Wireless Medical Devices – Is there a Security threat?

Maslow’s hierarchy of needs, depicted in the form of a pyramid, describes how human needs change as life progresses, and how those changes affect individual lifestyle. The external factors that drive this redefinition of “lifestyle” across generations are technological advancement and general prosperity in society.

Wireless is one such technology that touches user lifestyle, from mobile telephony to wireless power in device operation; the very fundamentals of applications have been revolutionized by wireless technology.

Medical electronics, in particular, have benefited from the advancement in wireless communication. Medical devices like pacemakers, defibrillators, implantable drug delivery systems and neurostimulators have made life easier for patients with chronic conditions. More advanced solutions like smart pills and wearable life recorders are designed to revolutionize the way healthcare is provided. The personal healthcare market is being redesigned around wireless technology to suit the demands of users.

As predicted by Parks Associates, the Wireless Homecare Devices US market alone would stand at US $4.4Bn by 2013. According to Booz and Co, the Personal Care and Home Equipment market was US $8.7 Billion in 2007 and would grow to US $14.3 Billion in 2012.

While wireless technology offers ‘ease of use’ to the user, it also exposes him to security issues like eavesdropping, data theft and loss of data integrity.

If some unscrupulous element establishes unauthorized communication with a patient’s implantable drug delivery system, which is controlled by the physician’s handheld unit, and sends a wrong signal to deliver more drugs, the result could be adverse to the patient’s health, even fatal at times.

Or take a hypothetical situation where a diabetic monitors his blood glucose level every day at home and uploads it wirelessly to his personal health record through a wireless web interface. A hacker strikes in between. He exploits the vulnerability in the wireless communication, breaks into the personal health records and departs with the patient’s personal details, like Social Security Number and even credit card details, leaving the patient facing possible identity theft and financial loss.

So does the common man stop using wireless communication altogether? What happens to the lifestyle we are used to? Do we let it go, or do we stay vulnerable to breaches of our security? The debate is still on.

Let’s look at what the government agencies are doing in terms of regulations:

- The FDA has taken steps towards regulating wireless communication in medical devices. The first steps were taken way back in 1998, when DTV signals started interfering with work in a hospital in Texas.

The purview of regulation for the FDA and FCC is broadly divided as follows. General-purpose communications devices are regulated by the FCC. Medical devices that critically monitor patient health or provide treatment or therapy are regulated by the FDA. Devices that provide critical care and also use communications, such as life-critical wireless devices like remotely controlled drug-release mechanisms, are regulated by both agencies. In addition, device applications that would not be governed by the FCC but transmit over wireless networks might warrant FDA oversight, while the FCC might be better placed to assess the reliability of their communications capability.

Present FDA guidelines set out design requirements for wireless medical devices on issues like coexistence of RF and wireless (medical band, Wi-Fi, Bluetooth) and EMI/EMC. While they mention security as a feature, they do not go as far as setting design requirements for it. What the FDA has done, as of July 2010, is jointly organize a public meeting to bring all stakeholders onto the same platform on issues ranging from data integrity, reliability, system security and spectrum allocation to risk management by defining the level of criticality of device function.

Is this good enough from the FDA, or does the FDA need to move fast, proactively rather than reactively, to meet market situations?

Let’s now see what could be a technically possible solution.

We are looking at fulfilling two objectives: conceal “patient device” information and secure the “patient data” communicated through the device. Prior information about the patient device may help an adversary exploit its known vulnerabilities, and “patient data” is highly sensitive information with multiple implications.

Key-based encryption would be the first solution that comes to mind for securing patient data. However, it has been proven vulnerable to data “traffic pattern” analysis. The fallback option is to mask the pattern with cover traffic.

K-anonymous message transmission can also be employed to secure “patient device” information. Here, the adversary can narrow the possible “patient device” down only to a set of size k. Mixes could be used to further anonymize sender traffic.

However, all this would also mean a greater burden on critical device resources like battery life, or would need additional hardware or resources in the device.
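
An added example, not part of the original post: a sketch of the cover-traffic idea above, in which the device sends one fixed-size frame per fixed interval so an eavesdropper sees the same pattern whatever the patient does, with the dummy-frame share showing the battery cost. The frame size, period, function names and sample readings are assumptions constructed for illustration.

```python
from collections import deque

FRAME_LEN = 32  # assumed fixed on-air frame size in bytes (constructed value)

def observe_plain(events):
    """Eavesdropper's view without cover traffic: (time, length) per real message."""
    return [(t, len(p)) for t, p in events]

def send_with_cover(events, period, horizon):
    """Emit exactly one FRAME_LEN frame every `period` seconds up to `horizon`.

    A queued real payload is padded to FRAME_LEN; an empty slot carries a dummy.
    Frames are assumed to be encrypted before transmission (a real design also
    carries a length field inside the ciphertext), so the observer learns only
    time and length. Returns (observer_view, stats).
    """
    pending = deque(sorted(events))
    queue, view = deque(), []
    real = dummy = max_delay = 0
    for slot in range(0, horizon, period):
        while pending and pending[0][0] <= slot:
            queue.append(pending.popleft())
        if queue:
            t, payload = queue.popleft()
            if len(payload) > FRAME_LEN:
                raise ValueError("payload exceeds frame size; fragment it first")
            frame = payload.ljust(FRAME_LEN, b"\x00")
            real += 1
            max_delay = max(max_delay, slot - t)  # latency cost of slotting
        else:
            frame = bytes(FRAME_LEN)              # dummy: pure battery cost
            dummy += 1
        view.append((slot, len(frame)))
    stats = {"real": real, "dummy": dummy, "max_delay_s": max_delay,
             "undelivered": len(queue) + len(pending),
             "overhead": dummy / max(1, real + dummy)}
    return view, stats

# Constructed sample: two patients' glucose-meter uploads as (seconds, payload).
PATIENT_A = [(5, b"glucose=110"), (65, b"glucose=180"), (70, b"glucose=240")]
PATIENT_B = [(300, b"glucose=95")]

if __name__ == "__main__":
    print("plain:", observe_plain(PATIENT_A), observe_plain(PATIENT_B))
    for name, ev in (("A", PATIENT_A), ("B", PATIENT_B)):
        view, stats = send_with_cover(ev, period=30, horizon=600)
        print(name, len(view), "frames", stats)
```

With these constructed inputs the two patients are indistinguishable on the air, but 85% to 95% of the transmissions are dummies, which is the resource burden the paragraph above refers to.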

The HCL solution team is closely monitoring the developments in the industry and is studying changes as industry leaders deliberate on the possible options. Important questions to be answered are how much is desirable and how much is too much. This is critical to set the perspective in this context. What do you think?


  1. October 18th, 2010 at 12:39 | #1

    Hi Arindam,

    The market research on wireless security for med devices done by you is really appreciable.

    It’s true that battery life and data traffic are real challenges for such devices, but apart from that I feel we also need to look into the availability of memory to port the security features and the response of the memory chip, because with a high refresh rate memory chip you can achieve real-time performance.

    So, the selection of the memory should be such that it provides minimum space for the security algorithms along with other applications and does not drain the battery to achieve the real-time performance.

    Thanks & Regards,
    Sourabh Kumar Biswas

  2. October 18th, 2010 at 14:28 | #2

    thanks for the post

  3. Ananya Roy
    October 18th, 2010 at 15:15 | #3

    Interesting Article.
    Heartening to know that the Medical Companies are willing to focus on the patients’ rights and their safety (in terms of breach of mental peace) as well. Regarding the FDA and their guidelines and rules, I think most of the general population have started to lose their faith in their judgmental capabilities as it too is a money making enterprise. It is time we take responsibility for our own lives and safety. And if Medical companies viz HCL and others indulge themselves in matters of patient safety and optimum product output (making money with care), patients will feel much relieved to be in good hands.

  4. Chinmay
    October 18th, 2010 at 15:17 | #4

    Very Interesting & informative Blog Arindam..
    Though implementation of high end security algorithms & systems for the wireless medical devices is a subject of debate, one cannot ignore the potential risks involved in keeping such wireless communication unsecured!

    While you mentioned the Home Care Segment as one of the important segments for implementation of wireless security, I also feel that it’s the wireless communication within the hospital environment where the requirement of wireless security might be stronger. This is mainly because the hospital environment is an easy spot for a hacker to get multiple patients’ information. The wireless range at which these hospital devices will operate is more susceptible to hacking, as it can go beyond the walls of a normal patient room, and the magnitude of harm one can do to the patient is greater in hospital-based devices. Plus, in the current scenario, such wireless device solutions are implemented widely in hospitals.

  5. October 19th, 2010 at 12:47 | #5

    Arindam, it is a very interesting blog.

    It requires immediate attention by various players of the medical industry community as described below…

    I feel a lot more focus needs to be given by the medical device companies and standards bodies to ensuring there is a security aspect in place, and by regulatory bodies to enforcing the presence of these security aspects in every medical device that is available in the market. As you have rightly indicated, the trust lies on regulatory bodies and I believe they are in the process of coming up with more precise definitions necessary for security in the near future, which would then be mandated on by the medical device manufacturers.

    Also, the upcoming standards like IEEE 802.15.6 (Wireless Body Area Networks) have given a lot of thought to this subject and have a separate section dedicated to wireless security aspects, including secure key management procedures. I also feel it is the right time for medical device companies to start playing a significant role in implementing the security aspects currently in place, and for design services companies like HCL to provide quick time-to-market solutions in the wireless medical device security space.

  6. Dr.Rajiv
    October 19th, 2010 at 18:56 | #6

    Hello Arindam,

    I like the way you have gone about the blog. I do have a couple of questions.
    Q1. Are we skipping slots [I mean, are we prematurely climbing up Maslow’s pyramid]?
    Q2. I am sure there will be a hype curve for this market too; any idea which phase it is in?
    Q3. I do agree with Chinmay’s view that hospital devices are more vulnerable, and I want to know whether there is going to be a different approach to personal & hospital devices or whether it is going to be one big solution.
    Q4. Has there ever been a reported case of foul play in wireless devices?

  7. Arindam
    October 19th, 2010 at 23:52 | #7

    Hi Rajiv
    Very Good Questions. Please find below my replies.

    A1. By referring to Maslow’s Pyramid, I have tried to highlight the changing nature of human needs and its impact on lifestyle. I believe good health will very much feature in all stages: physiological, safety, belonging, esteem and self-actualization.

    A2. I am very happy to answer this. As per Gartner’s “The Hype Cycle for Healthcare Provider Technologies and Standards..”, security and authentication lies in between the “trough of disillusionment” and the “slope of enlightenment”.

    You may refer to the link below for further understanding:
    http://www.gartner.com/it/content/1100100/1100113/82109.pdf

    Also, you have to see this need for security in conjunction with other technology developments like Home Health monitoring which, as per Gartner, lies between the “peak of inflated expectations” and the “trough of disillusionment”.

    A3. Security as a concern is universal. However, I see two different solution approaches for Personal Healthcare Devices and Patient Care Hospital Devices.
    From an embedded technology solution point of view, Personal Healthcare devices pose more challenges.

    Factors I want to highlight here are:
    • Form factor
    • Device resources like – computing power (processor), memory
    • Cost sensitivity.

    A4. Yes.

    More than 122 medical devices were affected by malware in the last 14 months, according to a U.S. Dept. of Veterans Affairs official. (This is June 2010 news.)

    You may refer to the link below for more info:

    http://www.massdevice.com/news/va-medical-device-security-breaches-threaten-patients

    @Dr.Rajiv

  8. Arindam
    October 20th, 2010 at 00:04 | #8

    Hi Sourabh

    You are correct. We can choose high-end resources to boost performance.
    However, the challenge would be to maintain the fine balance between performance and cost.
    @Sourabh Kumar Biswas

  9. Arindam
    October 20th, 2010 at 00:09 | #9

    Hi Ananya

    I appreciate your reflection of the consumer viewpoint.

    A proactive approach would be more desirable than a reactive one.

    However, the point here is that all the OEMs have to take their product/solution thru the FDA before it can be launched in the market for consumers.

    @Ananya Roy

  10. Arindam
    October 20th, 2010 at 00:28 | #10

    Absolutely correct Chinmay.

    Hospital devices are too vulnerable to security breaches.
    I believe devising a security solution for the hospital environment would be less technically challenging compared to the home environment, based on the sheer volume of resources at disposal.
    A token-based authentication from the Hospital IT team could be one of the possible solutions.

    @Chinmay

  11. Arindam
    October 20th, 2010 at 00:37 | #11

    Thanks Dr Rangaraj for sharing the details on WBAN. Can you please let us know if it caters to the hospital environment or the personal healthcare domain?
    @Dr G V Rangaraj

  12. October 20th, 2010 at 12:03 | #12

    WBAN is expected to act as a replacement for the Zigbee networks used in the healthcare industry and hence would cater to both the hospital environment and the personal healthcare domain. There is a separate provision in the standard for implants, which is primarily in the personal healthcare domain, apart from which I feel there will be more focus towards the hospital environment.