Security and Privacy for Implantable Medical Devices

Wayne Burleson • Sandro Carrara, Editors

Wayne Burleson
Department of Electrical and Computer Engineering
University of Massachusetts
Amherst, MA, USA

Sandro Carrara
École Polytechnique Fédérale de Lausanne
Lausanne, Switzerland

ISBN 978-1-4614-1673-9
ISBN 978-1-4614-1674-6 (eBook)
DOI 10.1007/978-1-4614-1674-6
Springer New York Heidelberg Dordrecht London
Library of Congress Control Number: 2013948851
© Springer Science+Business Media New York 2014

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher's location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)

Contents

1 Introduction
  Wayne Burleson and Sandro Carrara

Part I

2 Blood Glucose Monitoring Systems
  Francesco Valgimigli, Fabrizio Mastrantonio, and Fausto Lucarelli
3 Wireless System with Multianalyte Implantable Biotransducer
  Christian Kotanen and Anthony Guiseppi-Elie
4 New Concepts in Human Telemetry
  Sandro Carrara
5 In Vivo Bioreactor: New Type of Implantable Medical Devices
  Qiang Tan

Part II

6 Segue
  Wayne Burleson and Sandro Carrara
7 Design Challenges for Secure Implantable Medical Devices
  Benjamin Ransford, Shane S. Clark, Denis Foo Kune, Kevin Fu, and Wayne P. Burleson
8 Attacking and Defending a Diabetes Therapy System
  Chunxiao Li, Meng Zhang, Anand Raghunathan, and Niraj K. Jha
9 Conclusions and A Vision of the Future
  Sandro Carrara and Wayne Burleson

Index

Chapter 1
Introduction

Wayne Burleson and Sandro Carrara

Implantable medical devices (IMDs) have advanced considerably in the last few decades, promising unprecedented access to the human body to gather personal health data anywhere and any time. Widely deployed devices such as pacemakers and insulin pumps already provide enormous health benefits. Cochlear and ocular implants use advanced microelectronics and novel powering schemes for vastly improved hearing and vision.
Biosensors address disease by drug and biomarker detection with myriad applications, ranging from cancer therapies and infectious disease detection to genome analysis, promising to improve health, increase safety, and reduce the cost of diagnostics.

However, the security and privacy of these devices and their data have still not been adequately addressed. The low cost and lightweight nature of the devices makes implementation of standard information security and cryptography challenging and motivates novel approaches that are customized to constraints and threat models. Wireless interfaces are perhaps the most obvious vulnerability; however, device counterfeiting and data fraud are also realistic threats. The most disturbing concerns arise in systems where drug (e.g., insulin pumps) or electric therapies (e.g., pacemakers) can be maliciously modified to deliver lethal results. But the security and privacy of personal health data and genomics information motivate discussions about data ownership and fundamental human privacy rights.

Most recently, the development of new biosensors has allowed blood tests to be performed in the body that previously required blood sampling, incurring costs, compromising safety, and causing inconvenience for patient and physician. Furthermore, the fact that lab tests can be performed anywhere and any time allows unprecedented exposure of the body and personal health information. Personalized health solutions can be used to tackle difficult problems in cancer and other therapies. Responses to drugs and drug interactions can be monitored on a much finer-grained level than before.

W. Burleson
Department of Electrical and Computer Engineering, University of Massachusetts, 309C Knowles Engineering Building, Amherst 01003, USA
e-mail: [email protected]

S. Carrara
École Polytechnique Fédérale de Lausanne, Lausanne, Switzerland
e-mail: Sandro.Carrara@epfl.ch

W. Burleson and S. Carrara (eds.), Security and Privacy for Implantable Medical Devices, DOI 10.1007/978-1-4614-1674-6__1, © Springer Science+Business Media New York 2014
However, the increased reliance on these technologies, especially in the case of potentially life-saving therapies, can introduce difficult tradeoffs in reliability and security. Personal health information that was once restricted to the confines of a medical laboratory and physician could now potentially be accessible to various unauthorized parties.

Wireless Access to Implantable Devices: A Double-Edged Sword

Wireless connectivity at various scales provides numerous benefits with respect to implantable medical devices (IMDs). The ability to communicate with an implanted device allows data to be transferred both up and down as well as download of control information and software updates. Fortunately, most data transfer rates from IMDs are quite slow and the out-of-body radio can be located quite close, removing many concerns about power levels and eavesdropping. Recent examples where the external radio is on a bandage [1] just millimeters from a subcutaneous implant [2] pose issues that are relatively easy to solve in terms of wireless communication system design by drawing upon recent techniques in radio-frequency identification (RFID), near-field communication (NFC), and inductive coupling. More challenging are deeply implanted devices that must cross significant amounts of human tissue before leaving the body. Examples include deep brain implants, deep heart implants, and fetal monitors [3].

If the external radio is on the body (Fig. 1.1), this can either tie into or form the basis of a body area network (BAN). BANs have been proposed for a wide range of applications, and a good survey on them can be found in [4]. The IEEE recently announced a new standard for BANs (the IEEE 802.15.6) that emphasizes ultra-low-power devices.
Wireless connectivity also provides capabilities for directly updating electronic health records (EHRs) [5]. One of the main concerns about EHRs has been the cost and accuracy of manual data entry [6]. By directly entering data from implantable devices, some of these concerns may be reduced. In addition, wireless capabilities facilitate the concept of a personal health record (PHR) or portfolio (PHP) [7], which extends the EHR to a record that is under the control of the patient. This addresses many concerns about individual civil liberties and privacy rights.

If the external radio is not on the body, the wireless communication problem is significantly more challenging and additional vulnerabilities arise. However, this scenario is quite attractive because it avoids the inconvenience of the patients having to wear a device, possibly losing the device, and keeping it powered. Instead, a wall-powered base station, similar to a Wi-Fi router, can be used to communicate with the implanted device and then directly tie into the cellular or fixed network and then to the Internet (Fig. 1.2). A recent US study suggests that physician access to medical devices through remote monitoring can offer a reduction in hospital visits by 40% and cost per visit by US$1,800 [8].

Fig. 1.1 A body area network (BAN) connects various sensors to a wearable router/hub that communicates wirelessly with other networks for medical, emergency, and record-keeping purposes (Courtesy of CSEM/Switzerland)

Fig. 1.2 Remote access to implantable pacemaker and cardiac monitor (Courtesy of Golkatta (MIT))

Fig. 1.3 Fully implantable medical devices may be powered by patches located on top of the skin, and these electronic patches may be wirelessly connected to a smartphone via a Bluetooth link

Wireless powering is another advantage of wireless access to subcutaneous IMDs (Fig. 1.3). Although numerous possibilities have been proposed for energy harvesting within the body, including thermal gradients, electrochemical techniques, and vibration harvesting, most are not considered sufficiently mature or reliable for medical applications [9].
Batteries have their own problems, including size, weight, cost, and toxicity. Most rechargeable batteries have safety risks, which limit their application in implantable devices. Recent problems with lithium-ion batteries in various applications will only continue to hinder their public acceptance for safety-critical applications like medical devices. A major reason for pacemaker replacement surgery is simply due to the lifetime of the battery (approximately 7–10 years), so any reduction in power consumption can translate to reduced surgery. Wireless powering over a short range, similar to RFID and smart-card technology, is very promising for providing up to milliwatts of power to the implantable device. Recent research [10] has shown that optimal powering frequencies in GHz range allow very small millimeter-sized antennas on implantable devices. We have demonstrated novel antennas for remote powering from patches applied to the skin directly above a subcutaneous device that allow MHz frequencies, too, for millimeter-sized antennas on implantable devices [1]. The close proximity and ease of alignment allow highly efficient energy transfer.

The Promise of Implantable Medical Devices

This book will show that IMDs are not limited to biosensors. Chapter 5 shows a quite different case of IMDs, and numerous other IMDs are on the drawing boards. Therefore, a taxonomy of IMDs can be defined by several dimensions:

• Physical location/depth, procedure, lifetime;
• Sensing/actuating functions (sense, deliver drugs or stimulus, grow tissue!);
• Computational capabilities;
• Data storage (both volatile and non-volatile);