September 2030, at St. Olavs Hospital, Trondheim. A nurse is monitoring a patient's hydration level on a tablet, along with other vitals such as cardiac rhythm, oxygen, or glucose level. She then reports to the doctor in charge, who, after a quick look, advises a slightly modified treatment. This choice is made based directly on the recommendations of the application. 250 kilometres from there, the monitored patient receives a notification on her smartwatch indicating an update of her treatment, along with the reasons for it.
The Internet of Medical Things (IoMT) is the network of medical devices that are connected through the internet. It enables this new type of hospital, “connected and at home”, which should become the new normal in the upcoming years, not only to release pressure on hospitals but also to bring better and more comfortable care to patients. This change could already be witnessed during the COVID-19 crisis. In addition, the ability of medical devices to communicate is not novel and is becoming a basic functionality in newer models, whether it is a connected watch or an implanted medical device such as a pacemaker or an insulin pump. It is undeniable that these new technologies improve patients’ lives and, overall, the quality of healthcare, but what about their security?
In the American series “Homeland”, a terrorist remotely hacks the Vice President’s pacemaker, shocks him, and kills him. Scary, isn’t it? Doctors were asked about the feasibility of such an attack and said that it is not possible in real life. However, years of research on the subject suggest otherwise. As early as 2008, researchers described an attack on a pacemaker. Using software-defined radio (SDR) devices, they reverse-engineered the communication protocol used between the pacemaker and its programmer. They then used this knowledge to develop several attacks, including the ability to retrieve the patient’s personal data. More worryingly, they were able to modify the pacemaker’s settings (including therapies) and trigger a shock (in the case of a defibrillator), potentially killing the patient. More recent research from 2016 on the latest generations of pacemakers seems to show that these vulnerabilities still exist: researchers managed to drastically reduce the battery life of a pacemaker by blocking it in “interrogation” mode (a mode in which it can communicate with a programmer, which requires more energy).
SINTEF has been looking at this topic for the past three years. Specifically, we have analysed the ecosystem of one of the main manufacturers of pacemakers on the market. We got our hands on the last three generations of the telecardiology unit to compare the evolution of their security over time. Our results show that overall, the security of medical devices has improved, although manufacturers are still lagging and are unable to implement certain basic security measures.
Six properties to develop secure devices
Designing secure medical devices is difficult for several reasons. To develop a secure device, a manufacturer must meet the following six properties: confidentiality, integrity, availability, non-repudiation, authorization, and authentication. In the case of a pacemaker, these properties must hold not only during “normal” operating mode, but also in “emergency” mode. In “normal” mode, it is reasonable to think that we can control the devices connecting to the pacemaker and implement strict security measures (the pacemaker can, for example, simply ignore any connection request). In “emergency” mode, by contrast, even if it is still necessary to respect the aforementioned properties, it is vital that the pacemaker be accessible, for example if the patient has to undergo an operation abroad and the pacemaker must be deactivated. Having such a mode means implementing a “backdoor”, which goes against all security principles. Another challenge for manufacturers is the devices' lack of resources (in terms of memory capacity or battery life, for example). The limited available computing power makes it very difficult to implement “strong” cryptographic algorithms.
Should we conclude that connected medical devices are not secure and should not be used? No. The possibilities offered by connected medical devices greatly improve the quality of care and simply the quality of life of patients. However, as this article shows, it is crucial not to put the cart before the horse and to ensure that we develop devices that meet the security needs of today and tomorrow.
New research project on medical devices and security
With our latest project, NEMECYS, we will look at security of medical devices as a whole. In this project, we are developing proportionate risk benefit schemes that will balance cyber security risks with clinical benefits to ensure that the right amount of cyber security is applied in each situation. This is unique in that it is the first approach we know of that balances both cyber security risk and clinical benefit. Our dynamic runtime risk assessment will extend existing dynamic cyber security risk assessment work to incorporate sensing of events pertaining to medical situations and patient care risks. This will provide practitioners with advance warnings of changes in situations from a cyber security perspective and recommendations on how to adjust their cyber security appropriately. We will also provide semi-automated cyber security assessment tools and techniques that target the whole lifecycle of medical devices. These tools will be built into toolboxes, which will collect a “complete” set of methods and tools in one place, making it easier for practitioners to create and maintain risk assessments for connected medical devices.
- Halperin, D., Heydt-Benjamin, T. S., Ransford, B., Clark, S. S., Defend, B., Morgan, W., Fu, K., Kohno, T., and Maisel, W. H. (2008). Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In 2008 IEEE Symposium on Security and Privacy (sp 2008), pages 129–142. IEEE.
- Marin, E., Singelée, D., Garcia, F. D., Chothia, T., Willems, R., and Preneel, B. (2016). On the (in)security of the latest generation implantable cardiac defibrillators and how to secure them. In Proceedings of the 32nd annual conference on computer security applications, pages 226–236.
- Bour, G., Moe, M.E.G. and Borgaonkar, R., 2022. Experimental Security Analysis of Connected Pacemakers. In BIODEVICES (pp. 35-45).
- #SINTEFblog: Security Testing of the Pacemaker Ecosystem
- guillaumebour.fr – Security testing of the pacemaker ecosystem – Part 1