2009 Design of Medical Devices Conference Abstracts

Home Telemedicine: Encryption is Not Enough PUBLIC ACCESS

[+] Author and Article Information
M. Salajegheh, A. Molina, K. Fu

 University of Massachusetts, Amherst, USA

J. Med. Devices 3(2), 027503 (Jun 29, 2009) (1 page) doi:10.1115/1.3134785 History: Published June 29, 2009


Implantable medical devices and home monitors make use of wireless radio communication for both therapeutic functions and remote monitoring of patients' vital signs. While our past work showed that lack of cryptographic protection results in disclosure of private medical data and manipulation of therapies (Halperin , IEEE S&P, 2008) our present work shows that even using encryption is insufficient to protect the confidentiality of patient telemetry. Our experiment analyzes the security of data traffic patterns of two sets of real medical telemetry: a corpus from PhysioNet (an online biomedical research database) and a network trace of a live disaster drill using Harvard's CodeBlue medical sensor network (Chen , DCOSS, 2008). Our work shows that even if a wireless medical device uses encryption, patient data can leak to unauthorized parties who need not be near the patient. Our measurements show that data packet timing information and headers distinguish the types of medical and monitoring devices even if traditional cryptographic mechanisms are used. Furthermore, the highly repetitive nature of medical data, such as ECG or respiration signals, leads to additional privacy vulnerabilities that cannot be easily mitigated by means of encryption without significant modification. Data compression technology further exposes encrypted telemetry to cryptanalysis. The information leakage of telemetry could facilitate unauthorized tracking of a patient because an ECG is known to uniquely identify a person in a predetermined group (Biel , IEEE I&M, 2002). Moreover, our study shows that data packet padding, encryption, authentication, and other common defenses against security threats require significant energy, storage, and computation that impose on the already scarce battery and space resources. Two of our experiments show how to automatically recover data from encrypted telemetry using Bayesian classifiers. In one experiment, we encrypted an ECG signal. By observing only the length of the digitally encrypted data, we were able to reconstruct sufficient information about the original ECG data that we determined the patient's heart rate. Using similar techniques, we recovered a leaked respiration signal that visually matches the original signal. Our findings show the weakness of using common cryptographic techniques on highly periodic and often compressed medical telemetry. Our work further discusses techniques to mitigate these security and privacy risks in wireless medical telemetry systems. However, all known techniques require extra energy, computation, and bandwidth from the medical device. The lesson learned is that encryption is not enough to protect the privacy of medical telemetry, and that reasonable assurance for security and privacy will require an energy budget. Future design of medical devices will have to make difficult tradeoffs between battery life versus security and privacy. This work was supported by NSF grants CNS-0627529, CNS-0716386, and CNS-0831244.

Copyright © 2009 by American Society of Mechanical Engineers
This article is only available in the PDF format.






Some tools below are only available to our subscribers or users with an online account.

Related Content

Customize your page view by dragging and repositioning the boxes below.

Topic Collections

Sorry! You do not have access to this content. For assistance or to subscribe, please contact us:

  • TELEPHONE: 1-800-843-2763 (Toll-free in the USA)
  • EMAIL: asmedigitalcollection@asme.org
Sign In