The future of cybersecurity: Your body as a hacker-proof network

Could a 'body area network' be the key to keeping medical devices safe or transferring data between individuals?

Security issues with IoT medical devices could put patients at risk The consequences of security lapses in connected health devices could be serious, research has warned.

What do insulin pumps, pacemakers, and MRI scanners have in common? If you said they're all medical devices that can help to save your life, you're right. If you guessed that they're all medical devices that can be hacked, you're sadly all too correct too. 

Increasing numbers of implantable medical devices are now gaining internet connectivity, giving doctors the ability to monitor patients health remotely, and even update the devices to tweak a treatment plan. Unfortunately, that flexibility offers a way for hackers to hijack that hardware, and even potentially make changes to the way the devices work. While so far no attacks have been successful, proof-of-concept attacks have been available for years. 

And while it might be tempting to hope that cybercriminals might see corrupting life-sustaining devices as a step too far, they haven't historically shown much of a conscience, cheerfully extorting money away from hospitals, for example, and putting patients at risk.

SEE: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)

In future, as connected medical devices not only monitor health condition but also dispense drugs and actively treat patients, keeping health hardware locked down is going to take on greater significance not only for tech companies, but for the individuals whose life might depend on them. But will it really be possible to keep personal health networks secure?

Traditionally, connected medical devices have used wireless to share data with healthcare systems. Using wireless, however, means signals from the devices can be read from tens of metres away -- and so potentially hacked. (The Department of Homeland Security recently gave a severity rating of 9.3 out of 10 to a flaw that allowed implantable defibrillators to be hacked from 20 feet away.)

Researchers at Lafayette's Purdue University have come up with a new approach to protecting implantable medical devices. As that wireless connectivity is one major way medical devices could be open to attack, one way around the problem is to use the device-wearer themselves as a conduit, routing the signal through their body -- which dramatically cuts the distance over which any data can be read.

The Purdue researchers aren't the first to come up with the idea of using the human body as the carrier for a network, but earlier versions of 'human body communication' still ended up radiating signal over a distance outside the body, leaving them theoretically open to attack. 

The Purdue researchers have created Electro-Quasistatic Human Body Communication (EQS-HBC) which uses low-frequency, carrier-less broadband transmission, and so keeps the signal almost entirely within the human body. That means data from pacemakers and other implantable medical devices would only be readable a handful of centimetres outside the wearer.

"From the security perspective of EQS-HBC, if it can confine the data transmission within the human body, it would enable a form of physical layer security, which is presently non-existent in WBANs [wireless body area networks]. Thus, the data transmission would be fully secure from an external malicious attacker. The adversary needs to be in direct physical contact with or almost touching the person to gather any EQS-HBC data," the researchers write -- in other words, anyone who wanted to hack your pacemaker would have to be touching you first.

As well as making implantable medical devices more secure, EQS-HBC also offers lower energy consumption.

"When you take information and put it onto electromagnetic carriers to communicate, which is what we do with our wireless technology -- Bluetooth, 5G -- you take a lot of energy because you have to generate that high-frequency electromagnetic wave, in the order of 5-10 nanojoules to send one bit," Dr Shreyas Sen, assistant professor of electrical and computer engineering at Purdue University, tells ZDNet. 

"When you communicate over a wire, that only takes in the picojoules per bit, it's 1000x more efficient. We started exploring how we might use the human body as a wire -- bringing the wireline kind of techniques into the human body to make it act like a wire. It really created interest in this technology." 

That means EQS-HBC has a practical advantage over wireless body networks: less energy demand means longer battery life for any implantable devices using the network. And a longer battery life means such devices won't need replacing as often -- for someone with a pacemaker, that could add up to a whole lot fewer invasive surgeries over their lifetime.

"If you look at the computing energy versus communication energy, communication energy is significantly greater. You take information which is relatively lower frequency and put it onto this high-frequency electromagnetic carrier, which comes outside the body, through the airways and to the device you want it to go to, which means you're blasting out energy in all directions and can't channel it to the intended device. It's extremely inefficient; whenever connectedness comes into devices, it drains the battery significantly," Sen says.

The technology has already drawn interest not only from startups, but from health companies and mainstream technology firms, which are increasingly targeting the sector.

The system uses frequencies under 1Mhz, and transmits the signal through the epidermal layers of the skin, which are picked up by on-body receivers, which could include devices such as health-tracking bands, watches, or other wearables. 

Ultimately, the researchers envisage EQS-HBC gathering data from any number of sensors within the body, from head to feet, and feeding that back to healthcare systems, either within a band itself or in the cloud. While the most imminent use of such technology could be for simply monitoring biomarkers or adjusting implantable devices, it could ultimately be used for preventative medicine and population health, scanning data from the sensors for anomalies that could be suggestive of the first signs of disease that may yet be undetectable to the wearer.

"We are living in the age of AI, where AI is bringing benefits through data. For the application of AI in healthcare, it needs a continuous stream of data from many, many sensors around our body. Once this data is gathered in a hub, like a watch, or in the cloud, with not only my data, but my data compared with an anonymised pool of other people's data, that really brings the power of analysis and hence we can prevent [disease] before it becomes noticeable to us. When we go to the doctor, sometimes it's too late," Sen says. 

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

The researchers already have already created the first generation of the dust-sized integrated circuit based on EQS-HBC, and are working on the second, although it's likely to be several years before a system using the technology becomes commercially available, by which time the researchers are hoping there will be even more devices and use cases that will require human body communication networks, including being able to transmit data between two people with just a handshake, or using biological data as a form of password-free identification. 

Neuroscience too could prove fertile ground for in-body networking: the researchers suggest that it could be used for closed-loop neurostimulation (where electrical signals are used to stimulate nerves in conditions such as epilepsy and movement disorders), and even for human-brain interfaces. 

"When we communicate between two devices without a physical medium in between, say a phone and cell tower, we have used electromagnetic frequencies for 100, 150 years now. When you have two devices around the body, we have the medium -- the body itself. Trying to use radio-frequency signals when you have a medium is not the correct thing to do -- it would be much better to use the medium. There will be that philosophical change and I see this field catching up as we have more devices around the body," Sen says.