Kevin Fu Assistant Professor Department of Computer Science University of Massachusetts Amherst


Implantable Medical Devices: Security & Privacy for Pervasive, Wireless Healthcare
Kevin Fu, Assistant Professor, Department of Computer Science, University of Massachusetts Amherst
http://www.cs.umass.edu/~kevinfu/
Dartmouth College Computer Science Colloquium
UNIVERSITY OF MASSACHUSETTS AMHERST Department of Computer Science

Many Collaborators
- William H. Maisel, MD, MPH: Director, Pacemaker and Defibrillator Service, Beth Israel Deaconess Medical Center; Assistant Professor, Harvard Medical School
- Tadayoshi Kohno: Assistant Professor, CSE, University of Washington
- Students: Shane Clark, Benessa Defend, Tamara Denning, Dan Halperin, Tom Heydt-Benjamin, Andres Molina, Will Morgan, Ben Ransford, Mastooreh Salajegheh

Risks of Implantable Medical Devices: Just Add Internet + Wireless
(Heart image from www.nasaexplores.com)

IMD Security & Privacy is Hard (outline)
- Background: unintentional medical malfunctions; intentional medical malfunctions
- Pacemaker & Implantable Cardioverter Defibrillator (ICD)
- Security analysis of a pacemaker/ICD: violate patient privacy; induce a fatal heart rhythm
- Defensive methods: protect the battery; proper use of cryptography
- The Future

Unintentional Malfunctions in Medical Care

Unintentional Accidents (IEEE Computer, 1993)

Malfunctions

Reprinted with permission from JOURNAL OF PACING AND CLINICAL ELECTROPHYSIOLOGY, Volume 25, No. 12, December 2002. Copyright 2002 by Futura Publishing Company, Inc., Armonk, NY 10504-0418.

Changing Trends in Pacemaker and Implantable Cardioverter Defibrillator Generator Advisories
WILLIAM H. MAISEL, WILLIAM G. STEVENSON, and LAURENCE M. EPSTEIN
From the Cardiac Arrhythmia Service, Cardiovascular Division, Department of Medicine, Brigham and Women's Hospital, Boston, Massachusetts

MAISEL, W.H., ET AL.: Changing Trends in Pacemaker and Implantable Cardioverter Defibrillator Generator Advisories. Pacemaker and implantable cardioverter defibrillator (ICD) generator recalls and safety alerts (advisories) occur frequently, affect many patients, and are increasing in number and rate. It is unknown if advances in device technology have been accompanied by changing patterns of device advisory type. Weekly FDA Enforcement Reports from January 1991 to December 2000 were analyzed to identify all advisories involving pacemaker and ICD generators. This article represents additional analysis of previously cited advisories and does not contain additional recalls or safety alerts over those that have been previously reported. The 29 advisories (affecting 159,061 devices) from the early 1990s (1991-1995) were compared to the 23 advisories (affecting 364,084 devices) from the late 1990s (1996-2000). While the annual number of device advisories did not change significantly, ICD advisories became more frequent and a three-fold increase in the number of devices affected per advisory was observed. The number of devices affected by hardware advisories increased three-fold, due primarily to a 700-fold increase in electrical/circuitry abnormalities and a 20-fold increase in potential battery/capacitor malfunctions. Other types of hardware abnormalities (defects in the device header, hermetic seal, etc.) became less common. The number of devices recalled due to firmware (computer programming) abnormalities more than doubled. The remarkable technological advances in pacemaker and ICD therapy have been accompanied by changing patterns of device advisory type. Accurate, timely physician and patient notification systems, and routine pacemaker and ICD patient follow-up continue to be of paramount importance. (PACE 2002; 25:1670-1678)

Keywords: pacemakers, defibrillation, epidemiology, postmarket surveillance

Address for reprints: William H. Maisel, M.D., M.P.H., Cardiovascular Div., Brigham and Women's Hospital, 75 Francis St., Boston, MA 02115. Fax: 617-732-7134; e-mail: wmaisel@partners.org
Received April 30, 2002; revised July 17, 2002; accepted September 12, 2002.

Introduction
Pacemaker and implantable cardioverter defibrillator (ICD) generator recalls and safety alerts (collectively referred to as "advisories") occur frequently, affect many patients, and are increasing in number and rate. [1] The US Food and Drug Administration (FDA) is responsible for the safety and oversight of medical devices in the United States. FDA Enforcement Reports are issued to report advisories, including those involving pacemaker and ICD generators. These advisories are issued to notify physicians and patients of the potential for device malfunction. [2] While pacemaker and ICD advisories are common, actual device malfunctions are relatively rare. Nevertheless, advisories increase patient anxiety and increase utilization of hospital resources. [3,4]

A number of advances in device therapy occurred during the 1990s. Pacemakers now routinely provide features to preserve battery life, promote physiological pacing, and provide increased diagnostic capabilities. ICDs continue to shrink in size while maintaining their battery life and high energy capabilities. In addition, they have increasingly sophisticated algorithms for tachyarrhythmia detection and now have the potential to treat atrial and ventricular arrhythmias. Pacemaker and ICD generator advisories are most often issued because of potential hardware or firmware (computer programming) malfunctions. [1] This study was undertaken to determine if advances in device therapy have been accompanied by changing trends in advisory type. This article represents additional analysis of previously cited advisories and does not contain additional recalls or safety alerts over those that have been previously reported. [1]

Methods
The authors' methods have been previously described in detail. [1] The number of pacemaker and ICD advisories was determined by reviewing all weekly FDA Enforcement Reports from January 1991 through December 2000 and verifying all recalls and safety alerts with the manufacturer when possible (Tables I and II). [5-10] Only advi-
1670 December 2002 PACE, Vol. 25, No. 12

Wardrobe Malfunctions

Is a malicious intentional malfunction a risk of real concern?

The Tylenol Scare of 1982 (source: truTV Crime Library)

Bad People Do Exist

Background: Pacemaker & Defibrillator 101

Networking + Wireless! (Photos from Medtronic)

Pacemakers: Regulate heartbeat
Energy spent on radio, computing, etc. (overhead) > energy spent on pacing!

ICDs: Resynchronize the heart
- Implantable Cardioverter Defibrillator (ICD)
- Related to pacemaker
- Large shock: resync heart
- Monitors heart waveforms

Our Tested Pacemaker + ICD
Physical characteristics:
- ~5-year battery
- Waveform memory
- Radio interface w/ programmer
Therapies:*
- Steady pacing shocks
- 35 J defibrillation shocks
* detail in [Webster, 1995]

Implantation Scenario
1. Doctor sets patient info
2. Surgically implants
3. Tests defibrillation
4. Ongoing monitoring
Device programmer; home monitor. (Photos: Medtronic; video: or-live.com)

At Home: Wireless + Internet (home monitor)

What's special about security?

Correctness is easy. Security is hard. (Photo by Kevin Fu)

Computer Security
- Computer Security (informal definition): study of how to design systems that behave as intended in the presence of determined, malicious third parties
- Security is different from reliability: the malicious third party controls the probability distribution of malfunctions
- Security researchers focus on understanding, modeling, anticipating, and defending against these malicious third parties
[This description drawn from the work of Prof. Yoshi Kohno with permission]

Our Security Analysis of a Pacemaker + ICD

Method #1: Steal Device Programmer
- Insider attack
- Thief can reverse engineer, modify...
- Risk: get root on many implants
Issue: ICD's trusted computing base is large. (Photo: Medtronic)

Why Steal When You Can Build?
Software radio:
- GNU Radio software, $0
- USRP board, $700
- Daughterboards, antennas: $100
~10 cm (un-optimized)

Method #2: Eavesdrop Private Info
- Implanting physician
- Diagnosis
- Hospital
Also: device state, patient name, date of birth, make & model, serial no. ... and more

Method #2: Eavesdrop Private Info
In the future: sophisticated devices may divulge a lot more data.
Challenge: Can we add encryption? (Photo: Medtronic)

Method #3: Sniff Vital Signs
[Figure: eavesdropping setup; plot of the reconstructed waveform]
ICD emits reconstructible vital signs.
Issue: Vital signs can say plenty.

Methods that Replay Traffic
Ours: deaf (transmit-only) attacks
Caveats: close range (~10 cm); only one ICD model tested; attacks not optimized; takes many seconds (Photo: Medtronic)

Method #4: Drain Energy
- Implant designed for infrequent radio use
- Radio decreases battery lifetime
"Are you awake? Are you awake?" ... "Now I am!"

Method #5: Turn Off Therapies
- Stop detecting fibrillation.
- Device programmer would warn here
Issue: Can quietly change device state.

Method #6: Affect Patient's Physiology
- Induce fibrillation, which implant ignores
- Again, at close range
- In other kinds of implant: flood patient with drugs; overstimulate nerves, ...
Issue: Puts patient safety at risk.

Defensive Direction: Zero-Power

Prototype Defenses
- Focus on sleep deprivation
- In zero power (harvested RF energy)
- Challenge-response authentication
- Patient notification mechanism
- Sensible key exchange
- Human is in the loop

Prototype defenses against some of the attacks. Main idea: defend without using battery.

B.Y.O.P.
- WISP = RFID + computation [Ubicomp 06]
- WISPer = WISP + our code
- Maximalist crypto [RFIDSEC 07]
- Prototype: 913 MHz RFID band
Goal: External party pays for power.

Patient notification
[Diagram: "Auth"; buzzer "BZZZZZZZZZZZZZZZ"; "Go ahead!"; ICD]

WISPer as Gatekeeper
- Authenticate against WISPer
- WISPer to ICD: radio use OK
- Acoustic patient notification
- How to deter enemies? (Open question!)
[Diagram: 1. External party -> 2. WISPer -> 3. Implant]

Sensible key exchange
[Diagram: session setup; programming head over ~1 cm of tissue; key material modulated onto a ~4 kHz acoustic wave to the ICD]

Testing WISPer: Simulated Torso
[Diagram: 1 cm bacon over the WISPer, 6 cm chuck]
Energy harvesting through tissue is possible.

How WISPer Could Work
- Auxiliary device (possibly integrated)
- Audible or tactile patient alert
- Patient detects activity: am I in a clinic?
- Fail open: sensible, tactile key exchange
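The gatekeeper idea on the slides above (WISPer authenticates the external party on harvested power, tells the ICD that radio use is OK, and buzzes the patient on every attempt) as a small simulation added here; it is not the authors' WISPer code. It assumes HMAC-SHA256 challenge-response over a pre-shared key (the slides' acoustic key exchange is assumed, not modelled) and constructed energy figures, and contrasts the battery spent under the "Are you awake?" probing of Method #4 with and without the gate.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed energy figures in millijoules; the slides give no numbers for the tested ICD.
RADIO_WAKE_COST_MJ = 5.0   # ICD battery spent each time its radio answers a probe
ICD_BUDGET_MJ = 100.0      # battery budget for the demo

@dataclass
class Icd:
    """Battery-powered implant: every radio wake-up is paid for by the battery."""
    energy_mj: float = ICD_BUDGET_MJ
    radio_enabled: bool = False   # true once the radio has been switched on

    def wake_radio(self) -> None:
        self.radio_enabled = True
        self.energy_mj -= RADIO_WAKE_COST_MJ

@dataclass
class Wisper:
    """Gatekeeper running on harvested RF energy, so it costs the ICD no battery. Holds a
    key shared with the programmer (the slides' acoustic through-tissue key exchange is
    assumed to have happened and is not modelled). Hypothetical model, not WISPer firmware."""
    key: bytes
    buzzes: int = 0                  # audible patient notifications issued
    pending: Optional[bytes] = None  # outstanding challenge nonce

    def challenge(self) -> bytes:
        self.buzzes += 1             # the patient hears every authentication attempt
        self.pending = os.urandom(16)
        return self.pending

    def verify(self, response: bytes, icd: Icd) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None          # a nonce is usable once, so a captured response cannot be replayed
        if hmac.compare_digest(expected, response):
            return True              # "WISPer to ICD: radio use OK"
        return False

def respond(key: bytes, nonce: bytes) -> bytes:
    """Programmer side of the challenge-response: HMAC-SHA256 over the nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def simulate(probes: int, gated: bool, knows_key: bool = False) -> Tuple[float, int, bool]:
    """Send `probes` wake-up attempts ("Are you awake?") to one ICD.
    Returns (ICD battery spent in mJ, patient buzzes, whether the ICD radio was ever switched on)."""
    key = b"constructed-shared-key"
    icd = Icd()
    if not gated:                     # Method #4 against an unprotected ICD
        for _ in range(probes):
            icd.wake_radio()          # "Now I am!" on every probe, authenticated or not
        return ICD_BUDGET_MJ - icd.energy_mj, 0, icd.radio_enabled
    gate = Wisper(key)
    for _ in range(probes):           # every probe is absorbed by the harvested-power gate
        nonce = gate.challenge()
        if gate.verify(respond(key if knows_key else b"wrong-key", nonce), icd):
            icd.wake_radio()          # only an authenticated session costs battery
    return ICD_BUDGET_MJ - icd.energy_mj, gate.buzzes, icd.radio_enabled
```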

IMDs + Wireless + Internet: The Future

Future Home Care (Sacramento Bee, May 17, 2008)
"Yet some remarkable changes are on the horizon, said Dr. Larry Wolff, a UC Davis Medical School professor who specializes in implanting defibrillators. 'I believe over time we could make programming changes on the telephone,' he said, although that's not possible now."

Future Healthcare Infrastructure
http://www.thei3p.org/repository/whitepaper-protecting_global_medical.pdf

Going the Distance
"Eventually, Vanu's [software radio] technology could be used to create a phone."

Future Threats
- Viruses? Software updates? SQL injection? Buffer overflows?
- Radio as infection vector?
- Computer viruses, full circle?
(Image credit: Health & Development Initiative, India)

Achoo! (The Weekly World News: the only reliable journal)

Non-Technical Challenges
- Manufacturers beholden only to regulators
- Remit to regulate safety & effectiveness, but not security & privacy in U.S.
- Unfinished legislation (U.S. Medical Device Safety Act of 2009)
- No database of ICD reprogrammers: thousands of reprogrammer consoles; no way to check if an adversary has one

Medical Device Trends
- Further computerization of care
- Longer range communication
- Tight integration with the Internet
- Cooperation among devices
Issue: These trends breed S&P risks that must be kept in check.

Summary of IMD Sec. & Priv.
Risks today: unintentional interference
- Threats: metal detectors, accidents, misidentification
- Metric of evaluation: safety and effectiveness
- Significance: risks increase with device complexity
Coming risks: intentional interference
- Threats from wireless and Internet connectivity
- Metric of evaluation: security and privacy
- Significance: risks increase with communication complexity
- Malware: human-computer-immunodeficiency (HCI) virus?
- Tough problems: software updates, remote monitoring, ...

Challenging Technology Landscape!
Competing concerns: auditability; safety (open access); patient usability; high impact; psychological effects; security (closed access); IMD response time; storage constraints; battery life

Wireless + Internet Can Improve Healthcare
But not without fully understanding security and privacy.
Examples: insulin pump, artificial pancreas, neurostimulators, artificial vision, obesity control, programmable vasectomy (Photos: Medgadget)

For More Information
Links on secure-medicine.org and bing:kevin fu
- New England Journal of Medicine
- Neurosurgical Focus
- CACM Inside Risks Column
- Design of Medical Devices Conference
- USENIX Workshop on Power Aware Computing and Systems (HotPower)
- American Heart Association Annual Scientific Sessions
- USENIX Workshop on Hot Topics in Security (HotSec)
- IEEE Symposium on Security and Privacy
- IEEE Pervasive Computing, Special Issue on Implantable Electronics
- Conference on RFID Security