Millions of Americans rely on medical implants — defibrillators, pacemakers, drug pumps and more — and every year 300,000 more receive such devices worldwide. Most of these implants operate via wireless connections. This enables a patient’s doctor or caregiver to closely monitor vital statistics of a patient and administer and modify treatments as needed.
However, as with most any wireless device, these, too, can be hacked, researchers at the University of Massachusetts-Amherst found in 2008.
“You might have people listening to a signal from a patient’s device to get private medical information from the patient or even send commands to the device,” said Dina Katabi, an associate professor in MIT’s department of electrical engineering and computer science. Attackers could, for example, instruct an implant to administer a lethal amount of medication or electricity.
Although no such attacks have occurred thus far, the potential is there and it spurred Katabi and her colleagues to take action. The team has created a system, which they will present at the upcoming SIGCOMM conference, that can prevent such attacks from occurring.
The system employs a second transmitter — which the researchers call a "shield" — to handle encryption and authentication of wireless communications so that unauthorized messages never reach the medical implant itself. The shield would be controlled by a patient’s doctor (just like medical implants are today).
“The shield serves as a secure gateway between doctor and patient,” Katabi said. “A trusted external device (i.e. the patient’s caregiver) that wants to communicate with the implanted device communicates authenticated and encrypted messages to the shield. The shield then conveys these messages to the medical implant and also prevents non-authenticated messages from reaching the implant.”
In other words, only those people who have the shield’s key can access the implanted defibrillator, pacemaker or other medical implants. Unauthorized messages would never get beyond the shield because they wouldn’t carry the secret key.
Furthermore, the shield conveys the medical device’s encrypted messages to the patient’s doctor (the trusted external device) while preventing others from obtaining these messages.
The researchers designed the shield as an outside device for various reasons.
First, separating the shield from the pacemaker or defibrillator would allow patients already outfitted with such implants to receive shields retroactively. Second, the researchers didn’t want to overburden the medical devices themselves.
“One challenge was protecting the medical device without having to access it and alter its own functions,” Katabi said. “You don’t want to put more functions on a device than necessary because things like battery life are very important. An outside device has more capability.”
And last, putting encryption on a medical implant itself could have lethal consequences in an emergency. But these shields would be small enough to be worn as a necklace, bracelet or brooch, Katabi said, and could easily be removed.
“If you put the secret [key] on the pacemaker, for example, only the doctor who knows the secret [key] can access the pacemaker,” Katabi said. “In an emergency, a patient may be taken to a foreign hospital where the doctor does not have access to the secret key. This could be fatal if the key is within the implanted device.” With the shield as external necklace or brooch, by contrast, an emergency doctor can simply remove the shield and treat the patient.
It remains to be seen whether medical companies will see the need to deploy such a system, given that so far no attacks have occurred. “But perhaps this is good timing because it is always good to have a solution before the attack starts," Katabi said.