a number of samples stored within the system. Screening, scanning, feature extraction and association are some of the specific tasks used in such approaches. In order to prevent unauthorised access to IMDs, a biometric based two level secure access control was proposed in [21]. Initially, it employs the patient's basic information, i.e. type of fingerprint, iris color and height, followed by obtaining the iris images. The reference image (i.e. the clearest image) is chosen among the images captured and is then converted to an iris code. Thereafter, a discriminative bit set is acquired from multiple iris codes for each iris. For the verification of the iris, Hamming distance is used. The process is effective and employs lightweight computation with little overhead to the device. However, storing the biometrics in the system is similar to deploying any master key in the system. The work presented in [23] uses ECG signals to authenticate the IMD and the caregiver. It is based on the assumption that the IMD user and the caregiver are near to each other. Both parties extract the least significant four bits from a consecutive set of intra pulse timing intervals present in the ECG signals. Later, it uses the Neyman-Pearson hypothesis testing algorithm for calculating the error distribution for authorizing near and low error genuine users. The approach is able to protect against MITM attacks, since the IMD reveals the data only after authenticating the caregiver. However, the scheme consumes a lot of battery when the authentication fails, since the IMD waits for an extra cycle until it receives a genuine authentication.
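The two-level check attributed to [21] above can be sketched as follows. This is an added example, not code from the paper or from [21]: the 32-bit iris codes are constructed sample data, and the height tolerance, the Hamming threshold and the rule "a bit is discriminative if it agrees across all enrolment samples" are assumptions made for illustration.

```python
"""Added example: two-level biometric check with iris-code Hamming distance."""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed values, not taken from [21]:
HEIGHT_TOLERANCE_CM = 2     # allowed height measurement error at level 1
HAMMING_THRESHOLD = 0.25    # maximum fraction of differing bits at level 2


@dataclass
class BasicInfo:
    fingerprint_type: str   # e.g. "loop", "whorl", "arch"
    iris_color: str
    height_cm: int


@dataclass
class Enrolment:
    info: BasicInfo
    positions: List[int]    # indexes of the discriminative (stable) bits
    template: List[int]     # enrolled value of each of those bits


def flip(code: List[int], idxs: Iterable[int]) -> List[int]:
    """Return a copy of code with the bits at idxs inverted (models noise)."""
    idxs = set(idxs)
    return [b ^ 1 if i in idxs else b for i, b in enumerate(code)]


def enrol(info: BasicInfo, samples: List[List[int]]) -> Enrolment:
    """Keep only the bits that agree across every enrolment iris code."""
    if len(samples) < 2 or len({len(s) for s in samples}) != 1:
        raise ValueError("need two or more iris codes of equal length")
    first = samples[0]
    positions = [i for i in range(len(first))
                 if all(s[i] == first[i] for s in samples)]
    if not positions:
        raise ValueError("no stable bits found")
    # The stored template is as sensitive as a master key (the text's caveat).
    return Enrolment(info, positions, [first[i] for i in positions])


def hamming_fraction(probe: List[int], rec: Enrolment) -> float:
    """Fraction of discriminative bits on which probe differs from template."""
    if len(probe) <= max(rec.positions):
        raise ValueError("probe iris code is too short")
    diff = sum(probe[i] != t for i, t in zip(rec.positions, rec.template))
    return diff / len(rec.positions)


def level1_ok(claim: BasicInfo, rec: Enrolment) -> bool:
    """Level 1: cheap comparison of the patient's basic information."""
    return (claim.fingerprint_type == rec.info.fingerprint_type
            and claim.iris_color == rec.info.iris_color
            and abs(claim.height_cm - rec.info.height_cm) <= HEIGHT_TOLERANCE_CM)


def grant_access(claim: BasicInfo, probe: List[int], rec: Enrolment) -> bool:
    """Level 2 (iris) is evaluated only if level 1 passes."""
    return level1_ok(claim, rec) and hamming_fraction(probe, rec) <= HAMMING_THRESHOLD


# Constructed sample data: one 32-bit "iris code" plus noisy re-captures.
BASE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1,
        0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0]
SAMPLES = [BASE, flip(BASE, {3, 17}), flip(BASE, {3, 28})]
RECORD = enrol(BasicInfo("loop", "brown", 172), SAMPLES)
GENUINE = flip(BASE, {3, 5, 20})        # same eye, three noisy bits
IMPOSTOR = flip(BASE, range(0, 32, 2))  # different eye, half the bits differ

if __name__ == "__main__":
    print("stable bits:", len(RECORD.positions))
    print("genuine :", grant_access(BasicInfo("loop", "brown", 173), GENUINE, RECORD))
    print("impostor:", grant_access(BasicInfo("loop", "brown", 172), IMPOSTOR, RECORD))
```

Bits 3, 17 and 28 disagree between enrolment samples and are dropped, so noise on bit 3 of the genuine probe does not count against it.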
2) Distance Based Approaches: Distance based access control approaches grant access to external agents through the concept of touch and close proximity [2]. In this process, access is authorized with the patient being aware of the information being accessed. The work presented in [22] uses zero-power notification, zero-power authentication, and sensible key exchange for providing authorization to medical devices. The approach works on the principle of detecting sound emitted by the medical device through a piezoelectric circuit element implanted in the human body. This method attempts to avoid the use of cryptographic solutions that put a strain on the battery life of the medical device. In the proposed method, the caregivers attempt to connect to the device via a radio frequency. The piezoelectric element in the device generates signals that can only be detected by caregivers through a microphone. This can acoustically identify the device, and a key is shared with this method to get access to the patient's information. The main advantage of this method is that it does not consume any battery power in the medical device. The major disadvantage of this approach is that the piezoelectric element must be implanted only 1 cm under the skin. Therefore, it has to be installed separately from the medical device, which is implanted deep in the patient's body.
Another approach proposed in [13] uses ultrasound based distance bounding, based on the speed of sound, together with the Diffie-Hellman (DH) key agreement protocol. This protocol is used to generate the private key in order to initiate the sharing of encrypted information of the medical device. The advantage of this system is that only caregivers in close proximity can establish a connection with the device. However, radio signals can be used by an attacker from a distance to induce a current in the audio receiver. This will deceive the device into generating the key, which can then be used to access the information of the patient without being in close proximity.
The work proposed in [24] uses an in-vivo Near Field Communication (NFC) approach to access the patient information in the medical device. This method authenticates access by medical practitioners by utilizing an NFC-enabled smart phone. In this method, an in-vivo NFC tag is inserted in the human body, which can communicate with the medical practitioner through the use of the smart phone. The smart phone can then be used to share information using a mobile network or WiFi connection. The advantage of using such a method is that in-vivo NFC tags do not use battery power from the implanted medical device. Instead, the power is provided by the smart phone while accessing the information of the patient. But it is almost impossible to share information in the event of a lost or damaged smart phone. According to the authors, the key is generated only once, during the initial surgical implantation, and is shared with the smart phone. In the event of a damaged or lost smart phone, the key cannot be regenerated and information cannot be shared with any other device. Due to this limitation, the proposed protocol may be deemed useless and impractical.
3) Key Management Protocols: Symmetric [14], [19] and public key methodologies [15] can be used to encrypt and authenticate the data, which can limit the attacks on IMDs. A symmetric key is a tool in which information is only shared between the trusted devices and personnel, and is secured from all other external agents. The asymmetric key, on the other hand, has a public signature in which two keys are used. One is made public and the other one is kept secret. Generally, symmetric cryptographic techniques are preferred as they are not very demanding in terms of computing and power consumption. Asymmetric tools, on the other hand, often result in complex circuits and heavy data exchange and communication between the medical device and the caregivers before allowing access. This results in heavy use of computing power, which in turn increases the power consumption of the medical device, reducing its reliability. A proposed solution to this problem was to attach an external wearable device that does the heavy computing for the asymmetric cryptographic tool before allowing access to the medical device. But a drawback of this solution is that in the event of damage to or loss of the external device, there will be no other way to access the medical device.
The work presented in [25] uses physiological ECG signals for granting access to doctors or users. Here, an ECG signal sensor is worn on the hand of the patient, and the signal is measured by the IMD and the caregiver simultaneously. Keys are exchanged between the two parties having the ECG signals. Despite the unique authentication process, the technique adds wait time, which decreases the reliability.
B. Audit Mechanisms
Audit logs are maintained in IMDs to keep a record of the patient's history and the behaviour of the device over a particular time frame. The logs provide the data required for adequate patient care and also for updates to the patient's treatment if delivered through the IMD. However, given the limited storage memory of IMDs (1MB), of which 75% is utilised by medical functions, the audit logs would overflow, which makes the medical device prone to attacks. Overwriting previous non-relevant data may be an extended audit mechanism that can be deployed in the system. Also, alarming and alerting the provider when the memory storage is full can be considered as another possible approach [8]. RFID Guardian is an external device which can be utilized for accessing and monitoring the data and events that have occurred. Besides that, it also authenticates registered devices, handles keys and blocks unregistered entities. The biggest issue with using RFID Guardian is that if an attacker is able to access the Guardian, the attacker will have entire control over the RFID tags [9].
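The overflow problem above, together with the Freshness requirement of Section IV, can be illustrated with a fixed-budget audit log. This is an added example, not code from the paper or from [8]: the 32-byte record size, the action names, the set of critical actions and the merging of repeated operations into one counted record are assumptions; only the 1 MB and 75% figures come from the text.

```python
"""Added example: fixed-budget audit log for an IMD (not from the paper)."""
from collections import deque
from dataclasses import dataclass

TOTAL_MEMORY = 1024 * 1024   # 1 MB of device storage (figure from the text)
MEDICAL_PERCENT = 75         # share used by medical functions (from the text)
RECORD_SIZE = 32             # assumed size of one stored record, in bytes
# Assumed policy: these actions are the last choice for overwriting.
CRITICAL_ACTIONS = {"change_therapy", "change_patient_name"}


@dataclass
class Record:
    first_seen: int
    last_seen: int
    source: str
    action: str
    count: int = 1           # how many identical operations were merged


def audit_budget() -> int:
    """Bytes left for audit records after the medical functions' share."""
    return TOTAL_MEMORY * (100 - MEDICAL_PERCENT) // 100


class AuditLog:
    def __init__(self, budget_bytes: int, record_size: int = RECORD_SIZE):
        self.capacity = budget_bytes // record_size
        if self.capacity < 1:
            raise ValueError("budget too small for a single record")
        self.records = deque()
        self.evicted = 0
        self.alerts = []     # stand-in for notifying the provider
        self._full_alert_sent = False

    def append(self, ts: int, source: str, action: str) -> None:
        last = self.records[-1] if self.records else None
        # Freshness: a repeat of the previous operation updates a counter
        # instead of consuming another record, so a flood of identical
        # requests cannot fill the log.
        if last and (last.source, last.action) == (source, action):
            last.count += 1
            last.last_seen = ts
            return
        if len(self.records) >= self.capacity:
            self._evict_one()
        self.records.append(Record(ts, ts, source, action))
        # Alert the provider once, the first time the log fills up.
        if len(self.records) == self.capacity and not self._full_alert_sent:
            self._full_alert_sent = True
            self.alerts.append(ts)

    def _evict_one(self) -> None:
        """Overwrite the oldest non-critical record, else the oldest record."""
        idx = next((i for i, r in enumerate(self.records)
                    if r.action not in CRITICAL_ACTIONS), 0)
        del self.records[idx]
        self.evicted += 1


if __name__ == "__main__":
    log = AuditLog(audit_budget())
    print("records that fit in the audit budget:", log.capacity)
    for t in range(10_000):              # constructed flood of identical reads
        log.append(t, "reader-X", "identify")
    print("records used by the flood:", len(log.records))
```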
C. Anomaly Detection Techniques
The work presented in [10] utilizes a supervised machine learning algorithm, viz. support vector machine (SVM), for treating resource depletion attacks. The scheme models patient IMD access patterns, which are used to train the SVM. The access pattern information comprises five fields, viz. reader action (identification, obtaining patient data, changing the patient name, changing therapies etc.), time interval, location, time and date of utilization. This information is fed into linear and non-linear SVMs for learning and classification between bogus and genuine readers. It utilizes the patient's cell phone for authentication and verification. Linear SVM and non-linear SVM obtain a classification accuracy for resource depletion attacks of 90% and 97% respectively. Although the system is quite accurate, running SVM on the medical device consumes a lot of energy, which would affect the medical process.
D. External Hardware Methodologies
For dealing with the security issues, external devices such as Cloaker, IMDGuard and IMD Shield are used, as described in this section.
1) Cloaker: A communication cloaker, as devised in [26], is an extra electronic device that is worn by the patient to act as an intermediary in the IMD's communication with the caregiver. The cloaker ensures the security of the IMD for the time that it is worn and gives open access to the outside world when not worn. The IMD ignores all other authentications for as long as the cloaker is worn. In emergency situations, patients can remove the cloaker so that the IMD reacts to all authentications. The cloaker offers a master key to be shared with the IMD, which can channel all the information between them. There are two methods by which the IMD can detect the presence of the cloaker. Firstly, the IMD pings the cloaker so that the cloaker responds by giving confirmation to it. Secondly, the IMD sends periodic keep-alive messages and updates its state according to the response from the cloaker. In both cases, the IMD enters an emergency mode when it gets no response from the cloaker after a waiting period. The security of the cloaker framework depends upon the patient wearing the cloaker in any environment where unauthorised communication may happen. In the event that the patient forgets or chooses not to wear the cloaker, the security features of the framework will be ineffective. Since the device protects against remote attacks that might happen, the act of wearing the device may cause mental distress to the patient.
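The keep-alive behaviour described above, seen from the IMD's side, can be sketched as a small state machine. This is an added example, not the design in [26]: the nonce-plus-HMAC confirmation under the shared master key, the 15-second waiting period, the 5-second polling step and the key bytes are assumptions.

```python
"""Added example: IMD-side cloaker presence check (not the design in [26])."""
import hashlib
import hmac
import os

PROTECTED = "protected"   # cloaker present: only traffic relayed by it is accepted
EMERGENCY = "emergency"   # cloaker absent: the IMD answers any caregiver

MASTER_KEY = bytes(range(32))   # constructed key shared by IMD and cloaker


class Cloaker:
    def __init__(self, master_key: bytes):
        self._key = master_key

    def confirm(self, nonce: bytes) -> bytes:
        """Answer a keep-alive by authenticating the IMD's fresh nonce."""
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Imd:
    def __init__(self, master_key: bytes, waiting_period: int = 15):
        self._key = master_key
        self.waiting_period = waiting_period   # seconds without confirmation
        self.last_confirmed = 0
        self.mode = PROTECTED

    def keep_alive(self, now: int, cloaker) -> str:
        """Send one keep-alive; cloaker is None when nothing answers."""
        nonce = os.urandom(16)
        reply = cloaker.confirm(nonce) if cloaker is not None else None
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if reply is not None and hmac.compare_digest(reply, expected):
            self.last_confirmed = now
            self.mode = PROTECTED
        elif now - self.last_confirmed >= self.waiting_period:
            # No valid confirmation for the whole waiting period.
            self.mode = EMERGENCY
        return self.mode

    def accepts(self, relayed_by_cloaker: bool) -> bool:
        """Direct requests are honoured only in emergency mode."""
        return relayed_by_cloaker or self.mode == EMERGENCY


def simulate(timeline, imd_key: bytes, cloaker_key: bytes):
    """timeline: (time, cloaker_worn) pairs; returns the IMD mode after each."""
    imd, cloaker = Imd(imd_key), Cloaker(cloaker_key)
    return [imd.keep_alive(t, cloaker if worn else None) for t, worn in timeline]


# Constructed timeline: cloaker worn, removed from t=10 to t=25, worn again.
TIMELINE = [(0, True), (5, True), (10, False), (15, False),
            (20, False), (25, False), (30, True)]

if __name__ == "__main__":
    for (t, worn), mode in zip(TIMELINE, simulate(TIMELINE, MASTER_KEY, MASTER_KEY)):
        print(f"t={t:2d}s cloaker_worn={worn!s:5} -> {mode}")
```

The IMD stays in protected mode for the whole waiting period after the last valid confirmation and opens access only after that, which is the behaviour the paragraph relies on for emergencies.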
2) IMDGuard: IMDGuard [27] is a security mechanism for implantable cardiac devices, which are implanted to monitor or treat cardiovascular medical conditions. It is generally used with implantable cardioverter-defibrillators, pacemakers, and ECG (electrocardiogram) sensors. IMDGuard utilises the Guardian, a wearable device, to coordinate interactions between the IMD and the caregiver in a manner that gives security under regular conditions and securely permits access in an emergency situation. The patient's specific ECG signals are used for key sharing between the IMD and the Guardian. The ECG key extraction methodology does not require any additional pre-distributed software, so that it is difficult to rekey the IMD when the Guardian is lost or broken. Also, it makes attackers unable to produce fake Guardians without physical contact with the patient. Later, it was found that, besides skin contact, video recording the face of a person for a period of time can reveal not only the movement and color of the patient but also the heart pulse. Moreover, IMDGuard is also prone to MITM attacks, as shown in [28].
3) IMDShield: IMD Shield is another externally worn device used for IMD security [29]. It utilizes a full duplex radio device which acts as a jammer and a receiver. It comprises a jamming antenna and a receiver antenna. The jamming antenna transmits a random signal to prevent eavesdroppers from decoding the IMD's transmissions. The receiving antenna receives the IMD's signal and decodes it with the help of a transmit and a receive chain. However, commands do not remain confidential with IMD Shield if they are sent from the caregiver to the IMDs. Also, jamming interferes with other radio frequency devices and does not comply with FDA regulations.
TABLE I: Comparison of Various IMD Security Mechanisms

| Mechanism | Description | Overcome Attacks | Properties Achieved | Advantages | Disadvantages |
|---|---|---|---|---|---|
| Biometric Based Approaches | Relies on unique biological characteristics for authentication. Examples: Retina scan, iris recognition [21], heart signals [23], fingerprinting, facial recognition etc. | Eavesdropping, MITM [23] | Authentication, confidentiality, integrity, availability | Secure, unique and private authentication, light weight, little overhead to the device [21] | Lack of standardization, not able to accommodate changes to the biometric over time, sample collection phase is influenced by environmental conditions, user training. |
| Distance/Proximity Based Approaches | Estimate the distance between the IMD and caregiver by measuring the sent and received transmission in proximity through piezoelectric element [22], Diffie-Hellman protocol [13], near field communication [24]. | Wireless eavesdropping, wireless replay | Authentication, confidentiality, integrity, authorization | Do not complicate interactions of medical staff. | Weak authentication since the attacker can make physical contact with the patient by approaching close |
| Key Management Protocols | Symmetric [14], public key [15] and physiological [25] signals are used for the generation of keys | Denial of Service, Eavesdropping, replay, MITM | Authentication, confidentiality | Unique and private information. Symmetric techniques are less power consuming as compared to other key exchange | Decreased reliability and extra waiting time for the authentication |
| Audit Mechanisms [8], [9] | Audit logs are maintained to store the patient's information and IMD's track record. | Threats against non repudiation. | Accountability | Malevolent activities can be easily identified and traced without any computation. | Exhaust limited memory of IMD |
| Anomaly Detection [10] | Classify between the normal and abnormal activities. | Internal attacks, resource depletion and malicious communication | Availability, confidentiality, integrity, privacy | High accuracy | Drains battery |
| External Device Methodologies [30], [33] | Externally worn device utilizing electrocardiogram [27], full duplex radio device [29], share a master key to authenticate IMD and the caregiver [26]. | Eavesdropping, Device Capture, Tunnelling | Confidentiality, integrity, robustness, authentication | Fast response time, prioritizing the safety of patients, no equipment or software alterations | Adversary can contact the patient and extract the key. Battery consuming tasks. |
4) MedMon: MedMon [30] is an external device that snoops on all radio-frequency wireless communication to and from medical devices and uses multi-layered anomaly detection to identify potentially malicious transactions. When it detects a malicious transaction, MedMon reacts appropriately, for example by notifying the user or by blocking the packets from reaching the medical device. It adds zero power overhead to the medical devices themselves. However, it does not provide a secure communication channel, since the channel of communication is typically not confidential.
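A two-layer monitor in the spirit of the description above, as an added example that is not code from the paper or from MedMon [30]. The frame fields, the RSSI and command-policy checks, the thresholds and the alert/block rule are all assumptions made for illustration, since the text does not specify the layers.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
@dataclass
class Frame:                 # one overheard command frame (constructed format)
    t: float                 # arrival time in seconds
    rssi_dbm: float          # signal strength seen by the monitor
    command: str
    value: float             # command argument, e.g. bolus units

# Assumed behavioural policy: allowed commands and their argument ranges.
ALLOWED = {"READ_STATUS": (0.0, 0.0), "SET_BOLUS": (0.5, 10.0)}
MAX_CMDS_PER_MIN = 3

def physical_anomaly(frame, baseline_rssi, k=3.0):
    """Layer 1: RSSI more than k sigma away from the known programmer's profile."""
    mu, sigma = mean(baseline_rssi), pstdev(baseline_rssi)
    return abs(frame.rssi_dbm - mu) > k * max(sigma, 1.0)

def behavioural_anomaly(frame, history):
    """Layer 2: unknown command, out-of-range argument, or command burst."""
    if frame.command not in ALLOWED:
        return "unknown command"
    lo, hi = ALLOWED[frame.command]
    if not lo <= frame.value <= hi:
        return "value out of range"
    recent = sum(1 for h in history if frame.t - h.t < 60.0)
    return "command rate exceeded" if recent >= MAX_CMDS_PER_MIN else None

def monitor(frames, baseline_rssi):
    """Per frame: pass, alert (one layer fired) or block (both layers fired)."""
    history, decisions = [], []
    for f in frames:
        phys = physical_anomaly(f, baseline_rssi)
        behav = behavioural_anomaly(f, history)
        action, reason = "pass", ""
        if phys and behav:
            action, reason = "block", "rssi + " + behav
        elif phys or behav:
            action, reason = "alert", behav or "rssi deviates from baseline"
        if action != "block":        # blocked frames never reach the device
            history.append(f)
        decisions.append((f.command, action, reason))
    return decisions

# Constructed sample data, not captured from any real device.
BASELINE_RSSI = [-52, -50, -51, -53, -49, -51]
FRAMES = [Frame(0, -51, "READ_STATUS", 0), Frame(20, -50.5, "SET_BOLUS", 2.0),
          Frame(35, -78, "SET_BOLUS", 25.0), Frame(40, -52, "SET_BOLUS", 12.0),
          Frame(100, -77, "READ_STATUS", 0)]
```

Because all the checks run on the external monitor, the implant does no extra work, which is the zero-overhead property the paragraph describes.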
5) Channel Estimation: The work presented in [33] uses a wearable external device as a protective intermediary between the IMD and the adversary. Initially, the IMD sends pilot signals that enable the external device to assess and approximate the channel. Using this information, the external device performs data equalization and allows the pilot signals to reach the adversary (assuming the adversary cannot be nearer to the IMD than the external device is). The adversary therefore captures weaker signals and arrives at an incorrect channel estimate. Device capture and tunnelling attacks can be avoided through such a mechanism. The technique decreases the processing complexity of IMDs and also helps in estimating channel conditions, which in turn improves communication performance. However, prior authentication with the wearable device is required, and factors such as dispersion in time and frequency affect the channel estimation.
Jamming is another major threat, which exhausts the resources of the system by sending numerous requests simultaneously. Some of the major contributions to lessen jamming use frequency hopping and direct sequence spread spectrum techniques, which are studied for a cardiac pressure sensing system in [31]. These approaches can protect the devices from eavesdropping and impersonation attacks, but they are not suited to medical devices because of limited hardware design and band regulations [32].
Table I shows the comparative analyses of the techniques
discussed in this section.
VII. POTENTIAL FUTURE RESEARCH DIRECTIONS
To provide usable and adoptable secure solutions for wireless medical devices, additional contributions are required: (1) accurate, real-time and energy-efficient techniques to secure medical devices; (2) efficient, usable and privacy-preserving techniques for concealing the patient’s health record. For a secure and dependable wireless medical device, the following research questions are still open:
• The requirement to implement a specific level of protection, conceivably disabling the service when that level can't be ensured.
• To assess whether the security arrangements in a wireless medical device ensure protection and privacy in a specific temporal or spatial zone. This might be accomplished by considering, for instance, the number of clients, their movement, their worries about security, and additionally the spatio-temporal imperatives of the administration.
• Design a legitimate eavesdropper that detects malicious network traffic by leveraging machine learning techniques.
• Adjust to and recover from abnormal activity by changing the configuration and providing a countermeasure after detecting the threat.
VIII. ACKNOWLEDGEMENTS
This publication was made possible by NPRP grant #8-408-2-172 from the Qatar National Research Fund (a member of
Qatar Foundation). The statements made herein are solely the
responsibility of the authors.
REFERENCES
[1] Medtech Switzerland, 2017, “The U.S. Market for Medical Devices:
Opportunities and Challenges for Swiss Companies”
[2] AlTawy, R. and Youssef, A.M, “Security Tradeoffs in Cyber Physical
Systems: A Case Study Survey on Implantable Medical Devices”. IEEE
Access, 4, pp.959-979, 2016.
[3] 24/7 Wallst Street, “The Eleven Most Implanted Medical Devices In
America”, 2011, [accessed on 17 January, 2017]
[4] Camara, C., Peris-Lopez, P. and Tapiador, J.E. “Security and privacy issues in implantable medical devices: A comprehensive survey”. Journal of biomedical informatics, 55, pp.272-289, 2015.
[5] Clark, S.S. and Fu, K., October. “Recent results in computer security for medical devices”. In International Conference on Wireless Mobile Communication and Healthcare (pp. 111-118). Springer Berlin Heidelberg, 2011.
[6] Leveson, N.G. and Turner, C.S. “An investigation of the Therac-25
accidents”. Computer, 26(7), pp.18-41, 1993.
[7] Hauser, R.G. and Maron, B.J., “Lessons from the failure and recall of an implantable cardioverter-defibrillator”. Circulation, 112(13), pp.2040-2042, 2005.
[8] Gupta, S. “Implantable medical devices-cyber risks and mitigation
approaches”. In Proceedings of the Cybersecurity in Cyber-Physical
Workshop, The National Institute of Standards and Technology (NIST),
US, 2012.
[9] Rieback, M.R., Crispo, B. and Tanenbaum, A.S. “RFID Guardian: A battery-powered mobile device for RFID privacy management”. In Australasian Conference on Information Security and Privacy (pp. 184-194). Springer Berlin Heidelberg, 2005.
[10] Hei, X., Du, X., Wu, J. and Hu, F. “Defending resource depletion
attacks on implantable medical devices”. In Global Telecommunications
Conference (GLOBECOM 2010), 2010 IEEE (pp. 1-5). IEEE, 2010.
[11] Rathore, H., 2016. “Mapping biological systems to network systems”.
Springer.
[12] Halperin, D., Heydt-Benjamin, T.S., Fu, K., Kohno, T. and Maisel, W.H.
“Security and privacy for implantable medical devices”. IEEE pervasive
computing, 7(1), pp.30-39, 2008.
[13] Rasmussen, K.B., Castelluccia, C., Heydt-Benjamin, T.S. and Capkun, S. “Proximity-based access control for implantable medical devices”. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 410-419). ACM, 2009.
[14] Halperin, D., Heydt-Benjamin, T.S., Ransford, B., Clark, S.S., Defend,
B., Morgan, W., Fu, K., Kohno, T. and Maisel, W.H. “Pacemakers and
implantable cardiac defibrillators: Software radio attacks and zero-power
defenses”. In IEEE Symposium on Security and Privacy (sp 2008) (pp.
129-142). IEEE, 2008.
[15] Singh, K. and Muthukkumarasamy, V., “Authenticated key establishment protocols for a home health care system”. In Intelligent Sensors, Sensor Networks and Information, 2007. ISSNIP 2007. 3rd International Conference on (pp. 353-358). IEEE, 2007.
[16] Yan, R., Xu, T. and Potkonjak, M. “Semantic attacks on wireless medical
devices”. In SENSORS, 2014 IEEE (pp. 482-485). IEEE, 2014.
[17] Hei, X., Du, X., Lin, S., Lee, I. and Sokolsky, O. “Patient infusion pattern
based access control schemes for wireless insulin pump system”. IEEE
Transactions on Parallel and Distributed Systems, 26(11), pp.3108-3121,
2015.
[18] Venkatasubramanian, K.K., Gupta, S.K.S., Jetley, R.P. and Jones, P.L.
“Interoperable medical devices”. IEEE Pulse, 1(2), pp.16-27, 2010.
[19] Hosseini-Khayat, S., “A lightweight security protocol for ultra-low
power ASIC implementation for wireless implantable medical devices”.
In Medical Information and Communication Technology (ISMICT), 2011
5th International Symposium on (pp. 6-9). IEEE, 2011.
[20] Rushanan, M., Rubin, A.D., Kune, D.F. and Swanson, C.M. “SoK:
Security and privacy in implantable medical devices and body area
networks”. In Security and Privacy (SP), 2014 IEEE Symposium on
(pp. 524-539). IEEE, 2014.
[21] Hei, X. and Du, X., “Biometric-based two-level secure access control
for implantable medical devices during emergencies”. In INFOCOM,
2011 Proceedings IEEE (pp. 346-350). IEEE, 2011.
[22] Halperin, D., Heydt-Benjamin, T.S., Ransford, B., Clark, S.S., Defend,
B., Morgan, W., Fu, K., Kohno, T. and Maisel, W.H. “Pacemakers and
implantable cardiac defibrillators: Software radio attacks and zero-power
defenses”. In Security and Privacy, 2008. SP 2008. IEEE Symposium
on (pp. 129-142). IEEE, 2008.
[23] Rostami, M., Juels, A. and Koushanfar, F. “Heart-to-heart (H2H): authentication for implanted medical devices”. In Proceedings of the 2013 ACM SIGSAC conference on Computer and communications security (pp. 1099-1112). ACM, 2013.
[24] Kim, B., Yu, J. and Kim, H. “In-vivo nfc: Remote monitoring of
implanted medical devices with improved privacy”. In Proceedings of
the 10th ACM Conference on Embedded Network Sensor Systems (pp.
327-328). ACM, 2012.
[25] Zheng, G., Fang, G., Shankaran, R., Orgun, M.A. and Dutkiewicz, E. “An ECG-based secret data sharing scheme supporting emergency treatment of implantable medical devices”. In Wireless Personal Multimedia Communications (WPMC), 2014 International Symposium on (pp. 624-628). IEEE, 2014.
[26] Denning, T., Fu, K. and Kohno, T. “Absence Makes the Heart Grow
Fonder: New Directions for Implantable Medical Device Security”. In
HotSec, 2008.
[27] Xu, F., Qin, Z., Tan, C.C., Wang, B. and Li, Q. “IMDGuard: Securing
implantable medical devices with the external wearable guardian”. In
INFOCOM, 2011 Proceedings IEEE (pp. 1862-1870). IEEE, 2011.
[28] Rostami, M., Burleson, W., Juels, A. and Koushanfar, F. “Balancing security and utility in medical devices?”. In Design Automation Conference (DAC), 2013 50th ACM/EDAC/IEEE (pp. 1-6). IEEE, 2013.
[29] Gollakota, S., Hassanieh, H., Ransford, B., Katabi, D. and Fu, K. “They
can hear your heartbeats: non-invasive security for implantable medical
devices”. ACM SIGCOMM Computer Communication Review, 41(4),
pp.2-13, 2011.
[30] Zhang, M., Raghunathan, A. and Jha, N.K. “MedMon: Securing medical
devices through wireless monitoring and anomaly detection”. IEEE
Transactions on Biomedical circuits and Systems, 7(6), pp.871-881,
2013.
[31] Chow, E.Y., Chlebowski, A.L., Chakraborty, S., Chappell, W.J. and Irazoqui, P.P. “Fully wireless implantable cardiovascular pressure monitor integrated with a medical stent”. IEEE Transactions on Biomedical Engineering, 57(6), pp.1487-1496, 2010.
[32] Ankarali, Z.E., Abbasi, Q.H., Demir, A.F., Serpedin, E., Qaraqe, K. and
Arslan, H. “A comparative review on the wireless implantable medical
devices privacy and security”. In Wireless Mobile Communication and
Healthcare (Mobihealth), 2014 EAI 4th International Conference on (pp.
246-249). IEEE, 2014.
[33] Ankarali, Z.E., Demir, A.F., Qaraqe, M., Abbasi, Q.H., Serpedin, E., Arslan, H. and Gitlin, R.D. “Physical layer security for wireless implantable medical devices”. In Computer Aided Modelling and Design of Communication Links and Networks (CAMAD), IEEE 20th International Workshop on (pp. 144-147). IEEE, 2015.