Estimating Eavesdropping Risk for Next Generation Implants

Implanted medical devices are expected to be wireless in near future. Wireless nature of sensing, controlling and transmission brings along diﬀerent security threats. In this work, an analysis of eavesdropping risk is performed for an unencrypted data transmissions from an implanted medical device such as cardiac leadless pacemaker. This work utilizes statistical attenuation model along with measures of capacity, information rate and outage probability. Re-sults show that eavesdropping risk depends on pathloss with shadow fading, distance and information rate( R ). In addition, probability of successful eavesdropping increases if legitimate nodes transmits at lower rate. Thus, a proper tradeoﬀ between information rate ( R ) and eavesdropping risk should be made. Numerical results show that at an information rate of 650kbps, an IMD has a 5% risk of successful eavesdropping at a distance of 500mm. This work also consider diﬀerent transmission parameters like heart rate, blood pressure, ECG and EMG with their information rates and ﬁnd probability of successful eavesdropping at diﬀerent distances. This study provide basis for designing secure implantable cardiac leadless pacemaker with associated risks involved due to wireless nature of transmission.


INTRODUCTION
Rapid development in personal health systems based on implantable and wearable medical devices results in better quality of diagnosis. This along with automatically treating different medical conditions, improves quality of life. Implantable medical devices(IMD's) continuously monitor and treat physiological conditions inside the body. Notable among these devices are cardiac pacemakers and implanted cardiac defibrillators (ICD's). They help treating different Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.  [1] in the USA. With help of sensors these devices sense different conditions and provide proper actuation e.g. by maintaining heart rhythm.

Bodynets '17 Dalian, China
IMD's are mostly equipped with on-board transceivers to transmit wirelessly over certain distance. These transmissions facilitate remote monitoring of a patient. The wireless nature of modern IMD's is a significant source of security risks. Security risk for an IMD increases, when patient is in non-medial or in an open environment. Wireless nature of an IMD makes it more visible and can facilitate an eavesdropper to listen. Thus an insecure communication channel makes it easier for an eavesdropper to perform attacks on an implant similar to attacks on other computing devices. Successful eavesdropping may result in retrieval of patient information (medical and non medical) or performing attacks like forging and data altering. In addition, it may enable the modification of implant configuration without knowledge of the patient or physician. Security and privacy of implantable medical devices received a lot of attention when it was revealed that US Vice President Dick Cheney disabled the wireless telemetry on his ICD [2] [3]. The work of Halperin et al. [4] is considered as pioneer work in security analysis of IMD's, followed by different research activities providing security for IMD devices. Most of research is focused on mitigating the security risks via providing different encryption mechanisms in order to protect data between sender and legitimate node [5] [6] [7].
Cardiac pacemakers are designed to facilitate proper functioning of human heart. Currently these pacemakers are mostly implanted using wired electrodes. The next generation of these pacemakers are expected to be wireless. Data transmitted by these devices include transmission of real time patient data, offline patient data and device information along with different indicators. Heart rate, blood pressure etc are considered to be real time data whereas patient name, patient date of birth, patient history lies under offline data transmission. Pacemakers also transmit device information like battery status, device number etc. Furthermore, it may transmit indicators with different diagnosed conditions along with therapies performed. These data transmissions are vital in order to keep pacemaker with right configurations and continuous remote monitoring of a patient. They also help physician to have an updated report regarding heart condition of a patient. Frequency of transmissions depends upon the configurations used for a pacemaker. In case of wireless capsule inside a heart and subcutaneous node under the skin as shown in Figure 1, the data is transmitted every heart beat whereas wireless subcutaneous node with leads, logs an activity to a bed side external device on daily basis or data is retrieved during a visit to a physician. Table 1 shows examples of different types of traffic and their typical information rate for an IMD [8]. In order to perform the security analysis the first thing to do is analyzing different types of threats [9]. Providing a threat model is always considered to be starting point in security analysis. Among different threats one of the important threat is eavesdropping which provide basis for further attacks. Thus for the aforementioned purpose, this paper focus on finding probability of successful eavesdropping for legitimate transmission between leadless capsule inside human heart and subcutaneous implant. This work considers that an implant is using Medical Implant Communication system(MICS) band for telemetry between legitimate nodes with an assumption that encryption is not used in data communication. We find probability of successful eavesdropping by using a concept of outage probability. We show that eavesdropping risk depends upon information rate, distance, and antenna gains. We utilize statistical attenuation model [10] to find path loss between legitimate nodes and path loss between legitimate node and an eavesdropper. This helps finding the distribution of signal to noise ratio (SNR γ) at different distances (d). We can then set different cutoff thresholds for SNR (γ th ) depending upon various information rates (R) and find the corresponding outage probability. We finally provide the design details which help setting an appropriate information rate (R) between legitimate nodes.

Sensing
The rest of the paper is formulated as follows: Section II gives system model followed by eavesdropper model in section III, section IV provides numerical results, and finally we conclude and provides future work in section V.

SYSTEM MODEL
Our system consists of an eavesdropper, an IMD, and a subcutaneous node as shown in Figure 1. We consider implanted leadless capsule inside a right ventricle of human heart. This leadless capsule transmits unencrypted data to subcutaneous implant at a distance of 150mm. We consider the famous Alice, Bob and Eve model which can be seen in Figure 1 for our case scenario.
In case of IMD's, Eve can be categorized as • An eavesdropper, eavesdropping legitimate transmission can be an active or passive node.
• There is possibility of single eavesdropper or it may be part of well organised group.
• Eavesdropper is most likely to be an external intruder but there can be the case where an eavesdropper is It can be seen that each eavesdropper may have different intensions or goals. There may be possibility that some one eavesdrop just to get the private information of a patient or there may be a case where there is competition between manufacturers and they would like to obtain information on an IMD equipment. Eavesdropper may have higher capabilities than that of legitimate node like higher computational power, higher antenna gains, etc. In this work we consider single passive eavesdropper having same capabilities as a legitimate node trying to eavesdrop the communication. We also consider a case where the eavesdropper has high gain antenna.

EAVESDROPPER MODEL
This section focus on providing the probability of successful eavesdropping by utilizing path loss model for MICS band. We need to predict the received power from a transmitted node along with associated path loss at a certain distance (d). This helps finding distribution of signal to noise ratio (SNR). Then by considering different values of information rate (R), we can set different cutoff thresholds and find probability of successful eavesdropping at a certain distance (d).

Received power/Attenuation
We consider that IMD (leadless pacemaker) is transmitting with power Pp to subcutaneous node at a distance of 150mm. The eavesdropper is trying to listen the transmission and receives power Pe at a distance (d) away from the IMD. The power received by the eavesdropper can be given as In (1), Gp and Ge are antenna gains of implant and eavesdropper antenna whereas α is path loss exponent and w is a random variable given by Equation (2) is used to model log normal shadowing effect. Here S h is Gaussian random variable with zero mean and standard deviation σ ranging from 4-12 dB[10] [11]. This randomness is because of propagation through different materials (e.g bone, muscle, etc.).
In order to compute the numerical results, we generally work with signal attenuation from sender to receiver, and then can utilize it into any case scenario. Here we consider sender as a legitimate node (IMD), where as the eavesdropper is considered as a receiver. Thus instead of received signal strength, attenuation between IMD and the eavesdropper can be given as In this paper, we utilizes path loss model provided by [10] in order to find attenuation at distance (d). Thus, a pathloss/attenuation in logarithmic scale (dB) can be given as In (4), P L(d) dB is the path loss at distance d between the implant and the eavesdropper, do is the reference distance and is equal to 50mm. Path loss exponent α is equal to 4.26 in [10]. Furthermore P L(do) is the path loss at reference distance and is equal to 47.14 dB. Similarly, S h is random scattering around the mean and is equal to 7.85dB.

Outage Probability, Information rate and Detection threshold
The main focus of this section is outage probability(OP), information rate(R) and detection/cutoff threshold. This section also provide relation between these quantities for main link(link between legitimate nodes) and show how they provide eavesdropping risk. Outage probability is the probability that "When signal to noise ratio (SNR γ) at the input of a receiver chain fall below certain threshold level [12]". It can be expressed as where γ is signal to noise ratio (SNR) and γ th is the threshold SNR. For a communication between legitimate nodes, the value of SNR (γ) should be greater than threshold otherwise the communication link will be in outage. Based on this threshold, which can also be referred as cutoff threshold, we define the probability of successful eavesdropping at any distance (d). In (5) SNR (γ) can be expressed as where P e, is received power at input of receiver chain, Pp is power transmitted, δ(d) is attenuation at a distance (d), B is bandwidth and No is noise spectral density. In logarithmic (dB) scale (6) can be expressed as where, a constant per channel transmit power P pdBm and constant (NoB) dBm is considered. In (7), P L(d) dB is mean path loss obtained from (4) at any distance (d). Furthermore S h is Gaussian random variable with zero mean and σ dB = 7.85dB. Thus, (7) show that SNR (γ dB ) has Gaussian distribution with mean as and standard deviation of σγ dB = 7.85dB. Our approach basically uses the concept of channel capacity as a measure. According to the concept of capacity, for a given information rate R , there exist a minimum received power to successfully decode the transmission based on certain threshold SNR. Using this concept, the capacity of a link is given by the famous Shannon capacity formula Where B is per channel bandwidth and is equal to 300kHz in case of MICS band and C is capacity. In order to find threshold SNR γ th ,(9) can also be expressed as In logarithmic scale (10) can be expressed as γ th dB (R) = 10 log 10 γ th (11) Equation (10) shows that threshold SNR is function of information rate (R). With variation in information rate (R), cutoff threshold (γ th ) varies and have different information rate R due to different traffic transmitted by an IMD. If we solve (10), by taking B = 300kHz and R = 600bps, we have γ th dB as −28dB which shows that we have successful, error free decoding at that threshold. By reducing information rate (R), the cutoff threshold reduces where as by increasing, it increases the detection or cutoff thresholds. Thus, at a same distance d outage probability increases because of higher cutoff threshold and decreases because of lower cutoff threshold(γ th ) (5).

Probability of successful eavesdropping
In order to find the probability of successful eavesdropping, we use the concept of outage probability as shown in (5). We have to take certain cutoff threshold represented by γ th dB . Eavesdropper is able to eavesdrop communication with certain probability, when SNR (γ dB ) between Alice and Eve is greater than set cutoff threshold γ th dB . Here we express both SNR(γ) and cutoff threshold (γ th ) in dB scale, i.e. γ dB > γ th dB (7) (11). The probability of successful eavesdropping can be given as As SNR (γ dB ) is Gaussian distributed (7) with mean µγ dB (8) and standard deviation σγ db , we can express (12) by Qfunction as Where, PSE is probability of successfull eavesdropping, γ th dB is cutoff threshold depending upon R (10) and µγ dB is mean of signal to noise ratio (γ dB )(8) at any distance (d). Equation (13) can also be expressed as The eavesdropper can increase probability of successful eavesdropping by using high gain antennas. An antenna with high gain, have a reception from greater distances and have higher SNR. But nothing comes without cost, higher gain results from larger dimensions of an antenna. In case of MICS band the transmitting antenna gain is considered to be part of path loss model [10]. Different antennas has different antenna gain and aperture relation but in general it can be expressed as From the eavesdropper perspective, she wants to eavesdrop without noticing. But with large aperture antennas it can not happen easily. So, the gain of an antenna can not be increased above certain limits e.g. if we are using MICS band and want to have an antenna gain of 20dBi then the effective aperture of an antenna will be around 4.4m 2 which can not go without noticing within short distance of a patient.

NUMERICAL RESULTS
This section focus on numerical results by considering scenario as shown in Figure 1 which focus on communication between implanted leadless capsule(pacemaker) and a subcutaneous node under the skin. For communication between the implant and subcutaneous node, we are interested to find the probability of successful eavesdropping. First, channel attenuation is predicted by utilizing pathloss model in [10], which give an SNR γ dB distribution (7). Then different cutoff thresholds γ th dB for an SNR are considered based on information rates (10)(11). We take different cutoff values by considering information rates from Table 1, whereas Table 2 provides different information rates with corresponding threshold SNR. Now, by looking into different threshold values, we utilize (14) and find probability of successful eavesdropping PSE. Figure 2 shows probability of successful eavesdropping for different information rates (R) at different distances.
The results in Figure 2, shows that if an eavesdropper is exactly at same distance as that of subcutaneous node i-e 150mm for an information rate of 650kbps, then in practice the probability of successful eavesdropping is about 100 %. But when an eavesdropper distance is increased the probability of successful eavesdropping reduces with distance e.g. for the same case at 400mm, the probability of successful eavesdropping is reduced to around 19%. Each curve shows   Table 2: Cutoff threshold SNR for IMD traffic probability of successful eavesdropping for certain information rate (R) over different distances. An eavesdropper can also increase its receiver sensitivity against path loss by using high gain antennas, resulting in successful eavesdropping over larger distance because of higher SNR e.g as shown in Figure 2 the dashed lines show that probability of successful eavesdropping is increased over a distance by using an antenna gain of 4dBi for the same respective cases without antenna gain (green and red curve). Here it is notable to mention that from a design perspective, a proper tradeoff is required between information rate and eavesdropping risk.
We refer to the same example by considering 650kbps information rate, which shows successful eavesdropping probability of 19 % at 400mm. But in case, if information rate is reduced to 0.6kbps, at a same distance of 400 mm probability of successful eavesdropping is close to 100 %.   Figure 3 gives probability of successful eavesdropping for different information rates, against certain fixed distance. Alice and Bob link is considered as 150mm whereas Alice and Eve link is changed. For our case, we consider Alice-Eve distance of 150mm, 350mm, 550mm, 750 and 1000mm. The eavesdropping risk is calculated for these distances with different information rates (R). For each information rate, we calculated corresponding cutoff SNR (γ th dB ) and then find PSE by (14). Figure 3 shows that if we have Alice-Eve distance of 1 meter and an Information rate of 1kbps, probability of successful eavesdropping is 85 % and reduces to 10% at a rate of 60kbps. Thus by increasing information rate, probability of successful eavesdropping reduces. We also provide results of eavesdropping risk against outage probability of main link (Alice-Bob). Figure 4 is in logarithmic scale, which shows that as outage probability of Alice-Bob link increases, probability of successful eavesdropping reduces. It can also be seen that for Alice-Bob link outage probability of 0.01, the minimum distance should be approximately 1.5m for having the eavesdropping risk of 0.001.

CONCLUSION & FUTURE WORK
In this paper we perform analysis of eavesdropping risk for a communication between an implant and subcutaneous node. We analyze probability of successful eavesdropping for different distances with different information rates. We analyze that proper tradeoff is required between information rate and corresponding eavesdropping risk. Our numerical results show that for the information rate (R) of 650kbps, there is 5% probability of successful eavesdropping at a distance of 500mm. If the information rate is reduced, eavesdropping risk increases over a larger distance. Our results also show that path loss reduces eavesdropping risk whereas antenna gains increases the risk. In future, it will be interesting to take different scenarios where we can consider transmission from subcutaneous node to external programmer or directly from leadless capsule to a programmer. We would also like to perform risk analysis using UWB band and finding probability of successful eavesdropping.

ACKNOWLEDGMENTS
"This work was supported by the Marie Curie Research Grants Scheme, with project grant no 675353 WIBEC ITN".