Using the human body to enable a physical layer of security could possibly eliminate certain mobile data security and medical device security concerns, according to recent research.
University of Washington researchers explain in a paper that sensors on commodity devices, including smartphones and laptops, could potentially generate wireless data transmissions that are confined to the human body.
“Specifically, a communication primitive that transmits information directly through the body would create links immune to eavesdropping or man in the middle attacks,” wrote Mehrdad Hessar, Vikram Iyer, and Shyamnath Gollakota.
For example, a user would touch a fingerprint scanner on a smartphone and then place his or her hand on a doorknob. The smartphone could then send information securely to the doorknob or glucose sensors on the body.
This approach could also eliminate the need for typing in a serial number or a password to wirelessly pair medical devices with smartphones. Instead, a glucose or blood pressure monitor would receive information via a user’s body as he or she touches a finger to the smartphone.
“Bluetooth and Wi-Fi chipsets are designed to transmit data as far as possible over air; an attacker familiar with the communication standard can easily intercept these wireless transmissions,” the researchers wrote. “In fact, researchers have raised security and privacy concerns about the vulnerability of even custom radio protocols for wearable and implantable devices.”
For on-body transmissions to work, the researchers explained that the transmitting component would need to meet the following three requirements:
- The component should be in direct contact with the body
- The component should reliably produce electromagnetic (EM) signals required to implement the physical layer of a body-coupled communication system
- As EM signals above tens of megahertz do not propagate well through the body, it should generate EM signals below these frequencies
The paper also acknowledges that security is a key factor for wearable medical devices, and that the devices often encrypt data based on a secret key or password for secure communications.
“We can envision that a user would touch their fingerprint sensor, which would in turn transmit a secret key to medical devices on the body,” the researchers explained. “Once the secret key is transmitted, an encrypted pairing process can be used to establish a traditional wireless communication link, allowing the wearable device to communicate with smartphones or other devices.”
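The flow in that quote, sketched as an added example that is not from the paper: the secret arrives over the body channel, then both devices prove knowledge of it over the ordinary radio link and derive a session key. The paper does not specify the pairing protocol; the HMAC-SHA256 challenge-response, the HKDF step, and the names `Device` and `pair` are assumptions made here.

```python
import hashlib
import hmac
import secrets

def hkdf_sha256(key: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, standard library only."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class Device:
    """One side of the pairing. body_key is the secret received through the body."""
    def __init__(self, name: str, body_key: bytes):
        self.name, self.body_key = name, body_key
        self.nonce = secrets.token_bytes(16)  # fresh per pairing attempt

    def proof(self, peer_nonce: bytes) -> bytes:
        # Sent over the radio: shows knowledge of body_key without revealing it.
        msg = self.name.encode() + self.nonce + peer_nonce
        return hmac.new(self.body_key, msg, hashlib.sha256).digest()

    def verify_and_derive(self, peer_name: str, peer_nonce: bytes, peer_proof: bytes):
        if peer_name == self.name:  # a proof echoed back under our own name is rejected
            return None
        msg = peer_name.encode() + peer_nonce + self.nonce
        expected = hmac.new(self.body_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_proof):
            return None  # peer never received the on-body secret
        salt = b"".join(sorted([self.nonce, peer_nonce]))  # same value on both sides
        return hkdf_sha256(self.body_key, salt, b"radio-session")

def pair(a: Device, b: Device):
    """Exchange names, nonces and proofs over the radio; return each side's session key."""
    key_a = a.verify_and_derive(b.name, b.nonce, b.proof(a.nonce))
    key_b = b.verify_and_derive(a.name, a.nonce, a.proof(b.nonce))
    return key_a, key_b

if __name__ == "__main__":
    body_key = secrets.token_bytes(32)  # constructed stand-in for the on-body transfer
    phone, sensor = Device("phone", body_key), Device("glucose-sensor", body_key)
    print("paired:", pair(phone, sensor)[0] is not None)
    stranger = Device("glucose-sensor", secrets.token_bytes(32))  # radio only, no body contact
    print("stranger paired:", pair(Device("phone", body_key), stranger)[0] is not None)
```

Only nonces and HMAC outputs cross the radio link, so a device that saw the wireless traffic but was never in contact with the body cannot complete the exchange.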
Both mobile device security and medical device security are increasingly popular topics in the healthcare industry. While there has not yet been a case of a hacked medical device affecting a patient, the concern for such a scenario is growing.
In September 2016, the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) started working with Clearwater Compliance to investigate how best to improve wireless IV medical infusion pump security.
The pumps now utilize wireless technology, Gavin O’Brien, senior cybersecurity engineer with NCCoE, told HealthITSecurity.com. Providers may have less maintenance to perform, as software updates can be pushed to the devices rather than applied manually. In newer models, the dosing information can also potentially be sent wirelessly.
However, this has also created potential risk in that same wireless component, he added.
Both device manufacturers and healthcare providers need to work to find the right balance between innovation and security, O’Brien said.
“On the one hand, manufacturers build products that infuse drugs into patients and did that well,” O’Brien explained. “But now that everything has a computer on it, they added their wireless component, so these devices need to consider cybersecurity.”