
AI based Defense Techniques for effective countermeasures against Access Control Attacks on Implanted Medical Devices

Introduction
Information technology, and more precisely information security, holds a novel value in the
modern-day world. As far as health care is concerned, this sector poses some extra challenges due
to sensitivity issues. Health records and the ever-growing use of interoperable devices have come
into wide use. In this category, implanted devices are especially critical, as they may potentially
put patients in life-threatening situations when not properly secured. Medical devices are becoming
important for millions of patients worldwide. Their increasing dependence on software and
interoperation with other devices via wireless communication and the Internet has increasingly made
security a global challenge that needs to be addressed properly. Personal health care systems
based on implantable and wearable medical devices are expected to transform health care by
enabling diagnostics, monitoring, and therapy, and by making these available on a continuous and
personalized basis. A general trend in these systems is towards greater intelligence, fueled by the
use of increasingly powerful embedded processors, wireless communications, and connectivity
to back-end computing infrastructure. Security attacks on personal health care systems are also a
concern: just like general computing technologies, health care may come within the sphere of
attack. The effect of this kind of breach, however, is damaging, as it can enable attackers to make
the device operate in a lethal manner. One such system that is susceptible to attacks is the
glucose monitoring and insulin delivery system. In the US, the Centers for Disease Prevention
and Control estimate that 25.8 million people (8.3 percent of the population) live with diabetes.
Most diabetics use glucose meters and a rapidly growing number of them are using insulin
pumps for therapy. There were around 245,000 insulin pump users in 2005, and the market for
insulin pumps is expected to grow at a compound rate of 9 percent from 2009 to 2016. Major IT
security incidents that affect the general public are almost regularly reported in the media.
Examples include stolen passwords, stolen credit card information, or website availability
problems. The loss, theft, or exposure of personally identifiable information is one major
problem that is also widespread in the health care sector, which accounts for one fifth of all
these reported issues. The FDA collects information regarding reportable issues with medical
devices to capture and identify adverse and unexpected events for a particular device or device
type. Each year, several hundred thousand medical device reports are received about suspected
device-associated deaths, serious injuries and malfunctions. An analysis of these recalls and
events has shown that both the number of recalls and adverse events have increased over the
years. The major reason for recalls involves device malfunctions.
Literature Review
Implanted medical devices (IMDs) are implanted inside the human body for medical purposes. Some types
of IMDs, e.g., pacemakers and ICDs, perform life-saving functions for the patients. The battery
for such devices is required to have a long lifetime, although it is non-chargeable and embedded
in the body. All these specific features of the IMD make its security design more challenging
when compared to security design for a generic wireless device or a wearable health device.
Furthermore, there is a unique challenge in the IMD security design: security versus
accessibility.
In 2012, Burleson et al. surveyed threats and design challenges of three different types of IMD
systems, including insulin pumps, ICDs and implantable bio-sensors. They discussed sound
security principles to follow and some common pitfalls to avoid when designing IMD security
solutions. We know that the IMDs have limited resources, especially their battery. This weakness
can be exploited by adversaries to launch power DoS attacks. This type of attack, although it
will not disclose the patient’s medical data, can still prove harmful to the patient. A
depleted battery requires an operation to replace the IMD during which the patient may suffer.
Therefore, security schemes designed for the IMD should be energy-efficient and must not be
manipulated by adversaries to drain its battery. Hosseini-Khayat proposed a lightweight security
protocol to provide data confidentiality and authentication between the IMD and its base station.
It uses a lightweight block cipher and an improved protocol that does not use
challenge-response. Wireless IMDs, as currently used in medical practice, exhibit many vulnerabilities.
Communication between the IMD and a base-station or programmer device can be intercepted
and, if the signals are not protected by encryption and/or authentication protocols, an attacker can
collect or alter the information, potentially while positioned hundreds of meters away. Even if
protected by encryption, which many existing devices are not, the mere presence and pattern of
such signals can provide information that could be valuable for an attacker. The base-station or
programmer can also be the target of interference; its communications with other devices on a
wireless network (or over the internet) can be collected and altered, and the device can be
compromised through physical or remote introduction of malicious code. This latter issue is of
importance as IMDs are increasingly designed to interface with consumer electronic devices
such as smartphones and tablet computers, opening up the possibility of malware targeting the
consumer device and thereby gaining access to programmer applications that control the IMD.
Potential attacks are not limited to digital systems, with analogue sensor and effector components
of IMDs being vulnerable to spoofing attacks. These technical vulnerabilities are compounded
by the human factor of everyday clinical practice. Lax security procedures when connecting to
hospital networks (e.g. leaving computers unlocked when away from one’s desk), poor interface
designs that make it expedient for clinicians to ignore security features, bad practices such as use
of default passwords on medical devices, and a simple lack of awareness of cybersecurity risks
can all open otherwise securely designed IMDs to potential attack. The consequences of these
vulnerabilities, should they be exploited, are varied and potentially profound. Theft of data and
denial of treatment are possible across almost all wirelessly connected IMDs, with
battery-draining attacks being particularly feasible to conduct and damaging to patient health. Cardiac
implants and implanted insulin pumps can be manipulated to induce cardiac rhythms, or deliver
an insulin bolus, that may be damaging.
Problem Background
An IMD is often described as a device that is placed inside the human body permanently or
sometimes temporarily. The purpose of this device is to treat a patient with a certain medical
condition. With advancing technology, IMDs are becoming capable of communicating
with programmers and are now able to transmit much more, and more accurate, data. With
this, however, come some drawbacks. The attack surface has become much wider, and the safety and
security of IMDs have become much more important.
Security threats faced by modern IMDs fall into six general categories: tampering, spoofing,
repudiation, information disclosure, elevation of privilege and denial of service.

Some threats may affect several properties simultaneously, and a single kind of attack
can be decomposed into several individual threats. There are generally six security
properties to be addressed in an IMD system. They are:
• Authentication
• Integrity
• Non-repudiation
• Confidentiality
• Availability
• Authorization
The identity of the components in an IMD system can be impersonated: the programmer and the
external device can be falsely claimed. Consider an example where a programmer is impersonated.
This will eventually mark the beginning of a privilege attack. Similarly, the data transmitted or
received by the IMD components should be modifiable only by authorized parties. Without
integrity checking mechanisms on IMD data, the data can easily be modified on its way across the
insecure transmission medium. The IMD will then begin accepting malicious inputs, which can lead
to code injection attacks. Another major aspect of security is the precaution that the operations
performed by or on the IMD are logged somewhere. The attacker tends to delete these records in
order to cover her traces. Not all IMDs have logging systems; unfortunately, where they are absent
the attacker can repeatedly try to gain access to the IMD without leaving any trail.
Confidentiality is another important aspect to be taken care of. Data either stored on the device
or communicated over the wireless link should be readable only by the relevant parties. Normally
the parties communicate on the radio channel at 401-406 MHz, and these communications are
exposed to eavesdroppers. If the communications are not encrypted, an attacker can disclose
private information, such as the patient’s medical information. The services provided by the IMD
should always be available to the relevant persons, since these devices treat critical patients
for whom availability is crucial. An IMD can be rendered inaccessible through active jamming of
the radio signals. Besides, the network can be overloaded and flooded with traffic. The intention
could be to block access to the IMD or to drain its battery. Battery drain can cause permanent
failure: the device may switch off, and the patient’s life could be in danger. An operation that
is to be performed by a particular individual or party should not be performable by anyone else;
this is what authorization ensures. For instance, therapy parameters such as current, voltage,
etc. should only be adjustable by the doctors and no one else. In this case, the programming of
the IMD is done by the doctor and the technician from the manufacturing company. Moreover, the
IMD should not be allowed to be switched off unless there is a danger to the patient’s life, and
even then this should be done by the doctor.
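The logging concern above (an attacker deleting records to cover her traces) can be met with a hash-chained log, shown here as an added example that is not part of the original essay or any device's firmware. The record strings, the checkpoint kept by a trusted party and the all-zero starting value are assumptions.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # assumed fixed starting value of the chain


def link(prev_digest, record):
    """Digest that binds one record to everything logged before it."""
    size = len(record).to_bytes(4, "big")
    return hashlib.sha256(prev_digest + size + record).digest()


class AuditLog:
    """Append-only operation log, as it might be kept on the IMD."""

    def __init__(self):
        self.records = []
        self.head = GENESIS

    def append(self, record):
        self.head = link(self.head, record)
        self.records.append(record)

    def checkpoint(self):
        # (count, head) is copied to a trusted party, for example the
        # clinic's programmer at each visit; it stays small however
        # long the log grows.
        return len(self.records), self.head


def verify(records, count, trusted_head):
    """True if the first `count` records are exactly those checkpointed."""
    if len(records) < count:
        return False  # entries were removed from the end
    head = GENESIS
    for record in records[:count]:
        head = link(head, record)
    return hmac.compare_digest(head, trusted_head)
```

Deleting or editing any checkpointed record changes every later digest, so the stored head no longer matches.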
The attackers in IMD-based attacks can be divided into two major categories [1]. One is the
passive attacker, who can only listen to the channel and thereby gain access to the messages
exchanged between the IMD and the programmer. This can threaten authentication and
confidentiality. An active attacker, by contrast, can not only listen to the channel but also [2]
actively participate by sending commands to the IMD, tampering with messages during
transmission, or simply blocking them so that they never arrive. The active attack can be much more
devastating, as it jeopardizes the total functionality of the IMD.
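The checks an IMD would need against the active attacker described above (modified, injected or replayed commands), together with the authorization rule from the previous paragraph, as an added example that is not from the original essay or any real device. The operation names, per-role shared keys and message counter are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Policy from the text: only the doctor adjusts therapy parameters or switches
# the device off; doctor and manufacturer technician may both program it.
# The operation names are hypothetical.
POLICY = {
    "doctor": {"SET_THERAPY", "PROGRAM", "SWITCH_OFF"},
    "technician": {"PROGRAM"},
}


def encode(role, counter, op, value):
    """Length-prefix each field so distinct commands never share an encoding."""
    out = struct.pack(">Q", counter)
    for field in (role, op, value):
        raw = field.encode()
        out += struct.pack(">H", len(raw)) + raw
    return out


def make_tag(key, role, counter, op, value):
    """Programmer side: HMAC-SHA256 over the encoded command."""
    return hmac.new(key, encode(role, counter, op, value), hashlib.sha256).digest()


class CommandGate:
    """Checks run before the IMD acts on a received command."""

    def __init__(self, keys):
        self.keys = keys                    # role -> shared key (assumed provisioned)
        self.last = dict.fromkeys(keys, 0)  # highest counter accepted per role

    def check(self, role, counter, op, value, tag):
        key = self.keys.get(role)
        if key is None:
            return "rejected:authentication"
        expected = make_tag(key, role, counter, op, value)
        if not hmac.compare_digest(tag, expected):
            return "rejected:authentication"  # forged or modified in transit
        if counter <= self.last[role]:
            return "rejected:replay"          # recorded message sent again
        self.last[role] = counter             # authentic and fresh: consume it
        if op not in POLICY.get(role, ()):
            return "rejected:authorization"   # genuine sender, forbidden operation
        return "accepted"
```

The authentication and replay checks come first so that an unauthenticated sender learns nothing about which operations a role is allowed to perform.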
Technical Challenges
In the case of IMDs there are a large number of challenges, but a few important ones are listed below:
• Energy
• Storage
• Computing Power
The attacker himself does not need to come close to the IMD [3]. Depending on the
communication technology used for the radio link, the IMD could be reachable from a
few meters away; hence securing the channel medium has been a key factor. IMDs have restricted
capabilities in three dimensions: energy, storage and computing power. Each of them
has security-related consequences, because it can be misused or because it can limit the
security mechanisms that can be afforded. IMDs are powered by an integrated battery that
supplies energy to all functions incorporated in the device. The battery is a critical part of
the working of the device, and it cannot be replaced frequently without further issues arising.
Moreover, the battery is replaced through a surgical procedure, which carries its own
medical complications. Therefore, battery drainage is itself an issue. Similarly, storage
is an issue in current IMDs, and it is quite limited. The memory is generally used to store
parameters related to the patient’s illness. For example, pacemakers store the patient’s ECG,
which eventually determines whether to apply stimulation. A potential challenge in IMDs is to
have security mechanisms that use as little memory as possible, in order to save it for the
storage requirements of the medical functions of the device. The RAM in the implanted device
could be increased, but this would increase the size of the implant. This is critical, as the
implant is fitted inside the body and cannot be very large. Due to power restrictions,
computing and communication are limited in IMDs. The most expensive task in an IMD is
communication, so if this is minimized, the battery lifetime can be extended.
Future Work
In this section, I shed some light on the different security mechanisms that have been
proposed to thwart security threats and that may be used in future work on securing
these devices.
As far as possible, the inclusion of security measures should not require any modification of the
IMD, as this would mean replacing it and therefore a surgical procedure. The proposed
alternative is the use of an external device to control access to the implanted device;
the external device is not implanted inside the body, and part or all of the security
functions would be delegated to it. This presents several benefits. On one side, the IMD would
save battery, since the security features would be taken care of by an external device. On the
other side, a single device can integrate a number of security capabilities.
References

1. Giraldo, J., et al., Security and privacy in cyber-physical systems: A survey of surveys. IEEE Design
& Test, 2017. 34(4): p. 7-17.
2. Henry, P.S., et al., Method and apparatus for responding to events affecting communications in
a communication network. 2017, Google Patents.
3. Suarez-Tangil, G., et al., Evolution, detection and analysis of malware for smart devices. IEEE
Communications Surveys & Tutorials, 2013. 16(2): p. 961-987.
