Security Risk of Wireless Implantable Medical Devices

STEVEN SUGGETTLewis University

CAMS Dept.1 University Parkway Dr., Romeoville, IL

USAstevenpsuggett@lewisu.edu

LUCIEN NGALAMOULewis University

CAMS Dept.1 University Parkway Dr., Romeoville, IL

USAngalamlu@lewisu.edu∗

Abstract: Wireless Security has become increasingly important in recent years. The amount of devices that connectto the internet has skyrocketed with the capability of connecting wirelessly to these devices being recently added.Very few of these devices are equipped with proper security methods. One such device that only recently has beenadded to the pool of wireless devices is implantable medical devices such as pacemakers. Patients and doctors canconnect to these devices to update firmware, view information, and manage the device in other ways; however,the devices still lack the proper cybersecurity and are vulnerable. This paper presents a review of security riskof wireless implantable medical devices, the obstacles and solutions to address security threads that these devicesmight be exposed to.

Key–Words: Internet of Things, Wireless Security, Encryption, Implantable Medical Devices, Authentication.

Received: January 22, 2020. Revised: May 2, 2020. Accepted: May 18, 2020. Published: May 29, 2020.

1 IntroductionThe concern for cyber security has been increasingfor many reasons in recent years. Security breachescompromise the information of a system and can hap-pen wirelessly and quietly. A user may have no ideatheir system has been compromised, but an attackercould have access to view and potentially modify datawithin the machine. There is no perfect method forsecurity, as any computer connected to the internet,sending data out and taking data in has the ability tobe attacked. The closest scenario to a perfectly se-cure computers are ones that are not hooked up to theinternet at all, and even those computers can be com-promised if an attacker has physical access to it. Inthe past, this concern over cyber security was reservedjust for computers, as there were not many other de-vices that could be connected to wirelessly; however,recently there is a growing phenomena where count-less devices are connected to the internet. This isknown as the Internet of Things, and it includes anyprinters, DVRs, wireless mice and keyboards, andmany different medical devices including pacemak-ers and implantable cardiac defibrillators. Many ofthese devices serve very important functions, and thismeans their security is essential. Even devices thatappear to serve no harmful function such as house-hold appliances could be compromised and play a rolein other attacks. The security of these devices, es-pecially medical devices, and what can happen once

∗Corresponding Author

they are compromised must be considered when de-signing them. There are many different security sys-tems in place and even more on the way, but no mat-ter how sophisticated security methods get there isalways the often overlooked security breach throughhuman error, in the form of improperly setting up orignoring security protocols. Implantable medical de-vices in particular have been known to contain manysecurity holes, opening the devices up to potential at-tacks. Many of these devices were designed solelywith function in mind, and lack any sort of encryption,authentication, or prevention against attackers gain-ing access and control over the device[Owens(2016)].A major cause of this in the past has been the lackof control over the requirement involved in the se-curity of medical devices, and it was not until justrecently, around late 2016, that the US Food andDrugs Administration (FDA) has placed more restric-tive standards on the security of implantable medicaldevices[Aram et Al(2016)]. The FDA has made manydifferent recommendations over the years, starting in2005, when it comes to cyber security for implantablemedical devices; however it was not until December28, 2016 that the FDA turned what used to be nonbinding recommendations into requirements for med-ical implant design[Aram et Al(2016)]. In providingthese devices with greater security, a variety of knownattacks has to be considered and the ways methods topreventing them.

1][1].

[2]

[2].

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

89

Volume 17, 2020

2 Regulation History of Medical Im-plants

The first medical implant was a pacemaker given to apatient in 1958[Woods(2017)]. At that time, the pri-mary concern for medical device research has beenfocused mainly on increasing efficiency and batterylife, as there was not a major concern for cyber secu-rity. Around this same time, a similar trend was shownwhere performance was the first major concern, andsecurity did not become an issue until later on. Whileadvances in security for computers has advanced tobecome very sophisticated since the 1960’s, medicaldevices fell behind in security. Medical devices haverelatively recently been given the ability to connectwirelessly to other monitors and devices allowing pa-tients and doctors can view vital information. Themethods in which medical devices can connect to out-side monitors is through various wireless frequencies,some exclusively used for medical implants while oth-ers use more common methods such as Wi-Fi andBluetooth[Woods(2017)]. There are many known vul-nerabilities for these wireless methods if they are notsetup properly. Careful setup while using any wirelessconnection is necessary, and failing to follow propersetup could lead to vulnerable medical devices. Forexample, leaving Wifi or other passwords as the de-fault or empty makes it extremely easy to break intofor attackers. Setting up the security of the devicesproperly greatly reduces vulnerability of these devicesto attacks[Woods(2017)].

3 Potential for Medical Device At-tacks

Any message sent wirelessly has the potential to beintercepted, which is why managing proper securityprotocols for these messages is important. Medicaldevices have become increasingly dedicated in re-cent years, having gone from simple mechanical im-plants that do their job and not much else, to so-phisticated mini computers that not only does theirjob, but also transmits vital information wirelesslyto be analyzed by doctors; however, the data trans-mitted to and from the medical implants, like anyother data sent wirelessly, is vulnerable to attackers[Fergusonet et Al(2010)]. The problem has becomethat while the scope of these medical implants has in-creased, the necessary security of these devices hasyet to be implemented. Two major medical com-panies, St. Jude Medical and Johnson & Johnson,have even declared that there are unaddressed secu-rity risks in current medical implants and other medi-cal devices; however, the risks posed by these security

holes are often overblown, and it would often be moredangerous to choose not to accept a medical implantbecause of the security risks[Fergusonet et Al(2010)].Deciding not to use a medical device because of thepotential for the device to become compromised ismuch more dangerous. This is because even thoughmedical implants such as pacemakers could be at-tacked by outsiders, the likelihood of a normal con-sumer being targeted in a life threatening attack israther low[Fergusonet et Al(2010)]. Targeting a pace-maker with the intention of compromising it withlethal intent is, at the end of the day, homicide andthe chance of becoming the victim of a wireless at-tacker with intent to kill as rather low. What is perhapsan even more important issue, given how unlikely afatal attack is using medical implants, is the privacyof information going to and from the device. Sensi-tive, personal medical information relating to the pa-tient can be compromised by intercepting data goingto and from the device, and keeping a patient’s privateinformation safe is very important in the medical field.While not many attackers would regularly perform fa-tal attacks using implants, there are likely many at-tackers who would be willing to intercept medicaldata transmitted by these medical implants and sellthem to other attackers[Fergusonet et Al(2010)]. Forthis reason it is still very important to ensure the se-curity of medical devices, and of course preventingfatal attacks however unlikely is still from the medi-cal device; however, an attacker is able to listen in onwhat is being sent, and also send his own commandsto the device. Fig. 1. A Doctor is able to freely send

Figure 1: Medical Device Connection without En-cryption

and receive information desired, but the obstacles toimplementing proper security protocols cannot be ig-nored. One major obstacle is the cost of implement-ing security protocols into medical implants. Medicalimplants are very small, very advanced devices thatare constantly evolving. Having to keep security up

[3].

[4].

[4].

[3].

[3].

[4].

[4].

[4].

[4]

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

90

Volume 17, 2020

to date would delay the release of these medical de-vices, and increase the cost of future installments andresearch within them[Barand(2017)]. Implementingsecurity protocols within these medical devices startsat the design level, and researchers and programmersneed to keep security in mind even at the very startof medical device related projects. Calls for the gov-ernment to create security guidelines has been plen-tiful in the last few years, and more recently someguidelines have started to be made, such as the guide-lines created by the FDA. The FDA guidelines requireproper implementation of security protocols for theencryption of data, the authentication of its users, andproper use of the privileged user[Aram et Al(2016)].Research and advancements concerning these deviceshas typically been focused on making the operatingsystems within these devices more efficient and faster,and implementing cyber security measures would goagainst this trend. Because of this many devices stillhave barebones security, and for the security of pa-tients’ privacy and wellbeing it is important that re-search goes into keeping implantable medical devicessecure[Barand(2017)]. To understand some of the re-quirements recently set by the FDA for secure medicaldevices, common encryption methods, authenticationmethods, and the function of a privileged user will beanalyzed.

4 Encryption MethodsOne of the guidelines that the FDA has required formedical devices is the encryption of data. AES is oneof many methods of encryption, and there are vari-ous methods that strive to achieve the same goal asit. While the actual encryption method used for en-crypting data from these medical devices may vary,AES stands out as an important method because ithas been recognized as a very good form of en-cryption, and has even been formally approved bythe government as being recognized as a securitystandard[Fergusonet et Al(2010)]. AES is currentlyused to encrypt web traffic, is the major discerningupgrade between WPA and WPA2, two very com-mon security methods used The main goal of encryp-tion is to scramble a message enough to give out-side observers the least information possible aboutthe original message. This ensures the privacy ofthe contents of the message, and is rather importantfor many devices. The original message that be-comes encrypted may either consist of readable wordsintended to communicate with other people, or themessage may also contain commands that are meantto be interpreted by some system. Because the en-crypted message should convey the least informa-

tion possible to an attacker, good encrypted messagesshould appear completely random. Simply replacingthe original message with completely random con-tents would not be viable though, since the intendedreceiver of the message must be able to revert themessage back to its original form in order to readit[Fergusonet et Al(2010)].

4.1 Diffusion and Confusion in AES Encryp-tion

An effective encryption algorithm needs to be able totake any message, scramble it up enough to appearcompletely random, provide no statistical data con-cerning the original message such as how many timesa certain letter appears, and be revertable by only theintended receiver. AES was designed from the groundup to do this effectively, and it does this by performinga series of mathematical operations between the datawithin the original message, and the data containedwithin a key file, which in its simplest terms is simplya random value applied to the encryption algorithm.The AES algorithm scrambles the original messageso effectively, that even changing a single characterfrom the original message will completely transformthe outcome of the encrypted message. The messageis encrypted using the key, and can be decrypted byanyone who has the same exact key. Anyone with-out the key will not be able to read or understandthe original message, while people with the key canundo the mathematical operations performed from theencryption algorithm and have access to the originalmessage[Fergusonet et Al(2010)].

4.2 Protection Against Brute Force AttacksBrute Force attacks are when an attacker simply triesevery possible key when decrypting a message untilthey find the original message. It is usually fairlyobvious to tell when the original message has beenfound, because it will be on of the only messages thatmakes sense and is not just a scramble of random val-ues. For example, if the attacker expects the originalmessage to be in English, then they can try randomkeys until they decrypt into a message that has En-glish text. In order to ensure the key cannot be ran-domly guessed the simplest solution has been to makethe make the number of possible keys so large thatit would take for too long, even for automated com-puters, to try every possible key. The problem withthis is that as time goes on computers are becomingmore efficient, and keys that used to be large enoughto trusted as safe are not anymore. Thankfully, currentencryption methods have attempted to prevent this, atleast for a while, by overestimating necessary size for

[4].

[4] .

[ 5 ] .

[ 5 ] .

[ 2 ] .

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

91

Volume 17, 2020

these keys; however, over time the size of keys willinevitably have to be increased once again. AES, andmany other encryption methods, can handle keys thatare 256 bits large, or binary numbers that have a lengthof 256 digits. This means that there are 22̂56 possibledifferent keys. Typically, if an encryption algorithmis only vulnerable to Brute force attacks, it is consid-ered secure. The time it would take to randomly guessthe correct key as long as the length of the key is suf-ficient is negligible, especially considering it wouldbe very difficult to prevent attackers from carrying ouBrute Force attacks given the simplistic nature of theattack[Fergusonet et Al(2010)].

4.3 Implementation of AES or Similar Meth-ods

Encryption methods are only effective when imple-mented properly. There are various quirks with eachmethod that Fig. 2. Doctor is able to send and re-

Figure 2: Medical Device Connection without Au-thentication: Replay Attack.

ceive Encrypted Messages to the device. While theattacker is able to see these messages, because theyare encrypted they cannot understand the messages.The attacker is still able to send the same message tothe devices, using a replay attack. The device will stillunderstand the attacker’s message and perform the op-erations described in the attacker’s copy of the orig-inal message. requires proper setup and implemen-tation. In recent years, the biggest cause of securitybreaches has been human error. Despite having ad-vanced and effective methods of providing security forthese devices, people often do not make use of them.Increased security comes at the cost of reduced easeof access and convenience. In the case of medical de-vices, the security protocols in place may even providean obstacle in the event of a device failure. For exam-ple, if login credentials are required to access the de-vice one of the few people that would know the logincredentials of the device, the user, may be in a criti-

cal condition, and the paramedics would have troubleaccessing it[Fergusonet et Al(2010)]

5 Strong Authentication MethodsThe FDA also requires medical devices to Authenti-cate communication between outside users such as thepatient and the doctor, and the medical device itself.Encryption exclusively handles the issue of makingsure data cannot be intercepted and read by an out-side observer, but by itself is not enough to ensurethe total security of medical implants or other devices.While proper encryption methods prevents attackersfrom learning just about any information within amessage, it does not ensure that the message comesfrom a trustworthy source or has not otherwise beentampered with. For example, in a system secured onlywith encryption, an attacker could pose as the doc-tor and send faulty signals to the medical device in anattempt to force it to perform undesired tasks, or sendfaulty information from the medical device to the doc-tor or hospital in an attempt to misinform the peoplemanaging the device. To prevent this, authenticationmethods are put into place[Fergusonet et Al(2010)]

5.1 Message Authentication CertificatesAuthentication methods aim to prove that any mes-sage is from who they claim to be. A very com-mon way to do this is to run various mathematicaloperations on the original message, similar to encryp-tion, to create a Message Authentication Certificate(MAC) tag. This MAC tag is then attached to theoriginal message, and the two of them are sent to-gether as a single message. When the recipient ofthe message decrypts the message, they can check theMAC tag to ensure the message has not been tam-pered with. This works because if the message hasbeen tampered with in any way, after decrypting thetampered message the MAC tag will not be correctafter all the scrambling that the encryption and de-cryption process creates. What this method by it-self does not address is the potential for a replay at-tack, which was a security hole in various medical de-vices that used only basic encryption protocols but notauthentication[Fergusonet et Al(2010)].

5.2 Replay Attacks and Secure ChannelsA replay attack is when an attacker intercepts a mes-sage, holds onto it, and can then resend that originalmessage as many times as he likes. Even though thefirst message was sent with good intentions, repeat-ing the message could be harmful. For example, con-sider if the original message was one that told the de-

[4].

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

92

Volume 17, 2020

vice to restart and the attacker intercepted that mes-sage. While the original restart may have been sentin goodwill, the attacker would now be able to tell thedevice to restart as often as he likes potentially lead-ing to unintended, undesired side-effects. To preventagainst this, further authentication methods need to beput into place. One such method is the use of securechannels to send messages. The goal of secure chan-nels is to first prove that a message is from the legiti-mate sender, and then once the sender has been provenany messages sent between the parties can be trustedto originate from the original sender. Secure chan-nels modify messages over time while the channel isbeing used. When using a secure channel the valuesused to encrypt and decrypt modify so that even if thesame message in sent exact is sent twice, such as whatoccurs during a replay attack, the message only prop-erly encrypts and decrypts if it is from someone withthe same key that established the channel. Each timea secure channel is established, both parties need toreshare keys to establish a new secure channel. Byusing a secure channel, replay attacks are prevented;however, in order to establish a connection properlythe two parties involved need to somehow share anauthorization key between each other. This becomesa bit more complicated when one of the parties is nota person, but rather a medical implant that can onlybe accessed wirelessly. Because of this, additionalsteps are necessary in sending authenticated messagesto and from medical devices[Fergusonet et Al(2010)]

5.3 Sharing of Keyschannel create a value that attackers cannot pull fromintercepted messages. It is possible however, and theDiffie-Hellman protocol shows that property rathersimply, even though it is not the main protocol usedin authentication. The Diffie-Hellman protocol makesuse of performing mathematical operations by usinga secret number that only personal party knows withpublicly declared numbers that both parties agree on.Diffie-Hellman takes the public number, and raises itto the power of their secret number. The parties thensend the numbers resulting from this operation to eachother, and then each party then raises the newly re-ceived number to the power of their original secretnumber and both parties should have the same end re-sult. This works because raising numbers to two ormore certain powers does not depend on the order thatoperations were performed, as shown in Equation

Authentication protocols, including Diffie-Hellman itself, makes use of Modular Arithmeticand other methods to further obscure the originalnumbers. The end result is that both parties areable to send secret information over to each other,

despite having to send that information over a publicchannel. By doing this, the two parties can sharevalues that are then used to create the keys necessaryto establish a secure channel. Once a secure channelis made, attackers will be unable to impersonatethe senders, and in the case of medical implants,could not send faulty messages to and from thedevice[Fergusonet et Al(2010)]

6 Privileged UserAnother requirement that the FDA has recently madefor medical implants is the function of a Privilegeduser. A Privileged user is a user that has total, ad-ministrative access to a device. Privileged users havebeen used in the past for operating systems such asLinux and Windows, and the function of an admin-istrator has been to restrict potentially harmful com-mands from regular users. In Linux administratorsare often referred to as the “root” user, and has thepotential to create, access, and delete any files on thesystem[Shackleford(2017)] Fig. 3. Doctor is able tocommunicate with the medical device using a securechannel. The Attacker can still see the encrypted mes-sages, they are unable to communicate directly withthe device, because the device refuses connections notsent through the secure channel.

Figure 3: Medical Device Connection sith SecureChannel.

6.1 Role of Privileged UsersManaging system files is often necessary for regularmaintenance such as updating the system, adding newusers, installing new software, and other tasks. Whilethe system protects itself from potentially harmful ac-tions of regular users such as deleting system files, in-stalling untrusted software, and accessing files withsensitive system information, the system does not pro-tect itself against the privileged user. For this reason, itis not safe to use the privileged user account as a main

[ 6 ] .

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

93

Volume 17, 2020

account in a system, even for the person in charge ofmanaging the system. Accidently deleting importantfiles or other potential risks of being logged in as theprivileged user means that it is often best to only usethe privileged user account when immediately neces-sary, and use a regular account otherwise. The pres-ence of a privileged user is important for keeping thesystem safe from regular users and managing the sys-tem; however, given the control a privileged user hasover a system security is essential when implement-ing one. In Linux systems, connecting to the root ac-count used to be done by logging in directly as theroot user, providing both a username and passwordfor the root account. A major risk of this methodmeans giving total access of the system to a sin-gle person or multiple people. More recently, Linuxhas made use of specialized, specific privileges forthe system’s administrators through use of the “sudo”command[Shackleford(2017)]. When a user needs toperform maintenance on a system, rather than loggingin as the root user and gaining total control over thesystem, they use the sudo command to gain root levelaccess for only the current command they are attempt-ing to perform. At the time of using the sudo com-mand, a user must provide his own login credentials,and not the root user’s credentials. This means thattotal control is never given to the user, and reduces thelikelihood that the system is either accidentally or ma-liciously tampered with. Furthermore, individual ad-ministrative users can be given different permissionsfor managing the system. For example, some mightonly be able to install software while other administra-tive users may be able to mount disks and view systemlogs. The other advantage of this method is that ad-ministrative tasks link back to the person performingthem, rather than a singular privileged user account.These actions can all be logged so the actions of theprivileged users, which are especially important, canbe monitored[Shackleford(2017)].

6.2 Risks of Full AccessAs it stands, there are many medical devices that donot make proper use of the privileged user method,either from allowing full control to anybody that hasaccess including attackers, mismanaging of adminis-trative permissions, or not properly securing currentadministrator accounts. Even when privileged usersystems are set in place, they are not always secure.Many devices that are already in use make use ofadministrator accounts, but the login credentials formany of these accounts use the default password thatanybody with the manual could lookup and use to gainfull control of the implantable medical device. Whena person gains full access to the device they gain ac-

cess to all of the information and operations of thedevice. This would allow attackers to take advantageof lethal tactics such as administering repeated shocksin a pacemaker or altering the settings of the device tobe inappropriate for the patient or update the firmwareof the device to a version that is more vulnerable toother attacks. In addition to this, an attacker with fullcontrol would be able to alter the log files to makeit appear as though nothing suspicious has occurred.This is especially important, as the information withinthe log files could play a major role in investigationsrelating to device malfunction. Currently, investiga-tors can review the events that previously took placein the case of lethal attacks using implanted medicaldevices, although by allowing attackers to gain fulladministrative access to a device it is possible that asmart attacker would be able to cover up or destroyany trace of wrongdoing[Shackleford(2017)]

7 Other Potential AttacksEven when using proper encryption, authentication,and privileged user security methods wireless devicesof all sorts are still vulnerable to various other typesof attacks. Encryption prevents attackers from eaves-dropping on data travelling to and from the device,authentication ensures communication is from a reli-able source and secure channels prevents replay at-tacks, and proper restriction of administrative rightsprevents attackers from modifying devices and view-ing or altering history logs; however, attackers stillhave the potential to cause the device to malfunctioneven without gaining direct access to it. One methodis to create interference of some sort, blocking anycommunication made to the device. This jammingcould take the form of electromagnetic interferencebeing sent to the device. There is a precedent forelectromagnetic interference being possible to causea device to malfunction, as was shown by researchinvolving the effects of walk through medical detec-tors on the device. It has been shown that over time,the electromagnetic interference created by the metaldetectors were able to cause test devices to malfunc-tion, and attacker’s could possibly use similar technol-ogy to malfunction a target device[Guag et Al(2017)].Another method of blocking access to the device in-volves the use of Dedicated Denial of Service (DDoS)attacks. When attempting to connect to just aboutany device, including implantable medical devices,the attempted connection needs to be checked if it isfrom a legitimate source. DDoS attacks are conductedwhen an attacker makes repeated attempted connec-tions to an individual device that are so plentiful thatthe device is unable to process all the connections and

[ 6 ] .[ 6 ].

[ 6 ].

[ 7 ] .

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

94

Volume 17, 2020

becomes inaccessible[Xie and Yu(2017)]. In 2016,DDoS reached over 100 Gigabits per second, muchgreater than a simple medical device would be ableto handle[Akamai(2016)]. By creating so many il-legitimate connection to the device, it is not able tofind legitimate connections. In a regular setting thiswould create a scenario where the device is inacces-sible which is already bad for various reasons, but inthe case of implantable medical devices DDoS attackscan be much more damaging.

Figure 4: Medical Device Connection with Authenti-cation:DDoS Attack.

Fig. 4. Doctor attempts to make a connection tothe device, but the Attacker has made so many Ille-gitimate connection attempts that the device is unableto find and respond to the doctors connection. Theattacker never gains access to the device, but shutsout others from accessing and drains battery from theImplantable Medical Device. This is because witheach connection the device requires a certain amountof power to check if the connection is real or if it isan illegitimate attack as part of a DDoS attack. Evenif the device turns away all illegitimate connections,it still requires power to filter through them. Thismeans that DDoS attacks, or other repeated connec-tion attacks, against implantable medical devices canquickly drain battery power from the device, caus-ing it to malfunction[Ellouze et Al(2014)]. Prevent-ing DDoS attacks is rather tricky, as need hardly anyinformation to perform one. All an attacker needs isto find the device or server he wants to connect to,and automate repeated attempts to connect to the de-vice. Current DDoS prevention techniques take theform of redirecting traffic during a DDoS attack tosomewhere that can handle the bandwidth traffic suchas an internet service provider or the cloud, but imple-menting these techniques into medical devices seemsrather difficult given the restrictions regarding pro-cessing power and hardware that have already beenan obstacle to cyber security measures being imple-

mented in the devices[Ellouze et Al(2014)]. In thiscase, devices would likely have to be given specialinstructions in handling a DDoS attack, perhaps bytemporarily refusing any outside connections to pre-vent the battery of the device from being forcefullydrained. The downside of this approach is that if thedevice needs to be accessed while it is under attack, itwould not be able to connect while it has temporarilyset itself to refuse connections.

8 Implementation ObstaclesProperly implementing encryption, authentication,and privileged users would greatly increase the secu-rity of implantable medical devices; however, thereare a few reasons they have not already been imple-mented. The medical field is a very divided field withresearch focused all over the place, and each of theseindividual sections of the medical field are very smalland focused on their designated to optimizing and im-proving the performance of the devices they are re-searching. While medical field research is focusedon getting these implantable medical devices as smalland efficient as possible, researching and implement-ing cyber security methods would slow this down. Im-plementing cyber security protocols into a medical de-vice could have a negative impact on the device’s per-formance, and this is often undesirable. Another is-sue is the cost of cyber security research, as only 3%of funding in the medical field goes to cyber security,where on average other fields allot 11% of fundingto cyber security[Woods(2017)]. This means that thecyber security sector of the medical field is extremelysmall in order to physically be placed inside a person’sbody. These reasons account for most of the lack ofsecurity in implantable medical devices, but anotherreason could also be part of the issue: the need for se-curity in implantable medical devices is a concern thathas only applied for the last few years[Woods(2017)].Not too long ago, implantable medical devices weresecure in the idea that the only way to access them wasphysically. It is not until recent advances that medicaldevices such as pacemakers and insulin pumps wereable to take advantage of wireless connections to mon-itor a patient, update firmware, and manage any otherfunctions. Because of this, the security of medicaldevices still remains in a similar state to the securityof computers before cyber security was implemented.During that time, the only security method was hop-ing that people would either not have access to or beuninterested in compromising information. Recently,the need for cyber security within the medical fieldand within implantable medical devices has grown togreater focus. While old devices may still be lack-

[ 8 ] .

[ 9 ] .

[ 10 ] .

[ 10 ] .

[ 3 ] .

[ 3 ] .

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

95

Volume 17, 2020

ing in encryption, authentication, and proper use ofthe privileged user and other security requirements,but going forward new devices are being required tomake use of these security methods by the FDA, FBI,and Department of Homeland Security.

9 ConclusionWhile the medical field has been optimizing im-plantable medical devices in form and function, secu-rity has fallen behind. While it is unlikely for a personto be attacked with lethal intent through compromis-ing a medical device, it still has left many people con-cerned. This is because attacks can often still be tracedeven when performed through these means. What ismore likely to occur is that an attacker will eavesdrop-ping on personal information going to and from thedevice. Wireless connections have only been a part ofmedical implants for a very short period of time, so se-curity measures within the medical field has only beenin demand for an equally short time. Because of this,many devices lack the encryption, authentication, andaccess restrictions that are necessary to protect thesedevices and the information within these devices fromoutside attackers. Even when proper security mea-sures are put into place, the device has to be setup ina way to take full advantage of the implemented secu-rity methods, such as not using default passwords andproperly using a secured channel to prevent replay at-tacks. Designers in the medical field would also berequired to become familiar with cyber security meth-ods, as the implementation of many of these meth-ods has to be taken into account from the beginningof the design process. This is because running secu-rity methods in these devices takes up resources andmemory that used to be dedicated entirely to the per-formance of the device. The guidelines to follow thesesecurity protocols has recently been set by the FDA,so future devices should start using these methods.

References:

[Owens(2016)] Owens B. Stronger rules needed formedical device cybersecurity. The Lancet, Vol.387, 1384, April 2016.

[Aram et Al(2016)] Aram S, Shirvani R, Pasero E,and Chouikha M. Implantable Medical Devices;Networking Security Survey. Journal of Inter-net Services and Information Security, Vol.6, No. 3, August 2016, Pages 40-60. Avail-able: http://isyou.info/jisis/vol6/no3/jisis-2016-vol6-no3-03.pdf

[Woods(2017)] Woods M, Cardiac defibrillators needto have a bulletproof vest: the national securityrisk posed by the lack of cybersecurity in im-plantable medical devices. Nova law review, Vol.41, No. 3, Spring 2017.

[Fergusonet et Al(2010)] Ferguson N, Schneier B,and Kohno T. Cryptography Engineering: De-sign Principles and Practical Applications. Wi-ley, March 2010. ISBN: 978-0-470-47424-2.

[Barand(2017)] Brand A, Medical device security:patient safety and cost considerations. Health-care Financial Management, Feb. 2017, Pages28-33.

[Shackleford(2017)] Shackleford D, Keys tothe Kingdom: Monitoring PrivilegedUser Actions for Security and Com-pliance. SANS Institute, May 2010.Available: https://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890

[Guag et Al(2017)] Guag J, Addissie B, and Wit-ters D, Personal medical electronic devices andwalk-through metal detector security systems:assessing electromagnetic interference effects.Biomedical engineering online, Vol. 16, No. 1,March 2017.

[Xie and Yu(2017)] Xie Y and Yu S, ”Monitoring theApplication-Layer DDoS Attacks for PopularWebsites,” in IEEE/ACM Transactions on Net-working, vol. 17, no. 1, pp. 15-25, Feb. 2009.

[Akamai(2016)] Akamai Releases Third Quarter2016 State of the Internet / Security Report: Q3report highlights a 138 percent YoY increase intotal DDoS attacks greater than 100 Gbps withtwo record DDoS attacks caused by the MiraiBotnet. PR Newswire Association LLC, Novem-ber 2016.

[Ellouze et Al(2014)] Ellouze N, Rekhis S, Al-louche M, and Boudriga N Digital Investi-gation of Security Attacks on Cardiac Im-plantable Medical Devices. October 2014. Avail-able: https://arxiv.org/pdf/1410.4303v1.pdf

[ 1 ]

[ 2 ]

[ 3 ]

[ 4 ]

[ 5]

[ 6]

[ 7 ]

[ 8 ]

[ 9 ]

[ 10 ]

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS DOI: 10.37394/23209.2020.17.10 Steven Suggett, Lucien Ngalamou

E-ISSN: 2224-3402

96

Volume 17, 2020