
Patients' own heartbeat could work as anti-hacking password for implants

Rice University researchers use the heartbeat as a random signal generator to make medical implants more secure (Image: Sergey Nivens/Shutterstock)

Remotely hacking a pacemaker or insulin pump should be impossible, but it isn't, and that puts the millions of people who use wireless medical implants at potential risk. Researchers at Rice University believe they have a solution: a touch-based device that uses the patient's own heartbeat as a one-time password to permit or deny access to the implant.

Making wireless medical implants fully secure is tricky because they must remain instantly accessible to emergency medical personnel, who may need the device's data to save a life. "The current generation of devices do not typically have security functions," Rice electrical and computer engineer Farinaz Koushanfar tells Gizmag. "They can be hacked rather easily, once a hacker spends the time to figure out the communication protocol by eavesdropping on packages sent or received by the device."

Many standard security measures cannot be built into implantable medical devices (IMDs) because they are either too computationally intensive, which drains the battery, or so strict that they would slow emergency access. The well-known hacker Barnaby Jack had earlier shown how security flaws in insulin pumps would let someone 300 feet away trigger a fatal dose; he died shortly before he was due to present his latest implant research at the Black Hat conference earlier this year. Other researchers have shown that it is possible to change the software on a pacemaker, alter the pacing rate and even deliver shocks to the heart.

"The possibilities are endless," Koushanfar tells us. "Whatever function which can be remotely controlled from the wireless channel can be a subject to hack." Researchers have previously explored wearable wireless signal jammers, device identification numbers and secondary authentication to address the problem. The Rice team's approach instead matches characteristics of the patient's heartbeat at the moment of access, which requires software in the IMD that talks to a programmer, the external touch device that emergency workers would carry.

The programmer picks up the electrocardiogram (EKG) signal of the heart as soon as the medical technician touches the patient. The IMD records the same beats from inside the body, the two readings are compared, and a match becomes the password that permits further access. Because the comparison is made against the beats occurring at that moment, the password is fresh for every access attempt.

"The EKG is used as a biological source for generating instantaneous true random numbers which is shared between the device and the programmer who can touch the body," Koushanfar tells us. "This truly random signal cannot be predicted or faked by somebody who is further away. An exciting contribution of our work is the introduction of secure algorithms for comparing the noisy EKG readings from the IMD and the programmer, without the possibility of having the values eavesdropped on the wireless channel."

The scheme resists replay, the researchers say, because the signal from the heartbeat changes from one beat to the next, so a reading captured even moments earlier or later will not match the beats the IMD sees during the access attempt. "The duration of each heart beat can not be predicted completely by any modeling method – it will always have a random component in it," Masoud Rostami, a graduate student on the team, tells Gizmag. "This is because the heart beat is governed by a very complex and chaotic system. We basically find and extract this random component."

Development was not easy: the team had to work through numerous challenges in removing noise from the measurements, since the two readings never agree exactly. The researchers say they settled on EKG signals because many existing IMDs already measure them and they can be picked up anywhere on the body. Called Heart-to-Heart (H2H), their authentication scheme is easy to deploy, they claim, because it can be delivered as a software update to the millions of IMDs already in use and draws only a small amount of the IMD's power. The technique can also be applied to body area networks, they claim.

"It can probably be used in brain implants too, since they will be able to measure the heart rate in the brain area as well," adds Koushanfar whose team is in the process of getting the device approved by the Food and Drug Administration. They are also engaged in the process of contacting IMD companies to discuss integrating H2H in their design.

H2H was developed with Ari Juels, a former chief scientist at RSA Laboratories, a security company based in Massachusetts, and is due to be presented at the Association for Computing Machinery's Conference on Computer and Communications Security (CCS) in Berlin in November. The research was supported by the Army Research Office and the Office of Naval Research.

Source: Rice University
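The mechanism described above, as an added Python simulation that is not code from the Rice team or the H2H paper. It assumes the shared secret is built from the low-order bits of consecutive inter-pulse intervals (the beat durations Rostami refers to), Gray-coded so that a 1 ms measurement error flips only one bit, and that the IMD's and programmer's bit strings are compared by Hamming distance against a threshold. The heartbeat sequences and sensor noise are constructed with a seeded generator; the number of beats, the bits kept per beat and the threshold are assumed parameters, and the eavesdropping-resistant comparison protocol the paper introduces is not reproduced here. The `error_rates` function also shows the false-reject versus false-accept trade-off that the threshold controls.

```python
"""Heartbeat-derived one-time secret: constructed simulation (added example, not H2H code)."""
import random

N_BEATS = 32          # beats sampled per access attempt (assumed)
BITS_PER_BEAT = 4     # low-order bits of each inter-pulse interval kept (assumed)
MASK = (1 << BITS_PER_BEAT) - 1


def simulate_ipis(rng, n, base_ms=800, jitter_ms=40):
    """Constructed inter-pulse intervals in ms: a resting rate plus a random component."""
    return [base_ms + rng.randint(-jitter_ms, jitter_ms) for _ in range(n)]


def measure(ipis, rng, noise_ms):
    """Noisy copy of a beat sequence, as the programmer's skin-contact sensor might see it."""
    return [ipi + rng.randint(-noise_ms, noise_ms) for ipi in ipis]


def gray(x):
    """Reflected Gray code; adjacent values (including 15 and 0) differ in one bit."""
    return x ^ (x >> 1)


def extract_bits(ipis):
    """Keep the low-order bits of each IPI, Gray-coded, LSB first."""
    out = []
    for ipi in ipis:
        g = gray(ipi & MASK)
        out.extend((g >> i) & 1 for i in range(BITS_PER_BEAT))
    return out


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def matches(imd_bits, prog_bits, threshold):
    """Accept when the two noisy readings disagree in at most `threshold` bits."""
    return hamming(imd_bits, prog_bits) <= threshold


def error_rates(threshold, trials=2000, noise_ms=1, seed=1):
    """Monte Carlo estimate of (false_reject, false_accept) for a given threshold.

    The honest programmer sees the IMD's beats through sensor noise; the attacker
    is modelled as someone who cannot touch the patient and therefore only has
    beats with the same statistics (another person, or the same heart at a
    different moment). In the real system the comparison would run inside an
    eavesdropping-resistant protocol, which this simulation does not model.
    """
    rng = random.Random(seed)
    false_reject = false_accept = 0
    for _ in range(trials):
        true_ipis = simulate_ipis(rng, N_BEATS)
        imd = extract_bits(true_ipis)
        honest = extract_bits(measure(true_ipis, rng, noise_ms))
        attacker = extract_bits(simulate_ipis(rng, N_BEATS))
        false_reject += not matches(imd, honest, threshold)
        false_accept += matches(imd, attacker, threshold)
    return false_reject / trials, false_accept / trials


if __name__ == "__main__":
    for t in (10, 20, 30, 40, 50):
        fr, fa = error_rates(t)
        print(f"threshold={t:2d}  false_reject={fr:.4f}  false_accept={fa:.4f}")
```

With 1 ms sensor noise each beat contributes at most one disagreeing bit, so the honest distance never exceeds `N_BEATS`, while an attacker's string is essentially random and sits near half of the 128 bits; the design practice is to pick the threshold that keeps the false-reject rate at the level considered acceptable and then read off the false-accept rate it implies.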

I cannot believe anyone seriously wants to control access to an implantable defibrillator or pacemaker by ECG biometric authentication.
What could the consequences be of a False Negative (where the device won't properly recognise the patient's rhythm)? Biometric vendors and advocates are rarely forthcoming with objectively measured False Accept & False Reject statistics. That's bad enough in normal security practice but when patient safety is at stake, we will need better transparency from ECG biometrics researchers.
Ok, so I assume there will be an over-ride mechanism so doctors can still access the implant if the biometrics won't trigger. But hang on: it's the existing over-ride protocol that Barnaby Jack used to demonstrate his pacemaker "hacks". So let's be honest, biometrics cannot correct the actual vulnerabilities he exposed. Poor Barnaby will be rolling in his grave.
Where's the fundamental science to suggest that QRS waves in the ECG should be distinctive? The empirical measurements are not encouraging. One of the prime references for ECG authentication (Singh & Singh 2012, "Evaluation of Electrocardiogram for Biometric Authentication" in Journal of Information Security) said ECG alone is not suitable because the accuracy is too low. The currently topical Bionym product that commercializes ECG biometrics is promoted as a three factor device, so it doesn't rely on the ECG alone, as would an implantable.
Further, Singh's work was based on libraries of signals sampled using clinical 12 lead ECG equipment. I cannot believe (after actually working in implantable defib design for years) that a QRS sampled from just two leads inside the heart will be meaningful for identification. For one thing, the tightly constrained analogue electronics in an implantable wouldn't be up to the job; for another, the alleged individuality of an ECG measured at the skin depends on the geometry of the person's chest, and that information is lost when the ECG is sampled from within.
Steve, the system doesn't use EKG as a biometric at all. It uses EKG to extract an instantaneous password. The pacemaker and the programmer then compare their 'password' for authentication. I agree with you that EKG does not have enough entropy to be a biometric.
I am one of the authors.
My apologies for misunderstanding the measurement method. I will read your "heart to heart" paper with interest.
Nevertheless, any biometric system will suffer false negatives. Or, in the case of this implantable security method, it could be rendered inoperable by a pacing lead failure. Your system will need an over-ride protocol, will it not, so that physicians can still access the device? It was such an over-ride channel that Barnaby Jack was exploiting in his attacks.
Do you think your solution can be deployed without an over-ride mechanism?
Steve, these types of systems will have both false positive and false negative rates. The correct design practice is fixing the false negative rate to an acceptable rate and then minimizing the false positive.
In this paper, we assumed that a false negative rate of 10^-4 is acceptable and then we minimized the false positive rate. That rate of false negatives means that an honest party will fail at authentication twice in a row only one in 100 million times. If this is not acceptable, one can further play with the system parameters to arrive at the sweet spot of false positive and false negative rates. So, I don't think an override is necessary.
An "honest party will fail at authentication, twice in row only one in 100 million times". But only if false negatives are distributed randomly. In the case of a lead failure (a not uncommon problem with ICDs and pacemakers) you won't have an internal ECG signal. Is an over-ride not necessary to cover that scenario?