Adding Security to Implantable Medical Devices: Can We Afford It?

Implantable Medical Devices (IMDs) belong to a class of highly life-critical, resource-constrained, deeply embedded systems. Their gradual conversion to wirelessly accessible devices in recent years has made them amenable to numerous successful ethical-hacking attempts. These attacks were made possible by the absence of proper security provisions in IMDs. IMD manufacturers have only very recently started taking cybersecurity threats seriously, a move that will force development teams to overhaul IMD designs and grow sharper reflexes in an industry that has historically opted for small, careful steps. Thus, valid concerns arise regarding the technical feasibility and, chiefly, the economic viability of adding security to IMDs. In this work, we assess the economic repercussions of securing IMDs by applying the concept of technical debt (TD) to the evolving IMD software. Our quantitative analysis reveals that security-related costs are currently well in hand; however, security-code TD amasses faster and will eventually overtake medical-code TD. The economic viability of IMDs will thus be ensured only if security-development efforts are allocated significant resources within the next decade.
