Active implantable medical devices: cybersecurity in a nutshell

If you have watched the espionage series Homeland, you may have laughed sceptically when the Vice President’s pacemaker was hacked by terrorists. Christos Strydis, however, was happy that this security problem finally got some mainstream attention. As an expert in cybersecurity of active implantable medical devices (AIMDs), he has already spent many years heralding and trying to prevent the perfect cybersecurity storm that is looming over us.

Christos Strydis‘Until perhaps fifteen years ago, hackers weren’t very interested in implants,’ says Christos Strydis, holding a dual position as an associate professor at the Neuroscience department of the Erasmus MC and at the Quantum and Computer Engineering department of TU Delft. ‘They were rather simple devices, each having some or no security provisions whatsoever, but that wasn’t a big deal since only a small minority of the population had an implant. Nowadays, we have deep-brain neurostimulators, cochlear implants, devices for pain suppression, for controlling urinary retention, you name it. Add to that some quick cybersecurity fix, such as Bluetooth-based communication, and you have modern implants that are virtually unprotected when it comes to cybersecurity and data privacy. It is every hacker’s dream: with little effort, one can have maximum impact.’

An afterthought

The highest priority of companies selling implants naturally is guaranteeing that their devices are medically safe, that they won’t harm the patient. And there are many challenges to overcome: these devices need to be very small, operate on ultra-low power and have to survive in the human body for at least a decade. ‘But cybersecurity is still too much of an afterthought,’ Strydis says. ‘Implants are a very special class of devices. You cannot simply copy solutions from smartphones. AIMD companies must really re-design their devices, with cybersecurity added to them, from the ground up. They also need to take any connectable devices into account, such as AIMD mobile readers, cell phones and Cloud storage. A holistic approach.’ That is what Strydis is working on, at many levels.  

   Modern implants are virtually unprotected when it comes to cybersecurity and data privacy

A free ride, for once

His group proposed using the patient’s own heartbeat for establishing trust (before any secure authentication or data exchange takes place) between implants and the outside world. ‘The heartbeat can be measured throughout the body with various means, and it can help build stronger security as it has sufficient variation to uniquely identify you,’ he says. Most importantly, as your heartbeat is always varying, a person who manages to hack the password won’t be able to use it again the next day. ‘It is a free ride. For once, the body is part of the solution, rather than just posing challenges.’ Strydis was also the first to prove it feasible to physically separate the security CPU from the medical CPU in an ultra-low-power device. Now, if the security CPU gets hacked, it can (be) shut down without compromising the medical function of the device. ‘It is only half a solution; you still need a security protocol taking advantage of this.’

bluetooth security strydis delft

Ultrasound = ultra-secure

‘Implant companies tend to think their devices are invulnerable because they hide the specifications of the communication protocol between their proprietary implant and proprietary reader,’ Strydis says. ‘But if you work in cybersecurity, you know such hiding in obscurity to be a really bad idea. Open-access scrutiny is the one weapon we have against cybersecurity attacks.’ True to his words, one of his students has recently devised and published a security protocol for the complete AIMD ecosystem. Strydis’ group has also been researching the use of ultrasound for secure AIMD communication. Rather than omnidirectional electromagnetic waves, as with Wi-Fi or Bluetooth, at frequencies above 1 MHz the ultrasound signal is highly targeted and has a very short range. Strydis: ‘The strength of the ultrasound signal drops exponentially with every extra millimetre of range. It makes eavesdropping or injecting malicious messages so difficult that we may not even need to protect the link; just sending plain (unencrypted) text commands may be enough.’ Together with Wouter Serdijn, professor in the TU Delft Bio-electronics Department, he even believes it feasible to retrofit existing AIMDs with ultrasound communication, making them much more secure.

Close to the problem

His research being so technical, you might expect Strydis to spend most of his time at TU Delft. Not so. ‘I did my PhD at TU Delft, and it was very difficult to get access to physicians, or to implants,’ he says. ‘I then promised myself that I wanted to work in a clinical or medical setting.’ Now, at Erasmus MC, he has medical personnel helping with his experiments and he only needs to make a single phone call to go and observe a surgery. ‘True implant solutions will only become possible when engineers come close to healthcare experts. You may think they have one problem, but they actually have a different problem.’ He has started discussions with expert urologist Bertil Blok on adding cybersecurity to urinary-retention implants. Strydis: ‘These devices are somewhat bulkier but tremendously important for the Dutch society.’

   True implant solutions will only become possible when engineers come close to healthcare experts.

Some public outcry, please

For many years now, Strydis has been calling, with ever-increasing urgency, for implant companies to take cybersecurity seriously. ‘We have solutions ready, but we have a very hard time transferring our technology to the industry,’ he says with frustration. ‘Cybersecurity is still low in their priority list, but it is a necessary evil in this new age of everything being interconnected. And it is not only for the safety of people; a company risks its own continuity should any of their devices be hacked.’ He believes these companies should have a clear cybersecurity roadmap and a dedicated R&D department for designing their next generation of cyber secure devices. They also need to conform to international standards and best practices, such as publishing their cybersecurity protocols, as other communities do. ‘Public outcry seems the only way to effect long-due changes,’ Strydis says. ‘Ask your doctor if your implant is truly secure. Or have your doctor ask the company. They should worry about those Dutch patients being so vocal and nosy.’

Read more interviews in the Cyber Security Research Collection