In 2022, Lakhs of people watched South Indian, thriller movie named, "Enemy"
wherein a fictional Union Minister was about to be assassinated via terrorist
cyberattack on her pacemaker. While the movie wasn't an exact replica of life
incidents, the episode was inspired by real-life Vice President Dick Cheney's
security issues of his implanted defibrillator, as well as by the issues raised
by a new generation of Implanted medical devices. Devices like pacemakers,
insulin pumps, and bladder stimulators monitor body functions, deliver
medications, and even communicate remotely with doctors.
However, the price for
such improved healthcare can be an increased cybersecurity risk and potential
civil liability for device manufacturers. The article seeks to address the main
reasons and strategies ahead for the question pertaining to cybersecurity for
implanted medical devices as it has already transgressed from the world of
fiction and theory to the real world.
What is the mechanism behind IMDs and how do Cyberattacks occur on such devices?
The attack on such medical devices could be categorised as "passive cyberattack"
due to the fact that it infringes the security of the device and wrongfully
obtains the patient's data which are usually used by doctors to analyse the
health of the patient. An IMD is usually defined as "an electronic device that
is permanently or semi-permanently implanted on a patient with the purpose of
treating a medical condition, improving the functioning of some body part, or
providing the user with a capability that he/she did not possess before.
most common IMDs include cardiac implanted devices (such as pacemakers and
implanted cardioverter defibrillators, or ICDs), which are designed to treat
cardiac conditions by monitoring the heart's electrical activity and applying
electrical impulses or shocks to restore the heart's rhythm to the appropriate
However in "active cyberattacks", the attacker is not only capable of
interfering with the patient's data which is exchanged through radio waves but
is also capable of sending commands to the IMDs which could be used to induce
shock to the patient or repeatedly request information from the IMD to drain its
battery or deliver overdose of medication which could be fatal.
Though such instances of cyberattacks are rare, yet one must not ignore its
potential threats keeping in view the statistical data of usage of such implants
and the past incidents across the globe. In the US alone in the year 2010, 2.6
million people relied on IMDs. While in 1998, the radio waves from television
station had interfered with the electromagnetic frequency of medical devices
situated in a nearby hospital which made them incapable to function thereby
affecting the critical care readings.
In 2003 and in 2009 respectively, the
Slammer and Conficker worms had each infected some networked hospital systems
responsible for monitoring heart patients. And in one of the first computer
attacks in the year 2008, to actually cause physical harm, hackers added
flashing computer animation to an epilepsy support group's online message brings
trauma to the group 
Cybersecurity measures for IMDs
India has observed an exponential spike in cybersecurity related incidents, the
number stands at 1.4 million incidents in 2021 and 212,000 incidents in January
and February 2022 alone. The cybersecurity department of the the Indian Computer
Emergency Response Team has executed a new cybersecurity design to attack on the
issues of cybersecurity- threats and in India. However, there exists a need for
the parliament to frame laws specifically for IMDs and its cybersecurity
But improving security for IMDs is problematic, since manufacturers must
necessarily take various factors into consideration, such as usability, patient
values, battery life and system performance, and cost. Other approaches, like
adding encryption, might require updates of the software on certain IMDs and
controllers." A more radical measure, on the other hand, may demand completely
new devices or components such as manufacturers to design a 2 way communication
system instead of previously used unilateral apparatus.
As IMDs become smaller, more functional, and ever more complex, the challenge of
making them secure becomes more daunting than ever. In the end, to
accommodate patient preferences in additional to meeting the evolving realities
of the technological landscape, manufacturers and healthcare providers may need
to implement different security measures in different contexts. Here are some
different approaches to cybersecurity and IMDs.
The Proprietary approach
This approach is more focused towards narrowing the challenge of security. The
IMDs are designed in such a manner that they would work for some but not for
others, hence it is a
"Custom-tailored" measure. It is to be noted that any security measure that is
unique to specific manufacturer would change depending upon the type of device
and its internal functions.
The Patient �Centred Approach
According to research conducted at the University of Washington's Value
Sensitive Design Research Lab, cardiac patients with IMDs preferred security
solutions that "warned of potential problems. User authentication, such as the
use of passwords, can provide a measure of security from cyber threats while
placing more responsibility in the hands of the patient, and simultaneously
reducing reliance on more "inconvenient" security measures.
There is a drawback, however; doctors who might not know the password would be
unable to control the IMDs in the event of an emergency in which the patient was
unconscious. Bracelets with the passwords on them are one option, but patients
lose medical alert bracelets all the time. One potential solution is to have IMD-access
passwords tattooed on patients in a discreet manner, such as a barcode visible
only under ultraviolet light.
The Heart-to-Heart Approach
This method involves encrypting the heart itself by using reading of heartbeat
as biometric authentication that confirms that the individual trying to download
data or access or reprogram critical features of the IMD is an actual person
authorized to do so and in direct contact with the patient, not a remote hacker.
In it, a doctor holds a device against the patient's body, and the device reads
the patient's heartbeat and compares it to one relayed in a wireless signal from
the IMD itself, before confirming that the signals match. It doesn't depend on
any registration of a biometric reading however it operated by checking that the
signals are identical before medical personnel gain access to the implant. This
method avoids the cumbersome, time-consuming process that might otherwise
confront doctors or paramedics during an emergency. The rhythmic dynamic
character of the human heart makes this security measure possible. It produces a
unique rhythm, so the "password" is different in each measurement.
Researchers at Princeton University and Purdue University, recognizing the
danger of hacking into IMDs like pacemakers and insulin-delivery systems, found
that most of the typical security solutions developed for other types of
computing platforms wouldn't work on medical devices because of factors like
battery constraints and the unique way in which IMDs are used. So they developed
a different approach-a firewall known as Medmon. Similar to how firewalls secure
home or business computer networks by spotting and blocking malicious traffic,
Medmon "triggers response mechanisms that could warn the user or jam the
The Zero-Power Defense
Another option explored by researchers addresses the concern of adding more
complex security features to IMDs that could jeopardize the device's utility,
because of the high rate at which they would consume the IMD's limited battery
life. In order to provide enhanced security without draining a device's battery,
scientists have suggested using an energy-harvesting computer as a gateway
device. Those trying to communicate with an IMD, such as medical personnel,
power the gateway device with their own radio transmissions.
Those who are
unauthorized, like cyber attackers, would be deterred at the gateway stage,
preventing the IMD's limited battery power form being drained. Historically,
however, while some wireless medical devices use data encryption and communicate
over medical-grade band frequencies, most do not. Encryption capabilities add
complexity and demand more system resources to function properly, and many IMDs
lack sufficient battery and computing power to implement the sort of encryption
algorithms that would be needed.
Civil liability implications for IMDs
In situations where there has been a breach of consumer information, it is
almost inevitable that class-action lawsuits will be filed against the company
or entity that owned or licensed the data subjects' information that was subject
of the breach.
Historically, plaintiffs in these cases have had a difficult time prevailing
given the uncertainty surrounding how information was taken in a data breach
scenario, which makes showing the actual harm resulting from the data subject
difficult to prove as it relates to standing. Plaintiffs in a lawsuit are
required to prove standing as an essential element of their claim.
to meet this burden, they must prove they have "suffered a concrete and
particularized injury that is fairly traceable to the challenged conduct, and is
likely to be redressed by favorable judicial decision."This requires
plaintiffs to show they have either suffered actual harm, or that they will
suffer future harm to a sufficient degree to confer standing.
data breach cases are primarily premised on the plaintiffs' concern that their
personal information will be used to commit fraud against them in the future,
such claims are generally couched as a future harm that has not yet occurred,
which will be the same analysis when dealing with healthcare information. 
Concerns about what may happen in the future are necessarily unpredictable and,
thus, the issue of standing has proved to be problematic for plaintiff consumer
data breach litigation cases where the plaintiffs have not already suffered
actual cognizable harm. The year 2015 marked what, at first blush, appeared to
be a watershed moment in the development of this body of jurisprudence with the
United States Court of Appeals for the Seventh Circuit's opinion in Remijas
v. Neiman Marcus Group
For several years courts looked to the United States Supreme Court's Clapper v.
Amnesty Int'1 USA decision for guidance on the standing issue in cases premised
on allegations of future harm. In Clapper, the Court set forth the framework for
this analysis. To satisfy this framework, an injury must be 'concrete,
particularized and actual or imminent; fairly traceable to the challenged
action; and redressable by a favourable ruling."
- Joseph p. mcclain, phd, director of clinical engineering division, time to upgrade: new telemetry standards call for a new generation of wireless equipment
- Kevin Poulsen, Hackers Attack Epilepsy Patient Via Computer, WIRED (Mar. 28, 2008)
- Daniel Halperin, et al., Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
- Hammond v. The Bank of N.Y. Mellon Corp., 2010 WL 2643307
- Lujan v. Defenders of Wildlife
- Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013)
- Dana Post, Plaintiffs Alleging Only "Future Harm" Following a Data Breach Continue to Face a High Bar, THE PRIVACY ADVISOR (Jan. 28, 2014),
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015).
- Clapper, 133 S. Ct. at 1147 (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010)
- Amy M. Rubenstein & Brittany Robbins, Hacking Health Care: When Cybersecurity Can Mean Life or Death
Written By: Vaishnavi S
- Amy M. Rubenstein & Brittany Robbins, Hacking Health Care: When Cybersecurity Can Mean Life or Death
- Joseph p. mcclain, phd, director of clinical engineering division, time to
upgrade: new telemetry standards call for a new generation of wireless equipment
- Kevin Poulsen, Hackers Attack Epilepsy Patient Via Computer, WIRED (Mar. 28,
- Daniel Halperin, et al., Pacemakers and Implantable Cardiac Defibrillators:
Software Radio Attacks and Zero-Power Defenses.
- Student at V.M. Salgaocar College of Law, Goa
Please Drop Your Comments