Researchers have found a way to encrypt a heartbeat that can be used as a biometric security identifier for implanted medical devices, such as defibrillators and insulin pumps.
Studies show that attackers who hijack these devices can make an implanted defibrillator stay inactive during a cardiac emergency, deliver a 700-volt jolt, or drain its battery. Device makers haven't implemented security measures in the devices because even requiring a first responder to punch in a password might take too much time in an emergency, and passwords can be forgotten, lost or stolen, the article points out.
Researchers from Rice University and security company RSA have come up with an authentication system that requires anyone trying to reprogram such a device or download data from it to match the encrypted heartbeat with the patient's real one, reports MIT Technology Review.
This method requires the doctor or paramedic to merely hold the device against the patient's chest to verify that the signals match. And it can't be done remotely.
"The fact that you are reading a random changing symbol means the attacker can't profile the heartbeat at one time and use the information later to attack the device," Ari Juels, chief scientist at RSA Laboratories, told MIT Technology Review.
Because the technology would require U.S. Food and Drug Administration approval, however, it could be years before it goes on the market.
Passwords tend to create vulnerabilities in an array of systems. The Department of Homeland Security this summer warned of password vulnerabilities in roughly 300 medical devices from 40 vendors. At the same time, the Food and Drug Administration released guidance to encourage developers and healthcare facilities to beef up medical device security.
The non-profit Center for Internet Security said it would start with insulin pumps in its efforts to develop guidelines on securing Internet-enabled medical devices.