Security and Privacy Applied Research Lab

Implantable Medical Devices: Security and Privacy for Pervasive, Wireless Healthcare

Kevin Fu
UMass Amherst, Computer Science


An incredible array of implantable medical devices treat chronic ailments such as cardiac arrhythmia, diabetes, Parkinson's disease, seizures, and even obesity with various combinations of electrical therapy and drug infusion. These devices use tiny embedded computers to control therapies and collect physiological data. To improve patient care and detect early warning signs, implantable medical devices are rapidly embracing wireless communication and Internet connectivity. Implantable cardioverter defibrillators (ICDs) are wirelessly reprogrammable and relay medical telemetry over the Internet via at-home monitors. Such devices will vastly improve care for chronic disease, but will also introduce fundamentally new risks because of global computing infrastructures such as the Internet that are physically infeasible to secure. Thus, new devices must not only prevent accidental malfunctions, but must also prevent *intentional* malfunctions caused by malicious parties lurking on the network.

Our interdisciplinary research team implemented several software radio-based methods that could compromise patient safety and patient privacy (e.g., disclosing patient data or inducing ventricular fibrillation via a wireless command). Addressing these new risks, our zero-power approaches help to mitigate the risk of intentional malfunctions. Attendees will learn about (1) the challenging security and privacy risks that result from the incorporation of wireless communication and Internet connectivity in healthcare; (2) the key factors for balancing medical safety and effectiveness with security and privacy; and (3) three new zero-power defenses based on RF power harvesting that balance security and power consumption to improve patient safety. This line of research is an important step in understanding how to provide better security and privacy as more medical devices rely on wireless communication. Wireless communication has the potential to improve patient care, but researchers have yet to fully understand the effects of wireless communication on security and privacy of pervasive devices. We do not believe that our discovery poses a significant threat today, but we are certain that the risks will grow as the technology develops. This research was carried out at the University of Massachusetts Amherst in collaboration with the University of Washington and the Harvard Medical School.


Kevin Fu is an assistant professor in the Department of Computer Science at the University of Massachusetts Amherst, and is the co-director of the Medical Device Security Center and the director of the RFID Consortium on Security and Privacy (RFID CUSP). Kevin investigates the security and privacy of pervasive and invasive computation, including RFID, implantable medical devices, and file systems. Kevin's contributions include the security analysis of an implantable cardioverter defibrillator, RFID-enabled credit cards, Web authentication, and software updates; the SFS read-only file system for fast integrity-protected content distribution; key regression for efficient decentralized access control of storage; and proxy re-encryption file systems for managing distributed access control. Kevin received his M.Eng. and Ph.D. in Electrical Engineering and Computer Science at the Massachusetts Institute of Technology in 1999 and 2005 respectively, and his S.B. in Computer Science and Engineering from MIT in 1998. Kevin's research received a number of best paper awards from premier conferences in computer security and cryptography. His research has appeared in The New York Times and The Wall Street Journal. Kevin also holds a certificate of achievement in artisanal bread making from the French Culinary Institute.