Security Review: Edible Chips

By cuijunwu at 6:14 pm on January 16, 2009 | 2 Comments

The California-based company Proteus has created an edible computer chip intended as a new way of monitoring patient drug intake. The process involves two pieces of technology: a small chip containing sensors and a small patch worn by the patient. The chip is attached to a pill, swallowed by the patient, and then activated once it enters the patient’s stomach. Once activated, the chip sends signals to the patch. The patch can track data like heart rate, respiratory rate, temperature, and body angle. This data is then automatically uploaded via Bluetooth to an online repository and given a timestamp. From the convenience of their cell phones or personal computers, doctors can use this data to monitor whether a patient is correctly taking his or her medication or the effects of the medication. This product, named Raisin, is currently in clinical trials.

Assets/Security Goals
– Convenience: If Raisin is working properly, patients do not need to sit and be constantly monitored by healthcare professionals. These patients can continue with their regular routines. Doctors also gain convenience by being able to monitor patient data online.
– Patient’s Health: The patient must ingest a chip and is in constant contact with the patch. Either piece could potentially expose the patient to undesired health risks if they were tampered with.
– Medical information: The data uploaded by the product should be the same data that a doctor sees. The product must be secure enough to prevent someone from altering the data collected from patients.

Potential Adversaries/Threats
– Malicious people: There are two technological components that are in contact with the patient. Manufacturers, employees, or a third party could possibly intercept or alter either piece before it reaches the patient.
– Thieves: There may be people trying to steal the personal and medical information collected by these chips. Perhaps the information could be used to embarrass a patient, or be sold to medical agents with malicious intent.

Potential Weaknesses
– Database: The data might not be encrypted or properly secured in the online database. This could allow an unauthorized person to view a patient’s data.
– Personal Property: Doctors would be allowed to access patient data from their cell phones or computers. If either were stolen it may make accessing the patient’s data easier.
– Data transfer: While the data is being uploaded from the patch to the internet, it could be intercepted by a third party.
– Product transfer: While the product goes from manufacturer to patient, there are many opportunities for a third party to intercept and tamper with it.

Potential Defenses

Since there are multiple levels involved in Raisin, there are multiple defenses that need to be in place. The chip and patch themselves need to be made tamper proof. There needs to be a security seal or check put in place by the manufacturers that lets doctors and other medical professionals know if either product has been tampered with after manufacturing.

The data is uploaded over Bluetooth, which provides authentication and encryption of data. Although it is not completely secure, Bluetooth does provide some protection while the data is being uploaded.

To maintain data integrity there could be policies implemented to potentially limit who can access the information and how they can access it. Perhaps keeping a log of who accesses the data would provide an audit trail in case there is a breach.
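An added example (not from the original post or from Proteus): Bluetooth only protects the hop to the nearest device, so a tag computed on the patch lets the repository detect readings that were altered, relabelled to another patch, or replayed before they arrived. The patch IDs, per-patch keys, field names and message layout are assumptions; the sketch covers integrity only, so confidentiality would still need encryption on top.

```python
import hashlib
import hmac
import json

# Constructed per-patch keys (assumption: provisioned at manufacture, known to the repository).
PATCH_KEYS = {"patch-0001": bytes.fromhex("11" * 32), "patch-0002": bytes.fromhex("22" * 32)}


def seal_reading(patch_id, key, seq, timestamp, reading):
    """Patch side: bind identity, counter, timestamp and readings under one HMAC tag."""
    body = json.dumps({"patch_id": patch_id, "seq": seq, "ts": timestamp, "reading": reading},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"patch_id": patch_id, "body": body, "tag": tag}


class Repository:
    """Server side: verify the tag before trusting any field, then reject stale counters."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # highest accepted counter per patch

    def accept(self, message):
        key = self.keys.get(message["patch_id"])
        if key is None:
            return "unknown-patch"
        expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), message["tag"].encode()):
            return "bad-mac"
        fields = json.loads(message["body"])
        if fields["patch_id"] != message["patch_id"]:
            return "identity-mismatch"  # only reachable if two patches share a key
        if fields["seq"] <= self.last_seq.get(fields["patch_id"], -1):
            return "replay"
        self.last_seq[fields["patch_id"]] = fields["seq"]
        return "ok"


def demo():
    """Constructed scenario: a relay alters, relabels, delivers, then replays one reading."""
    repo = Repository(PATCH_KEYS)
    reading = {"heart_rate": 72, "resp_rate": 16, "temp_c": 36.8, "body_angle": 12}
    msg = seal_reading("patch-0001", PATCH_KEYS["patch-0001"], 1, 1232158440, reading)
    tampered = dict(msg, body=msg["body"].replace('"heart_rate":72', '"heart_rate":55'))
    relabelled = dict(msg, patch_id="patch-0002")
    return [repo.accept(m) for m in (tampered, relabelled, msg, msg)]


if __name__ == "__main__":
    print(demo())
```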

Risks

There are many opportunities for a malicious attack to affect this product. The chip or patch could be intercepted and tampered with before it is used. The patch could be reprogrammed to also send the data to another receiver, or perhaps to alter the data sent. Since both are in contact with the patient’s body, either could be tampered with or coated with something to possibly cause harm to the patient.

The data is also vulnerable to a malicious attacker. Bluetooth is not completely secure and there is the possibility of data being intercepted while it is being uploaded to the internet. Having the data stored online not only allows more doctors to access it, but potentially more adversaries as well.

This technology has the potential to evolve into sensors that can stay in the human body for prolonged periods of time, instead of moving through the digestive system. However, these same risks would still apply.

Conclusion

The security issues with Raisin are not new; they are the accumulation of many other security issues involving databases, Bluetooth, and product tampering. Each of these issues must be addressed in order to ensure the health of the patient and the effectiveness of the product. Even though Raisin is still in clinical trials, these security issues should not be ignored. This technology holds promise for people with chronic diseases, like diabetes, who need constant monitoring, and could facilitate the development of more personalized medication. This potential would be wasted if the patient’s privacy and health were not secured.


2 Comments

  • 1

    Comment by Brent Couvrette

    January 16, 2009 @ 7:34 pm

    One thing I was unclear of when reading the article is exactly how the data gets to the internet. The article says the “information is transmitted via Bluetooth to an online repository”, but Bluetooth is not a technology used to connect to the internet. There would need to be some sort of gateway device, such as a computer or cellphone to get the data to the internet. If the computer had a virus allowing an attacker to access files remotely on the computer, this could be another avenue of attack to maliciously gather the patient’s medical information. If they could modify the data as well, it could lead the doctor to prescribe possibly harmful medicine based on incorrect information. To protect against such a threat, one possible defense would be to apply both a MAC and encryption to the data before it leaves the patch, and only decrypt it when it is on the trusted server that the doctor will be accessing. Granted it is still possible for this server to be compromised, but one would hope that it would be in a data center with a dedicated IT staff working to mitigate such threats.

  • 2

    Comment by liaowt

    January 23, 2009 @ 6:04 pm

    For different patients, I think Raisin should enable sending different signals based on the patient’s requirements, not uploading everything. For example, if that patient only needs to take care of heart rate, then the respiratory rate should not be uploaded automatically. Therefore, this can increase the security of private data.
    Moreover, there should be an agreement or contract between patient and doctor. If the patient takes the drug without being notified by the doctor that there is a small chip, the doctor can get the patient’s private data. The doctor can then use this data to do research without getting permission from the patient. On the other hand, malicious people can create a fake server so that they can receive the signal carrying the patient’s data.
    If malicious people interrupt the signal being sent back to the repository and modify the identity of that patient, then if the patient gets a bad side effect, the doctor may not notice right away. This could be dangerous for the patient. In addition, if healthy people try to take the same medicine, then the doctor might prescribe useless medicine to the patient next time.
