Thursday, October 10, 2013

Use Your Heartbeat as the Password and Prevent Your Heart from Hacking

"We present Heart-to-Heart (H2H), a system to authenticate external medical device controllers and programmers to Implantable Medical Devices (IMDs) including pacemakers and cardiac defibrillators, which are partially or wholly embedded in the human body."

Farinaz Koushanfar, left, an associate professor of electrical & computer engineering at Rice Univ., and graduate student Masoud Rostami have created a system to secure implantable medical devices like pacemakers & insulin pumps from wireless attacks. (Photo by Jeff Fitlow)

So said the researchers, Farinaz Koushanfar, an associate professor of electrical and computer engineering at Rice University, and graduate student Masoud Rostami, in a paper titled "Balancing Security and Utility in Medical Devices?" According to Rice University's news release, they have come up with a secure way to dramatically cut the risk that an implantable medical device (IMD) could be altered remotely without authorization. Pacemakers, insulin pumps, defibrillators and other implantable medical devices often have wireless capabilities that allow emergency workers to monitor patients. But these devices have a potential downside: They can be hacked. Their technology would use the patient’s own heartbeat as a kind of password that could only be accessed through touch. Their research was supported by the Office of Naval Research and Army Research Office.

"Docs warn pacemaker can be hacked" was the headline of a news item on March 13 at NBC News, which cited a report that warned users of one specific pacemaker that their equipment faced the risk of hacking. NBC also presented a video showing this.

Barnaby Jack

In fact, Barnaby Jack, a security researcher who knew the secrets of pacemaker hacking and was going to reveal those secrets at a hacker conference in Las Vegas, was found dead in San Francisco in July this year, only a few days before the conference. He had extensively examined the wireless functioning of these critical life devices - pacemakers and ICDs (implantable cardioverter defibrillators) - in order to find out their vulnerability to hacking using a remote control. His mysterious death raised a few eyebrows over its timing, and some people even pointed fingers at the device makers' lobby as responsible for his death.

According to the Daily Mail, New Zealand-born Barnaby Jack, 35, was going to make a presentation on Hacking Humans. In his presentation he was planning to highlight the shortcomings of commonly used pacemakers by demonstrating how he could hack into them and kill the heart patient from 50ft away with a deadly power surge triggered by a wireless transmitter. According to Barnaby, some pacemakers could be commanded to deliver a deadly 830-volt shock from someone on a laptop up to 50ft away, a result he attributed to poor software programming by medical device manufacturing companies.

Steven Greenberg

Steven Greenberg, M.D., a leading cardiologist and a pioneer in the development and use of pacemakers at St. Francis Hospital’s world-renowned Arrhythmia and Pacemaker Center, was the first physician in the U.S. to implant the FDA-approved Accent™ RF pacemaker, the high-tech device manufactured by St. Jude Medical, Inc.

Dr. Greenberg - who died on Dec. 12, 2012 at 56 - had said at that time: “Wireless communication is used everywhere today. Now, it can help us provide round-the-clock care for our patients through a secure notification system that can be programmed to meet a patient’s specific needs. Rather than checking on a device a few times a year, daily alerts allow me to know about important changes in my patient’s condition or device functions so I can act more quickly in addressing any issues.”

"Cardiac pacing is a proven means of maintaining heart function for patients with various heart conditions. Over 650,000 pacemakers are implanted annually in patients worldwide, including over 280,000 in the United States. Over 3.5 million people in the developed world have implanted pacemakers. Another approximately 900,000 have an implantable cardioverter defibrillator (ICD) or cardiac resynchronization (CRT) device," reveals Daniel M. Storey in his patent application (number: 20130046368) for a related invention.

Heart-to-Heart Presentation by Farinaz and Rostami

Rice University engineers have created a system to secure wireless implantable medical devices like pacemakers and insulin pumps. Their system requires the medical worker to touch the patient with a programmer device to gain access to information on the implant. The patient’s unique heartbeat serves as a temporary password. (Credit: Masoud Rostami/Rice University)

Koushanfar and Rostami will present Heart-to-Heart, an authentication system for IMDs, at the Association for Computing Machinery’s Conference on Computer and Communications Security in Berlin on November 4-8, 2013. They developed the technology with Ari Juels, former chief scientist at RSA Laboratories, a security company in Cambridge, Mass. IMDs generally lack the kind of password security found on a home Wi-Fi router because emergency medical technicians often need quick access to the information the devices store to save a life, Rostami said. But that leaves the IMDs open to attack. “If you have a device inside your body, a person could walk by, push a button and violate your privacy, even give you a shock,” he said. “He could make (an insulin pump) inject insulin or update the software of your pacemaker. But our proposed solution forces anybody who wants to read the device to touch you.”

The system would require software in the IMD to talk to the “touch” device, called the programmer. When a medical technician touches the patient, the programmer would pick up an electrocardiogram (EKG) signature from the beating heart. The internal and external devices would compare minute details of the EKG and execute a “handshake.” If the signals gathered by both at the same instant match, they become the password that grants the external device access.

“The signal from your heartbeat is different every second, so the password is different each time,” Rostami said. “You can’t use it even a minute later.” He compared the EKG to a chart of a financial stock. “We’re looking at the minutia,” Rostami said. “If you zoom in on a stock, it ticks up and it ticks down every microsecond. Those fine details are the byproduct of a very complex system and they can’t be predicted.” A human heartbeat is the same, he said. It seems steady, but on closer view every beat has unique characteristics that can be read and matched. “We treat your heart as if it were a random number generator,” he said.
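The matching step described in the two paragraphs above can be sketched as follows. This is an added illustration, not code from the researchers or from the H2H paper: the choice of feature (low-order bits of inter-beat intervals), the Gray coding, the 25% tolerance, the commit-before-reveal step and all sample numbers are assumptions made for the example.

```python
import hashlib
import hmac

BITS_PER_BEAT = 4    # assumption: keep the 4 low-order bits of each interval
MAX_MISMATCH = 0.25  # assumption: tolerated fraction of differing bits

def interval_bits(intervals_ms):
    """Bit string built from the fine detail of each inter-beat interval."""
    bits = []
    for interval in intervals_ms:
        gray = interval ^ (interval >> 1)  # Gray code: a 1 ms error flips at most one kept bit
        bits.extend((gray >> i) & 1 for i in range(BITS_PER_BEAT))
    return bits

def mismatch_fraction(a_ms, b_ms):
    """Fraction of bits that differ between two readings of equal length."""
    a, b = interval_bits(a_ms), interval_bits(b_ms)
    if len(a) != len(b) or not a:
        return 1.0
    return sum(x != y for x, y in zip(a, b)) / len(a)

def commit(intervals_ms, nonce):
    """Programmer binds itself to its reading before the implant reveals anything."""
    return hashlib.sha256(nonce + bytes(interval_bits(intervals_ms))).digest()

def imd_grants_access(own_ms, commitment, opened_ms, nonce):
    """Implant side: the opened reading must equal what was committed
    and must be close enough to the implant's own simultaneous reading."""
    if not hmac.compare_digest(commit(opened_ms, nonce), commitment):
        return False
    return mismatch_fraction(own_ms, opened_ms) <= MAX_MISMATCH

# Constructed sample data (inter-beat intervals in ms), not real EKG recordings.
IMD_NOW = [812, 797, 845, 803, 826, 791, 838, 809,
           820, 786, 851, 799, 833, 805, 817, 794]
# Same beats seen through touch, with 1 ms sensor error on four of them.
TOUCH_NOW = [812, 798, 845, 803, 825, 791, 838, 809,
             821, 786, 851, 799, 833, 804, 817, 794]
# A reading of the same patient taken at some other time.
STALE = [824, 808, 795, 841, 813, 829, 801, 790,
         847, 816, 802, 835, 792, 822, 810, 839]
NONCE = b"constructed-session-nonce"

if __name__ == "__main__":
    for name, reading in (("touch now", TOUCH_NOW), ("stale", STALE)):
        ok = imd_grants_access(IMD_NOW, commit(reading, NONCE), reading, NONCE)
        print(name, mismatch_fraction(IMD_NOW, reading), "granted" if ok else "refused")
```

The simultaneous reading differs from the implant's in only a few bits and is accepted, while a reading from another moment disagrees on roughly half of the bits, which is what unrelated random bits would do.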

The system could potentially be used with the millions of IMDs already in use, Koushanfar said. “To our knowledge, this is the first fully secure solution that has small overhead and can work with legacy systems,” she said. “Like any device that has wireless access, we can simply update the software.” Koushanfar noted the software would require very little of an IMD’s precious power, unlike other suggested secure solutions that require computationally intensive – and battery draining – cryptography. “We’re hopeful,” she said. “We think everything here is a practical technology.” Implementation would require cooperation with device manufacturers who, Koushanfar said, hold their valuable, proprietary secrets very close to the chest, as well as approval by the US Food and Drug Administration.

But the time to pursue IMD security is here, Rostami insisted. “People will have more implantable devices, not fewer,” he said. “We already have devices for the heart and insulin pumps, and now researchers are talking about putting neuron stimulators inside the brain. We should make sure all these things are secure.”
