Securing implantable cardioverter defibrillators using smartphones

Implantable Cardioverter Defibrillators (ICDs) are small battery powered Implantable Medical Devices (IMDs) that are placed in the patient's body to treat irregular heartbeats called arrhythmias, especially those that can cause sudden heart arrest. These devices are programmed and accessed for diagnosis and therapy, wirelessly by an External Programmer (EP). Previous studies have shown that ICDs are vulnerable to wireless attacks. These attacks can not only extract private patient information but can physically hurt the patient, including turning lethal. Some efforts have been made to address this problem in the past. One of the challenges with security in implantable medical devices, such as ICDs, is patient safety. While it is crucial that these devices should be secured by all means possible, a medical practitioner should always be able to access them at anytime including unpredictable emergency situations. This thesis proposes investigates utilizing a patient's smartphone to address the above problem and provides concrete solutions under the realistic assumption that most patients carry a phone, more increasingly a smartphone in the future. The patient's smartphone acts as a security management "hotspot" between the patient, the patient's ICD and an EP that needs to interact with that ICD. Using the smartphone, the patient can precisely control which EP can access her ICD. Several scenarios are discussed where the smartphone plays a central role in access control including emergency situations where the smartphone may be unavailable or absent or the patient is incapacitated. As a proof-of-concept, the proposed security protocols are implemented using simulated EPs, ICDs and an Android-based smartphone.