Implanted medical devices (IMDs) that communicate wirelessly with external monitoring and control systems are becoming commonplace in the medical world. Certain pacemakers, for example, are subject to reprogramming by medical personnel over the telephone. One vendor sells human-implantable radio frequency identification (RFID) tags to combat the “John Doe” problem in medical environments, cases in which disoriented or unconscious patients lack adequate identity documents. Similar implanted devices are already in widespread use for identification of lost house pets. More broadly, a new medical frontier is developing around both implantable sensors that relay physiological values by radio to monitoring devices and medical control devices subject to external reprogramming. These and other types of IMDs offer the prospect of continuous, automated production of diagnostic data and physiological intervention.
Of course, IMDs are computing devices of the utmost security sensitivity. A sensor or identification tag can expose privacy-sensitive data to compromise. A malefactor capable of reprogramming an implanted medical control device can injure or kill a victim.
At the same time, IMDs must allow rapid, unimpeded access by medical personnel. A patient's life may depend on the ability of first responders to gain swift access to his or her IMDs. An access-control system that requires emergency medical technicians to reference a secure database, obtain a password from the patient, or access a patient's wallet or handbag poses a threat to timely medical intervention.
A conventional approach to providing secure access to IMDs is described in S. K. S. Gupta et al., “BioSec: A biometric based approach for securing communication in wireless networks of biosensors implanted in the human body,” ICPP Workshops: International Workshop on Wireless Security and Privacy, pp. 432-439, 2003. This architecture assumes communication between IMDs and a base station. The base station acts as a point of aggregation of IMDs and as a point of contact for external medical systems. The base station makes use of a pre-established, long-term shared symmetric key to communicate with each IMD. The IMDs communicate with one another using a freshly derived key based on a current physiological value.
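The two key relationships in this architecture, worked through as an added illustration that is not code from the patent or from the BioSec authors: a base station authenticates frames to an IMD under a long-term key provisioned in advance, and two IMDs derive a fresh peer key from a physiological value they both observe, with no secret pre-shared between them. The function names, the use of an inter-pulse interval in milliseconds together with a coarse time slot as the shared value, the 32-byte long-term key and the frame layout are all assumptions of this example; the key derivation is HKDF (RFC 5869) over HMAC-SHA-256 and the frame check is HMAC with a monotonic counter, both from the standard library.

```python
"""Added example (not the patent's or BioSec's code): long-term key between a
base station and an IMD, and a fresh peer key derived from a shared
physiological reading between two IMDs. Standard library only."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
TAG_LEN = HASH().digest_size  # 32 bytes


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, HASH).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_physio_key(reading_ms: int, epoch: int) -> bytes:
    """Fresh IMD-to-IMD key from a physiological reading both IMDs observe.

    reading_ms and epoch are assumptions of this example: an inter-pulse
    interval in milliseconds and a coarse time slot, so the same signal sampled
    in the same slot by two IMDs yields the same key. Salt and info are public
    constants; the reading is the only secret input.
    """
    ikm = struct.pack(">IQ", reading_ms, epoch)
    return hkdf(b"imd-physio-salt", ikm, b"imd-peer-key")


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Authenticate a frame as counter || payload || HMAC tag.
    The counter lets the receiver reject replayed frames."""
    msg = struct.pack(">Q", counter) + payload
    return msg + hmac.new(key, msg, HASH).digest()


def open_frame(key: bytes, frame: bytes, last_counter: int):
    """Return (ok, new_last_counter, payload); rejects bad tags and replays."""
    if len(frame) < 8 + TAG_LEN:
        return False, last_counter, b""
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, msg, HASH).digest(), tag):
        return False, last_counter, b""
    counter = struct.unpack(">Q", msg[:8])[0]
    if counter <= last_counter:  # replayed or out-of-order frame
        return False, last_counter, b""
    return True, counter, msg[8:]


def demo() -> dict:
    """Run both relationships on constructed values and return the outcomes."""
    results = {}
    # Base station <-> IMD: long-term key provisioned at implant time (constructed).
    lt_key = bytes(range(32))
    frame = seal(lt_key, 1, b"SET_RATE:70")
    ok, last, payload = open_frame(lt_key, frame, 0)
    results["base_station_cmd_ok"] = ok and payload == b"SET_RATE:70"
    # The same frame delivered again is a replay and must be rejected.
    results["replay_rejected"] = not open_frame(lt_key, frame, last)[0]

    # IMD <-> IMD: both devices sample the same inter-pulse interval (812 ms,
    # constructed) in the same epoch and so derive the same fresh key.
    k_a = derive_physio_key(812, epoch=1)
    k_b = derive_physio_key(812, epoch=1)
    results["peer_keys_match"] = k_a == k_b
    peer_frame = seal(k_a, 1, b"glucose=5.4")
    results["peer_frame_ok"] = open_frame(k_b, peer_frame, 0)[0]
    # Failure mode: a peer whose reading is stale by a few milliseconds derives
    # a different key, so the frame fails verification. The architecture as
    # described leaves the needed quantization or tolerance unspecified.
    k_stale = derive_physio_key(809, epoch=1)
    results["stale_reading_rejected"] = not open_frame(k_stale, peer_frame, 0)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The stale-reading case is the practical caveat of the peer-key scheme: two IMDs must agree not only on the signal but on when and how precisely it is sampled, or they derive different keys and cannot talk. The strength of such a key is also bounded by how unpredictable the reading is to anyone outside the body, which is why the base-station relationship still rests on a provisioned long-term key.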
Other security architectures for IMDs rely on standard cryptographic access-control approaches involving the pre-provisioning of keys in IMDs and their associated monitoring devices. See, for example, K. Lorincz et al., “Sensor networks for emergency response: Challenges and opportunities,” Pervasive Computing, 3(4):16-23, 2004.
Unfortunately, these and other conventional techniques fail to provide an adequate solution to the problem of emergency access to IMDs.
It is apparent from the foregoing that a strong tension exists between the requirements of IMD security and IMD accessibility. What is needed is an approach that achieves a suitable balance between these competing requirements.