Recently an MIT research team has developed a smart pillbox to help combat the problem of patients failing to take their medication at prescribed intervals. This problem of over/underdosing of the drug by the patient accounts for ~10% of hospital visits every year. To combat this problem the MIT research team has developed a smart pillbox, the “uBox” which stores and dispenses two weeks worth of medication and alerts the user to take the medication with an alarm. In addition the box records the exact time that the pills are taken and prewvents over dosing by only dispensing medication once per day. The smart pillbox then also communicates with a second component, dubbed the “uPhone” which can download the patients dosing information and configure the pillbox. The uPhone also records patient data collected by special software including temperature, weight, symptoms and answers to diagnostic questions. This information is then forwarded to a centralized location over the air so doctors can analyze the dosage patterns and overall health of a patient to determine effectiveness of a treatment.
Assets:
- Health of the patient, the primary goal of this pillbox is to help increase effectiveness of drug treatments.
- Patient information, the uBox collects timing data while the uPhone collects other medical information that should be kept private.
- Medication in the uBox, certain medications are quite expensive.
- Patient’s privacy, a patient may not want to follow the treatment for some reason.
Potential Adversaries/Threats:
- Drug companies might want to gain access to this information directly for purposes of increasing sales of a drug.
- Insurance companies might want to gain access to the information to determine whether or not to insure a particular patient.
- An enemy might want to harm the patient by over/under dosing the patient.
- The patient might desire more or less drugs than prescribed.
Weaknesses:
- The data collected by the uPhone is transmitted over the cell phone to some server, if this information isn’t encrypted before transmission then it could be easily accessed.
- The programming of the uBox occurs via cell phone, what happens if say the communication protocol were discovered and the uBox could be programmed to do whatever an attacker wanted to do.
- Collecting data on a cell phone, a very small device puts a large amount of information at risk, if the phone were lost/stolen an attacker could fabricate false information or access the data stored on the phone.
- While the uBox dispenses the drugs a day at a time, it really doesn’t look like it provides that big of a defense against a physical attack (i.e. screwdriver, hammer, etc)
Potential Defenses:
- Encryption of all the communications between the uBox, uPhone and server should all be encrypted. By encrypting these communications the data transmitted will be protected as well as the configuration of the uBox since only authorized users could program the uBox.
- Have the uPhone only forward information to the server, ensure that no data is actually stored on the phone.
- Strengthen the physical structure of the uBox, although a balance must be achieved between size and strength.
Conclusion:
The uBox/uPhone together look like a promising tool for dealing with drug delivery and effectiveness monitoring for doctors. However many measures must be taken to ensure the integrity and privacy of the data being transmitted between all the components of the system. As medical devices become increasingly connected with one another, the transmission of the data securely becomes the largest security issue being faced today.
Original article here