Companies such as the Massachusetts-based biotech company MicroCHIPS are developing what they call “intelligent implanted devices” for long-term internal patient monitoring and treatment. Patients who would normally require frequent blood tests, monitoring, or drug injections can instead have a device implanted which delivers doses of drugs on command or at regular intervals, monitors the patient, and transmits this data to a receiver. These devices tend to be made of titanium and are currently about the size of an Oreo cookie, but miniaturization is in the works. They have many potential uses, such as continuous glucose level monitoring for diabetic patients, needle-less, painless insulin injections on command, scheduled, decreasing doses of morphine for recovering addicts, scheduled and targeted chemotherapy, and frequent, regular release of anabolic agents to treat osteoporosis. Perhaps a cause for concern, the MicroCHIPS device can currently be activated and signaled to release drug doses over a wireless link.
Assets and Security Goals
- If the device works properly, it can provide monitoring which, although initially more invasive, could be much less damaging and more convenient for the patient in the long run. Further, the more frequent the monitoring, the better the treatment can be.
- Drug dosing regimens are constrained by how often injections can be made and how much drug can be injected at a time. With an implanted device, however, smaller doses can be given more frequently (which is much safer because it stabilizes the level of drug in the system) and more conveniently (no shot required).
- The device needs to ensure that drug dosing is performed exactly as specified and should be resistant to software and hardware malfunctions, especially those which could cause too much or too little drug to be delivered, a potentially fatal error.
- The device needs to ensure that the wireless link is secure so that only authorized individuals can activate it or cause it to deliver a drug dose. Otherwise, a third party could trigger all reservoirs of the drug to be released at once, potentially killing the patient.
Adversaries and Threats
- The patient is a potential adversary, especially in cases of drug addiction rehabilitation. It used to be the case that the drug reservoir was not enclosed in a metal case; after having their device filled with morphine, addicts used needles to extract the contents of this reservoir and inject it all at once to get high. Further, the patient may try to activate drug delivery more often than is safe.
- Another adversary is a third party attacker who either desires to eavesdrop and collect the monitor output of the device (for later analysis, publication, or sale) or maliciously tamper with the operation of the device (wirelessly or physically).
- An additional threat is the effect of environmental electromagnetic fields experienced in daily life. The device operation must somehow be shielded from these effects.
- The monitor data might be insecure in a variety of ways: through eavesdropping if it is not encrypted or is poorly encrypted, through modification en route, and through unauthorized access to the data once received and stored.
- The device might not be shielded against strong electromagnetic radiation. Thus, one can imagine a situation in which a patient passes through airport security and the scanner causes the implanted device to malfunction and either shut down or release unscheduled doses. Similarly, the electromagnetic radiation from headphones has recently been implicated in the malfunctioning of pacemakers. This could pose a serious threat to implanted drug delivery devices as well.
- The wireless control link might not be sufficiently secure, allowing a malicious person to send requests to the device and control it remotely.
- The software of the device might not protect against errors in programming or reading the dosing schedule. For instance, if a high-order bit of the stored interval flips from 1 to 0, the device might release a drug dose every minute instead of every 8 hours.
- The monitor data must be authenticated and encrypted en route to the receiver and stored in an encrypted form until transfer to the doctor.
- The entire device (except conceivably the wireless antenna) needs to be shielded from electromagnetic radiation. Because the rest of the device interacts with the antenna, it is still potentially vulnerable to an EMP pulse which could overload the circuitry and shut it down (a form of DoS attack).
- The wireless link must have several forms of authentication and encryption to ensure that no third party has the ability to activate the device.
- Further, triggered drug dosing needs to be restricted to within a safe limit in the hardware so that even if the software is compromised, the device cannot deliver a lethal dose to the patient.
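The bit-flip failure and the hardware dose floor described above, as an added example (not MicroCHIPS code): the stored schedule carries a CRC so a corrupted interval is rejected before it is used, and a separate limiter enforces a minimum spacing and a rolling-window cap regardless of what the scheduler asks for. All limits are constructed for illustration; a real device sets them per drug and per patient.

```python
import zlib
from dataclasses import dataclass

# Constructed limits for illustration only.
MIN_INTERVAL_S = 3600          # never release more often than once an hour
MAX_INTERVAL_S = 7 * 86400
MAX_DOSE_UG = 500              # largest single release the hardware permits
WINDOW_S = 86400               # rolling window for the cumulative cap
MAX_WINDOW_UG = 1500


@dataclass(frozen=True)
class Schedule:
    interval_s: int
    dose_ug: int
    crc: int                   # CRC-32 over both fields, stored beside them


def _crc(interval_s: int, dose_ug: int) -> int:
    return zlib.crc32(interval_s.to_bytes(4, "big") + dose_ug.to_bytes(4, "big"))


def make_schedule(interval_s: int, dose_ug: int) -> Schedule:
    return Schedule(interval_s, dose_ug, _crc(interval_s, dose_ug))


def schedule_valid(s: Schedule) -> bool:
    """Reject a schedule that is corrupted (any single flipped bit) or out of range."""
    if s.crc != _crc(s.interval_s, s.dose_ug):
        return False
    if not MIN_INTERVAL_S <= s.interval_s <= MAX_INTERVAL_S:
        return False
    return 0 < s.dose_ug <= MAX_DOSE_UG


class DoseLimiter:
    """Models the hardware floor: enforced even if the software scheduler is wrong."""

    def __init__(self) -> None:
        self.last_release_s = None
        self.window_start_s = None
        self.window_total_ug = 0

    def allow(self, now_s: int, dose_ug: int) -> bool:
        if not 0 < dose_ug <= MAX_DOSE_UG:
            return False
        if self.last_release_s is not None and now_s - self.last_release_s < MIN_INTERVAL_S:
            return False                                   # too soon after the last release
        if self.window_start_s is None or now_s - self.window_start_s >= WINDOW_S:
            self.window_start_s, self.window_total_ug = now_s, 0
        if self.window_total_ug + dose_ug > MAX_WINDOW_UG:
            return False                                   # cumulative cap for the window
        self.window_total_ug += dose_ug
        self.last_release_s = now_s
        return True
```

Flipping bit 14 of an 8-hour interval (28800 s) yields 12416 s, which the CRC catches before the range check is even reached.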
Risks and the Big Picture
- There is a large risk that the device might malfunction (provoked or unprovoked) and provide too much or too little drug to the patient. Not even the patient can be trusted with more than a small measure of control over the device’s operation. The system needs to be secure against tampering by any of the parties involved.
- As with any device which interacts wirelessly, authentication and encryption are critical. The data transmitted might reveal private information about the patient, and allowing a third party to control the device in any way could cause serious harm to the patient.
- This technology has been in development for a long time and has many applications, but implanting a computer into a patient in any way, especially a computer which has control over something as important as drug delivery, exposes the patient to all of the vulnerabilities associated with computers.
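The authenticated wireless control link called for above, as an added example (not MicroCHIPS's protocol): the controller and device share a key assumed to be provisioned at implant time, every command carries a monotonically increasing counter and a truncated HMAC-SHA256 tag, and the device rejects forged, modified, replayed or unknown commands. This covers authentication and freshness of commands; confidentiality of the monitor data is a separate concern not shown here.

```python
import hashlib
import hmac
import struct

OP_RELEASE = 1                 # the only command opcode this toy link accepts
ALLOWED_OPS = {OP_RELEASE}
TAG_LEN = 16                   # truncated HMAC-SHA256 tag (128 bits)
HEADER_FMT = ">IBH"            # counter(4) | opcode(1) | dose_ug(2), big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_command(key: bytes, counter: int, opcode: int, dose_ug: int) -> bytes:
    """Controller side: pack the header and append its authentication tag."""
    body = struct.pack(HEADER_FMT, counter, opcode, dose_ug)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class DeviceLink:
    """Device side: a command is acted on only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_counter = -1

    def accept(self, frame: bytes):
        """Return (opcode, dose_ug) for a valid command, or None if it must be ignored."""
        if len(frame) != HEADER_LEN + TAG_LEN:
            return None
        body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):        # forged, or modified in transit
            return None
        counter, opcode, dose_ug = struct.unpack(HEADER_FMT, body)
        if counter <= self._last_counter:                  # replayed or stale frame
            return None
        if opcode not in ALLOWED_OPS:
            return None
        self._last_counter = counter
        return opcode, dose_ug
```

The accepted dose still has to pass the device's hardware dose limit before any reservoir is opened; the link only establishes who sent the command and that it is new.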
It is clear that not even the software running on the device should be authorized to deliver doses in lethal amounts to the patient, but what if the drug is life-saving? Then not even a fail-off mode is acceptable, because shutting off drug delivery could also kill the patient. Thus, a denial-of-service attack becomes a way of killing the patient. These devices have the potential to drastically increase the quality of life of diabetics and improve the effectiveness and safety of cancer treatments, among other applications. But care needs to be taken to ensure that security is a paramount consideration in the development of these devices, because the patient’s life is at stake.