Emergency Aware, Non-invasive, Personalized Access Control Framework for IMDs

  • Monika Darji
  • Bhushan H. Trivedi
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 420)


Implantable Medical Devices have helped patients suffering from chronic diseases by providing continuous diagnosis, treatment and remote monitoring without hospitalization and at a less expense with increased flexibility. Incorporation of wireless bidirectional communication has introduced vulnerabilities like unauthorized wireless access which might get realized as a security attack and endanger patient privacy and safety. Traditional security and privacy techniques cannot be directly applied to these devices because of their miniaturized size which leads to power, computational and storage constraint. Moreover their positioning inside the human body makes battery replacement possible only through surgery. Security and privacy technique for these devices must balance security and safety and should also be acceptable and usable. Moreover it should not reduce the clinical effectiveness of the device. Security researchers have proposed ways of providing security but have kept the property of fail openness in order to make IMD accessible during emergencies. Fail openness is defined as a property of Implantable Medical Device due to which during emergency condition access is granted bypassing all security techniques. We argue that the patient is all the more vulnerable during an emergency situation and complete removal of security may be dangerous for the safety of the patient.We propose a solution to provide fine grained Access Control which also takes emergency condition into notice. The security needs for IMD communication requires dynamic and flexible policy enforcement. While providing strong Access Control during normal situation, our solution accommodates emergency access to the data in a life-threatening situation. We propose personalized Emergency Aware role based Access Control (EAAC) framework. This framework can work in conjunction with Authentication and Encryption to provide a strong security solution as compared to other solutions. In fact we believe that the possibility of an attacker inducing false alarms to introduce fake emergency situation and take control of the IMD is likely to increase and the solution that we propose here may be more useful in such cases.Our paper highlight security challenges when fail open access is given and provide a solution using EAAC framework.


IMDs security authentication access control 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Insulin pumps - global pipeline analysis, opportunity assessment and market forecasts to 2016. GlobalData,
  2. 2.
    Halperin, D., Heydt-Benjamin, T.S., Fu, K., Kohno, T., Maisel, W.H.: Security and privacy for Implantable medical devices. IEEE Pervasive Computing 7(1), 30–39 (2008)CrossRefGoogle Scholar
  3. 3.
    Roberts, P.: Blind attack on wireless insulin pumps could deliver lethal dose. Threatpost (blog post) (October 2011),
  4. 4.
    Li, C., Raghunathan, A., Jha, N.K.: Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In: Proceedings of the 13th IEEE International Conference on e-Health Networking, Applications, and Services, Healthcom 2011 (June 2011)Google Scholar
  5. 5.
    Burleson, W., Clark, S.S., Ransford, B., Fu, K.: Design challenges for secure implantable medical devices. In: Proceedings of the 49th Annual Design Automation Conference (DAC 2012), pp. 12–17. ACM, New York (2012)CrossRefGoogle Scholar
  6. 6.
    Bergamasco, S., Bon, M., Inchingolo, P.: Medical data protection with a new generation of hardware authentication tokens. In: Mediterranean Conference on Medical and Biological Engineering and Computing (MEDICON), Pula, Croatia, pp. 82–85 (2001)Google Scholar
  7. 7.
    Schechter, S.: Security that is Meant to be Skin Deep: Using Ultraviolet Micropigmentation to Store Emergency-Access Keys for Implantable Medical Devices. In: USENIX Workshop on Health Security and Privacy (2010)Google Scholar
  8. 8.
    Rasmussen, K.B., Castelluccia, C., Heydt-Benjamin, T.S., Capkun, S.: Proximity-Based Access Control for Implantable Medical Devices. In: ACM Conference on Computer and Communications Sexscurity (2009)Google Scholar
  9. 9.
    Halperin, D., Heydt-Benjamin, T.S., Ransford, B., Clark, S.S., Defend, B., Morgan, W., Fu, K., Kohno, T., Maisel, W.H.: Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In: IEEE Symposium on Security and Privacy (2008)Google Scholar
  10. 10.
    Denning, T., Fu, K., Kohno, T.: Absence Makes the Heart Grow Fonder: New Directions for Implantable Medical Device Security. In: HotSec (2008)Google Scholar
  11. 11.
    Gollakota, S., Hassanieh, H., Ransford, B., Katabi, D., Fu, K.: They Can Hear Your Heartbeats: Noninvasive Security for Implanted Medical Devices. In: ACM SIGCOMM (2011)Google Scholar
  12. 12.
    Sandhu, R., Samarati, P.: Access control: Principles and practice. IEEE Communications Magazine 32(9), 40–48 (1994), CrossRefGoogle Scholar
  13. 13.
    D. of Defense, Department of defense trusted computer system evaluation criteria, Department of Defense Standard, Tech. Rep., (December 1985),
  14. 14.
    Sandhu, R., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role Based Access Control Models. IEEE Computer, 38–47 (February 1996)Google Scholar
  15. 15.
    Covington, M.J., Long, W., Srinivasan, S.: Secure Context-Aware Applications Using Environmental Roles. In: Proc. of 6th ACM Symp. on Access Control Models Tech. (2001)Google Scholar
  16. 16.
    Al-Muhtadi, J., Ranganathan, A., Campbell, R.H., Mickunas, M.D.: Cerberus: A Context-Aware Security Scheme for Smart Spaces. In: Proc. IEEE Percom (2003)Google Scholar
  17. 17.
    Hu, J., Weaver, A.C.: Dynamic, Context-aware Security Infrastructure for Distributed Healthcare Applications. In: Proc. 1st Workshop on Pervasive Security, Privacy Trust (2004)Google Scholar
  18. 18.
    Gupta, S.K.S., Mukherjee, T., Venkatasubramanian, K.: Criticality Aware Access Control Model for Pervasive Applications. In: Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computing and Communications (PERCOM 2006), pp. 251–257. IEEE Computer Society, Washington, DC (2006)CrossRefGoogle Scholar
  19. 19.
  20. 20.
    Venkatasubramanian, K., Gupta, S.: Security for pervasive healthcare. In: Security in Distributed, Grid, Mobile, and Pervasive Computing, pp. 349–366 (2007)Google Scholar
  21. 21.
    Cherukuri, S., Venkatasubramanian, K.K., Gupta, S.K.S.: Biosec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body. In: International Conference on Parallel Processing Workshops, pp. 432–439 (October 2003)Google Scholar
  22. 22.
    Harland, C.J., Clark, T.D., Prance, R.J.: Electric potential probes - new directions in the remote sensing of the human body. In: Measurement Science and Technology, vol. 13, p. 163 (2002)Google Scholar
  23. 23.
    Hansen, J.A., Hansen, N.M.: A taxonomy of vulnerabilities in implantable medical devices. In: Proceedings of the Second Annual Workshop on Security and Privacy in Medical and Home-care Systems (SPIMACS 2010), pp. 13–20. ACM, New York (2010)CrossRefGoogle Scholar
  24. 24.
    Savci, H., Sula, A., Wang, Z., Dogan, N.S., Arvas, E.: MICS transceivers: regulatory standards and applications [medical implant communications service. In: Proceedings of IEEE SoutheastCon 2005, pp. 179–182 (April 2005)Google Scholar
  25. 25.
    Calero, J.M.A., Perez, G.M., Skarmeta, A.F.G.: Towards an Authorization Model for Distributed Systems based on the Semantic Web. IET Information Security. IET 4(4), 411–421 (2010)CrossRefGoogle Scholar
  26. 26.
    Ni, Q., Bertino, E., Lobo, J., Calo, S.B.: Privacy aware Role Based Access Control. IEEE Security and Privacy 7(4), 35–43 (2009)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Monika Darji
    • 1
  • Bhushan H. Trivedi
    • 2
  1. 1.LJ Institute of Computer ApplicationAhmedabadIndia
  2. 2.GLS Institute of Computer TechnologyAhmedabadIndia

Personalised recommendations