Security Review: Implantable Drug Delivery Device

By Orion at 9:08 pm on January 16, 2009 | 4 Comments

Companies such as the Massachusetts-based biotech company MicroCHIPS are developing what they call “intelligent implanted devices” for long-term internal patient monitoring and treatment. Patients who would normally require frequent blood tests, monitoring, or drug injections can instead have a device implanted which is able to deliver doses of drugs on command or at regular intervals, as well as monitor the patient and transmit this data to a receiver. These devices tend to be made of titanium and are currently about the size of an Oreo cookie, but miniaturization is in the works. They have many potential uses, such as continuous glucose level monitoring for diabetic patients; needle-less, pain-less insulin injections on command; scheduled, decreasing doses of morphine for recovering addicts; scheduled and targeted chemotherapy; and frequent, regular release of anabolic agents to treat osteoporosis. A possible cause for concern is that the MicroCHIPS device can currently be activated and signaled to release drug doses over a wireless link.

Assets and Security Goals

  • If the device works properly, it can provide monitoring which, although initially more invasive, could be much less damaging and more convenient for the patient in the long run. Further, the more frequent the monitoring, the better the treatment can be.
  • Drug dosing regimens are constrained by how often injections can be made and how much drug can be injected at a time. With an implanted device, however, smaller doses can be given more frequently (which is much safer because it stabilizes the level of drug in the system) and more conveniently (no shot required).
  • The device needs to ensure that drug dosing is performed exactly as specified and should be resistant to software and hardware malfunctions, especially those which could cause too much or too little drug to be delivered, a potentially fatal error.
  • The device needs to ensure that the wireless link is secure so that only authorized individuals can activate it or cause it to deliver a drug dose. Otherwise, a third party could trigger all reservoirs of the drug to be released at once, potentially killing the patient.

Adversaries and Threats

  • The patient is a potential adversary, especially in cases of drug addiction rehabilitation. It used to be the case that the drug reservoir was not enclosed in a metal case, but after having their device filled with morphine, addicts used needles to draw the drug out of this reservoir and inject it all at once to get high. Further, the patient may try to activate drug delivery more often than is safe.
  • Another adversary is a third party attacker who either desires to eavesdrop and collect the monitor output of the device (for later analysis, publication, or sale) or maliciously tamper with the operation of the device (wirelessly or physically).
  • An additional threat is the effect of the environmental electromagnetic fields experienced in daily life. The device's operation must somehow be shielded from these effects.

Potential Weaknesses

  • The monitor data might be insecure in a variety of ways: through eavesdropping if it is unencrypted or poorly encrypted, through modification en route, or through unauthorized access to the data once it has been received and stored.
  • The device might not be shielded against strong electromagnetic radiation. Thus, one can imagine a situation in which a patient passes through airport security and the scanner causes the implanted device to malfunction and either shut down or release unscheduled doses. Similarly, the electromagnetic radiation from headphones has recently been implicated in the malfunctioning of pacemakers. This could pose a serious threat to implanted drug delivery devices as well.
  • The wireless control link might not be sufficiently secure, allowing a malicious person to send requests to the device and control it remotely.
  • The software of the device might not protect against errors in programming or reading the dosing schedule. For instance, if a high-order bit of the stored interval flipped from 1 to 0, the device might release a drug dose every minute instead of every 8 hours.
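To make the last weakness concrete, here is an added example (not code from the post, nor from MicroCHIPS) that assumes the dosing schedule is stored as a 32-bit interval in seconds next to a 32-bit dose in micrograms. It measures how much a single flipped bit can shorten the 8-hour interval from the text, then seals the record with a CRC-32 trailer so that a corrupted read is refused instead of acted on. The CRC is a fault check only: it catches memory and read errors, not a deliberate edit by someone who can recompute it.

```python
from __future__ import annotations

import struct
import zlib

EIGHT_HOURS_S = 8 * 60 * 60          # 28800 s, the interval used in the text
SCHEDULE = struct.Struct("<II")      # assumed layout: interval (s), dose (micrograms)
CRC = struct.Struct("<I")            # CRC-32 trailer appended to the record


def flip_bit(value: int, bit: int, width: int = 32) -> int:
    """Simulate a single-event upset: flip one bit of a `width`-bit word."""
    return (value ^ (1 << bit)) & ((1 << width) - 1)


def worst_single_bit_flip(interval_s: int, width: int = 32) -> tuple[int, int]:
    """Among all single-bit flips of the stored interval, return the (bit, new
    interval) pair that shortens the interval the most without zeroing it."""
    worst_bit, worst_interval = -1, interval_s
    for bit in range(width):
        candidate = flip_bit(interval_s, bit, width)
        if 0 < candidate < worst_interval:
            worst_bit, worst_interval = bit, candidate
    return worst_bit, worst_interval


def seal_schedule(interval_s: int, dose_ug: int) -> bytes:
    """Store the schedule with a CRC-32 trailer so a corrupted read is detected
    before it is acted on. Faults only: an attacker could recompute the CRC."""
    body = SCHEDULE.pack(interval_s, dose_ug)
    return body + CRC.pack(zlib.crc32(body))


def load_schedule(record: bytes) -> tuple[int, int]:
    """Verify the trailer and return (interval_s, dose_ug); raise on corruption."""
    body, trailer = record[:SCHEDULE.size], record[SCHEDULE.size:]
    if len(trailer) != CRC.size or zlib.crc32(body) != CRC.unpack(trailer)[0]:
        raise ValueError("dosing schedule failed integrity check")
    return SCHEDULE.unpack(body)


def corrupted_record_is_detected(record: bytes) -> bool:
    """Flip every bit of the sealed record in turn (body and trailer alike);
    True only if each damaged copy is rejected by load_schedule."""
    for bit in range(len(record) * 8):
        damaged = bytearray(record)
        damaged[bit // 8] ^= 1 << (bit % 8)
        try:
            load_schedule(bytes(damaged))
            return False          # a corrupted record was accepted
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    bit, shortened = worst_single_bit_flip(EIGHT_HOURS_S)
    print(f"flipping bit {bit} turns {EIGHT_HOURS_S} s into {shortened} s")
    sealed = seal_schedule(EIGHT_HOURS_S, 500)
    print("every single-bit corruption detected:", corrupted_record_is_detected(sealed))
```

Clearing bit 14 of 28800 leaves 12416 seconds, so one upset more than doubles the dosing rate; the sealed record turns that silent change into a refused read, after which the device still needs a safe fallback (hold the last verified schedule, or alarm) rather than a guess.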

Potential Defenses

  • The monitor data must be authenticated and encrypted en route to the receiver and stored in an encrypted form until transfer to the doctor.
  • The entire device (except conceivably the wireless antenna) needs to be shielded from electromagnetic radiation. Because the rest of the device is connected to the antenna, it is still potentially vulnerable to an EMP that could overload the circuitry and shut it down (a form of denial-of-service attack).
  • The wireless link must use strong authentication and encryption to ensure that no third party has the ability to activate the device.
  • Further, triggered drug dosing needs to be restricted to within a safe limit in the hardware so that even if the software is compromised, the device cannot deliver a lethal dose to the patient.
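The last two defenses, an authenticated wireless link and a dose ceiling the software cannot override, are shown below as an added example using only the Python standard library; it is not code from the post or from MicroCHIPS. Assumptions: each command carries a 64-bit counter and an HMAC-SHA256 tag under a per-device key provisioned at implant time (the hard-coded key here is a hypothetical placeholder), the device rejects any counter it has already seen, and a separate limiter standing in for the hardware ceiling refuses more than a fixed amount in any 8-hour window no matter how well authenticated the request is. The exchange in run_scenario is constructed: one legitimate dose, a replay of it, a forgery under the wrong key, a tampered copy, and then authentic requests that run into the ceiling.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Assumed: a per-device secret shared only with the patient's controller.
# Hypothetical value for the example; a real device would get it at provisioning.
DEVICE_KEY = bytes.fromhex("5c1d9e3b4a6f72081f0e2d3c4b5a6978" * 2)

CMD_DELIVER = 0x01
HEADER = struct.Struct("<BIQ")   # command, dose in micrograms, 64-bit message counter
TAG_LEN = hashlib.sha256().digest_size


def build_command(key: bytes, counter: int, dose_ug: int) -> bytes:
    """Controller side: serialise the request and append an HMAC-SHA256 tag.
    The counter is under the tag, so a captured message cannot simply be re-numbered."""
    body = HEADER.pack(CMD_DELIVER, dose_ug, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class DoseLimiter:
    """Stand-in for the hardware ceiling: at most max_window_ug in any window_s
    seconds, whoever asked. It deliberately exposes no way to raise the limit."""

    def __init__(self, max_window_ug: int, window_s: int):
        self._max = max_window_ug
        self._window = window_s
        self._log: list[tuple[float, int]] = []   # (time, micrograms) of past deliveries

    def allow(self, now_s: float, dose_ug: int) -> bool:
        self._log = [(t, d) for t, d in self._log if now_s - t < self._window]
        if dose_ug <= 0 or sum(d for _, d in self._log) + dose_ug > self._max:
            return False
        self._log.append((now_s, dose_ug))
        return True


class ImplantDevice:
    """Device side: authenticate, reject replays, then apply the ceiling."""

    def __init__(self, key: bytes, limiter: DoseLimiter):
        self._key = key
        self._limiter = limiter
        self._last_counter = 0   # highest counter accepted so far (anti-replay state)
        self.delivered_ug = 0

    def handle(self, msg: bytes, now_s: float) -> str:
        if len(msg) != HEADER.size + TAG_LEN:
            return "reject: malformed"
        body, tag = msg[:HEADER.size], msg[HEADER.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return "reject: bad mac"
        cmd, dose_ug, counter = HEADER.unpack(body)
        if counter <= self._last_counter:
            return "reject: replay"
        self._last_counter = counter        # consumed even if the dose is refused below
        if cmd != CMD_DELIVER:
            return "reject: unknown command"
        if not self._limiter.allow(now_s, dose_ug):
            return "reject: over dose ceiling"
        self.delivered_ug += dose_ug
        return "delivered"


def run_scenario() -> tuple[int, list[str]]:
    """Constructed exchange; returns (total delivered, outcome of each message)."""
    device = ImplantDevice(DEVICE_KEY, DoseLimiter(max_window_ug=2000, window_s=8 * 3600))
    outcomes = []
    legit = build_command(DEVICE_KEY, counter=1, dose_ug=500)
    outcomes.append(device.handle(legit, now_s=0))            # delivered
    outcomes.append(device.handle(legit, now_s=10))           # captured and replayed
    forged = build_command(b"\x00" * 32, counter=2, dose_ug=500)
    outcomes.append(device.handle(forged, now_s=20))          # attacker without the key
    tampered = bytearray(legit)
    tampered[1] ^= 0x80                                       # edit the dose field of a signed message
    outcomes.append(device.handle(bytes(tampered), now_s=30))
    for n in range(2, 6):                                     # four authentic 500 ug requests
        outcomes.append(device.handle(build_command(DEVICE_KEY, n, 500), now_s=60 * n))
    return device.delivered_ug, outcomes


if __name__ == "__main__":
    total, outcomes = run_scenario()
    for line in outcomes:
        print(line)
    print("delivered in window:", total, "ug")
```

The ordering matters: the tag is checked before anything in the message is trusted, the counter is consumed before the dose is evaluated so a refused request cannot be retried later, and the limiter is consulted last and independently, which is why the fourth authentic request is still refused once the window total reaches 2000 micrograms. This shows authentication only; the monitor data in the previous defense would additionally need encryption, and a production design would use an authenticated-encryption mode rather than a bare MAC.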

Risks and the Big Picture

  • There is a large risk that the device might malfunction (provoked or unprovoked) and deliver too much or too little drug to the patient. Not even the patient can be trusted with more than a small measure of control over the device's operation. The system needs to be secure against tampering by any of the parties involved.
  • As with any device which interacts wirelessly, authentication and encryption are critical. The data transmitted might reveal private information about the patient, and allowing a third party to control the device in any way could cause serious harm to the patient.
  • This technology has been in development for a long time and has many applications, but implanting a computer into a patient in any way, especially a computer which has control over something as important as drug delivery, exposes the patient to all of the vulnerabilities associated with computers.

Conclusion

It is clear that not even the software running on the device should be authorized to deliver doses in lethal amounts to the patient, but what if the drug is life-saving? Then not even a fail-off mode is acceptable, because shutting off drug delivery could also kill the patient. Thus, a denial-of-service attack becomes a way of killing the patient. These devices have the potential to drastically increase the quality of life of diabetics and improve the effectiveness and safety of cancer treatments, among other applications. But care needs to be taken to ensure that security is a paramount consideration in the development of these devices, because the patient's life is at stake.

Filed under: Security Reviews

4 Comments

  • 1

    Comment by ando

    January 23, 2009 @ 10:29 am

    Great post. I thought of some other interesting aspects regarding the device. You mentioned the device should have the ability to give certain rights depending on the role of the user. For instance a user should not be given as much access as the physician because they could be malicious and abuse the device. One problem with this is what if the user happens to have an emergency and cannot reach their regular doctor? How might another doctor access the device to supply or reduce the endangered patient's medicine? Would there be a specific access code given to all physicians? What if this access code fell into the wrong hands? Or would there be an access code for each individual physician? Then the device would have to have a large database to store all of these codes, which would be out of the question. Would there be an online service to access the device remotely where all physicians could be authenticated? If so, this opens up considerably more risk. Attackers could exploit the web service and pretend to be doctors. They could attack the server with a DoS strategy and prevent real doctors from accessing the devices. I'm sure these questions are currently being answered, but this is something that needs to be addressed. There will definitely be times when a patient's device will have to be accessed by other doctors, so some reliable protocol needs to be in place to successfully use the device during an emergency. This really is a great new technology that will help countless people. I just hope security issues can be solved to eliminate as much risk as possible.

  • 2

    Comment by Zac

    January 23, 2009 @ 11:05 am

    As convenient as wireless communication is, I think this post shows why we should think twice about using it for medical devices. Devices that dispense medications usually include a portacath for refilling the device. A portacath is analogous to a port on a computer. A catheter (tube) runs from the device to the skin, where there is an injectable surface (port).

    Using a similar setup for control would greatly improve the security of the device. Requiring a physical connection between the controller and the device would eliminate remote attacks that try to take control of the device (although not necessarily all attacks that could disable it). Once remote attacks are eliminated, the remaining threat would be no greater than that of a generic violent attack.

  • 3

    Comment by stasis

    January 23, 2009 @ 9:00 pm

    The only problem with requiring a physical connection is that then you have to break the skin, increasing the risk of infection. If you have to have a portacath in all-day everyday, your risk for infection will be dangerously high and it cannot be in for very long. Plus, you’ve just limited the patient’s quality of life dramatically, since they are not going to be able to do a lot of normal physical activities. It may increase the convenience of providing each dose, and reduce the number of shots needed, but it isn’t really a viable option if you are trying to preserve the patient’s way of life.

  • 4

    Comment by Ivayla Dermendjieva

    January 23, 2009 @ 9:51 pm

    Interesting article!

    I agree that this sort of technology is very useful and will provide a much improved experience to patients of various sorts. Now diabetics will no longer have to prick their fingers constantly to check their blood glucose level, or have to administer their own insulin. But as with any new technology advancement it comes with a new set of questions and vulnerabilities. This technology introduces a new medium (wireless) to the human system, which brings about many benefits, but as the article suggests, comes with a new set of challenges. A big advantage of using wireless to control implanted devices is that it is much less invasive. However, casting all coding bugs aside, this poses the question of authentication and ease of access.

    The difficulty arising with securing most devices is that the more interaction we require with the outside world, the more vulnerable the device becomes from a security standpoint.

    A very interesting facet arises when accounting for authentication: how do you decide who should have authority to control the device in any way and who should not? Setting the technical challenges of authenticating a particular party (such as a personal physician) aside, what happens when multiple medical providers need to control the device, such as a paramedic? If the paramedic cannot have proper control over the device, it may render it useless, or worse yet, prevent some other form of treatment from being used (since it may interfere with the device in a negative way). It is important to consider the various factors that may come into play in the environment in which this device is used, and be careful not to over-secure (essentially secure in the wrong way) so as to create adverse effects.
