Encrypted heartbeat could secure implanted devices

Researchers have found a way to encrypt a heartbeat that can be used as a biometric security identifier for implanted medical devices, such as defibrillators and insulin pumps.

Studies show that hijackers can take control of these devices and cause implanted defibrillators to stay inactive despite a cardiac emergency, deliver a 700-volt jolt or drain batteries of power. Device makers haven't implemented security measures in the devices because even requiring a first responder to punch in a password might take too much time in an emergency--and passwords can be forgotten, lost or stolen, the article points out. 

Researchers from Rice University and security company RSA have come up with an authentication system that requires anyone trying to reprogram such a device or download data from it to match the encrypted heartbeat with the patient's real one, reports MIT Technology Review.

This method requires the doctor or paramedic to merely hold the device against the patient's chest to verify that the signals match. And it can't be done remotely.

"The fact that you are reading a random changing symbol means the attacker can't profile the heartbeat at one time and use the information later to attack the device," Ari Juels, chief scientist at RSA Laboratories, told MIT Technology Review. 

Because it would require U.S. Food and Drug Administration approval, however, it could be years before the technology might go on the market.

Passwords tend to create vulnerabilities in an array of systems. The Department of Homeland Security this summer warned of password vulnerabilities in roughly 300 medical devices from 40 vendors. At the same time, the Food and Drug Administration released guidance to encourage developers and healthcare facilities to beef up medical device security.

The non-profit Center for Internet Security said it would start with insulin pumps in its efforts to develop guidelines on securing Internet-enabled medical devices.

To learn more:
- read the article

Suggested Articles

The Department of Health and Human Services announced proposed changes to privacy restrictions on patients' substance use treatment records.

An FDA official said the agency is in discussions with multiple stakeholders to create a universal unique medical device identifier to be stored in EHRs.

Virtual care, remote monitoring, telehealth and other technologies have long been on the “nice to have” list for healthcare. But that's changing.