The unique security challenges of implantable medical devices.
India has observed an alarming number of cybersecurity-related incidents—the number stands at 1.4 million incidents in 2021 and 212,000 incidents in January and February 2022 alone. The new cybersecurity directions from the Indian Computer Emergency Response Team (CERT-In) has implemented a new cybersecurity framework to counter threats and breaches in India. The purpose is to address the country’s gaps and loopholes to maintain cybersecurity regulations – across all sectors, including healthcare.
In the healthcare sector, implantable medical devices have been saving lives since the first pacemaker was installed in 1958 – that’s over half a century. Breakthroughs are being made nearly every day. A few examples of implantable medical devices in use now include deep brain stimulators for patients with epilepsy or Parkinson’s disease, drug delivery systems using infusion pumps and various sensors to collect and process vital signs. Increasingly, medical implants have internet connections, allowing healthcare providers to download data and programmers to update the software.
That connection can make patients vulnerable to attacks, which may be exacerbated by constraints of the device itself: limited computing power and battery capacity. According to HIMSS Cybersecurity Survey Report 2021, the most substantial security incidents are typically phishing attacks (45%) or ransomware attacks (17%).
Let’s have a look at the various possibilities of security attacks challenging patient safety:
TINY, ENCRYPTED COMMUNICATIONS
Communications between an implantable device and the laptop, phone, tablet, or device it is connected to often aren’t encrypted. The devices are small and may not have enough computing power to employ certain types of encryptions. But that may be changing as awareness of potential security risks grows. Researchers are now actively exploring using the body’s data to form the cryptographic key both devices will use to establish secure communications. Various researchers have tabled the use of electrocardiogram data as a benchmark for communications between medical sensors. Using signals from the body, a form of biometrics establishes a secure connection with limited computing resources.
Implants are also susceptible to battery attacks, which can come in two forms. An attacker can request the implant to establish a secure channel using incorrect credentials, which causes implants to run part of an energy-consuming authentication protocol. This drains the battery. In another attack, the bad actor generates electromagnetic noise to cause high error rates at the implant transceiver. This increases its energy consumption due to an increased number of free transmissions. The increased noise may also increase the implant’s transmission power, reducing battery life. While these types of attacks are largely theoretical, they have been shown to be feasible through several demonstrations by security researchers. And in some cases, individuals have even had wireless connectivity to their implants disabled to prevent the attack. “It’s one of the easiest to mount highly effective attacks,” said Shally Gupta, an IEEE Graduate Student Member. Gupta said to defend against these attacks’ device makers are increasingly turning to zero-power defence strategies – defence that don’t rely on the device’s battery power. One example turns the attack on its head. “The Implantable Medical Device (IMD) first harvests energy from wireless messages received from the external entity and then performs the authentication operation using this free energy. The IMD does not switch to its main battery for subsequent operations until and unless the external entity is authenticated. This ensures that the IMD does not deplete its battery responding to bogus messages from entities.”
Compromising personal and patient safety and wellness becomes problematic, unfolds vulnerabilities, and exposes patients and consumers to using specific devices and applications. Advancing security mechanisms can easily identify medical devices, suspect their vulnerabilities, and ensure non-intrusive security for enhanced patient satisfaction. Cybersecurity also keeps patient information confidential for legal purposes, preventing cybercrimes, as the International Journal of Research in Engineering, Science and Management, India suggested.