Towards Realistic Battery-DoS Protection of Implantable Medical Devices

Modern Implantable Medical Devices (IMDs) feature wireless connectivity, which makes them vulnerable to security attacks. Particular to IMDs is the battery Denial-of-Service attack whereby attackers aim to fully deplete the battery by occupying the IMD with continuous authentication requests. Zero-Power Defense (ZPD) based on energy harvesting is known to be an excellent protection against these attacks. This paper establishes essential design specifications for employing ZPD techniques in IMDs, offers a critical review of ZPD techniques found in literature and, subsequently, gives crucial recommendations for developing comprehensive ZPD solutions.


INTRODUCTION
Figure 1: A Reader/IMD system
Implantable medical devices (IMDs) such as cardiac pacemakers, neurostimulators, infusion pumps and more are autonomous devices with extremely high dependability and safety constraints. The typical operational lifetime of these battery-powered devices is around a decade while implanted in the patient's body. Almost all of these devices are equipped with wireless connectivity via a transceiver in order to support and complement their treatment capabilities [37]. They can communicate with an external reader (see Figure 1) for, e.g., monitoring patient health, updating IMD settings, and so on. However, despite their benefits, these communication capabilities open the door for malicious entities to wirelessly connect to the device in order to steal private patient data, achieve mis-diagnosis, or even cause physical harm. An attacker can cause physical harm either by changing the IMD functionality (e.g., by managing to send incorrect commands) or through a Denial-of-Service (DoS) attack. One such attack is the battery DoS, where the attacker forces the IMD to continuously run an energy-consuming operation, which ultimately results in power loss and IMD shutdown. As an example, he/she can repeatedly request the IMD to establish a secure channel using incorrect credentials.
Consequently, the IMD will run part of an energy-consuming authentication protocol to analyze every request, which will drain the battery. As indicated in the IMD-threat-modeling analysis in [37], battery DoS is one of the easiest-to-mount and most effective attacks. This is also backed by the majority of the IMD-specific ethical-hacking efforts, in which the batteries of commercial IMDs were depleted using black-box approaches [12,25]. The only robust way of protecting an IMD against a battery DoS is by running the above-mentioned (energy-consuming) authentication operation using only free harvested energy. It can be argued that there is no necessity for this zero-power defense (ZPD) mechanism since technology exists to wirelessly charge IMD batteries when they are running low (as discussed in Section 2). However, this recharging feature is only available in less critical IMDs, such as spinal-cord stimulators. For critical devices such as pacemakers, there is a reluctance among the medical community to give recharging responsibility to the patients, in order to avoid patient errors. Moreover, physicians prefer to replace the whole IMD after a certain period to get the latest technology [19]. Besides, even assuming that all IMDs have this capability, the attacker can still drain the battery before the patient or doctor has a chance to recharge it.
Energy harvesting is a widely used concept employed in a variety of devices including RFIDs. However, ZPD for IMDs introduces new challenges that do not apply in other domains. This paper is the first to facilitate the transition from concept to practical ZPD designs for IMDs. Based on a clear-cut set of design considerations, we survey and evaluate the current state of the art and proceed to propose specific recommendations for enhancing existing IMDs. Essentially, this work makes the following novel contributions:
• We consolidate ZPD design considerations for the specific domain of IMDs.
• We perform a survey of existing systems and highlight their limitations based on the above considerations.
• We provide recommendations in order to develop comprehensive protection of IMDs against battery-DoS attacks.
The rest of the paper is organized as follows. We provide brief background on the use of energy harvesting in IMDs in Section 2, and then provide motivation for using it to enhance IMD security in Section 3. In Section 4, we provide detailed ZPD design considerations. Based on these considerations, we review and evaluate state-of-the-art ZPD solutions in Section 5. In Section 6, we provide recommendations for improving ZPD designs. We conclude the discussion in Section 7.

ENERGY HARVESTING IN IMDS
The use of energy harvesting in IMDs is not new. The application of this concept, however, has been very narrow in this domain, i.e., in wireless power transfer (WPT)¹ to recharge IMD batteries. For instance, there are several rechargeable neurostimulators that are commercially available [1,28]. In this specific category of implants, there is a rising trend towards increased IMD-power requirements due to recent advances in neuromodulation-related pain relief. For such power-hungry devices, a non-rechargeable battery would result in a very short IMD lifespan and subsequently require expensive surgeries in order to replace the battery-depleted implants. One way of avoiding this is to use larger battery sizes, which can quickly become impractical to implant. Hence, the natural solution is to use rechargeable systems, which can prevent the need for frequent surgeries and would result in smaller battery sizes and implants as a whole [29].

ENERGY HARVESTING FOR IMD SECURITY
As indicated in Section 1, battery DoS is one of the easiest-to-mount and most effective attacks. In light of the fact that energy harvesting has already been employed by some classes of IMDs, the use of this concept, in the form of ZPD, has now become quintessential to protecting all IMDs against battery DoS. In this scheme, the IMD, while authenticating the external entity that is trying to communicate, runs the energy-consuming security primitives using the RF energy harvested from the incoming communication messages. The IMD is allowed to use the battery for subsequent operations only after the entity is authenticated. This prevents the IMD from depleting its battery on continuous bogus messages from a malicious entity.
¹ The term energy harvesting generally refers to harvesting energy from ambient sources, whereas WPT refers to the intentional transfer of energy from a dedicated charging device [5]. In this paper, we use the terms interchangeably.

DESIGN CONSIDERATIONS
In this section, we enumerate and discuss various considerations that should be taken into account when approaching the design of an IMD-specific ZPD system.

Choice of WPT technique
Since ZPD is based on the concept of wireless energy harvesting, it is important to briefly discuss the WPT techniques that enable such strategies. A typical WPT setup is shown in Figure 2 [16,23]. State-of-the-art IMD-specific WPT techniques can be broadly categorized into three types [2]:
Inductive Coupling (IC).
Near-field WPT is usually categorized as inductive coupling or inductive power transfer (IPT). IPT usually involves the use of two coupled coils that have the same inductance. The transmitter coil is placed outside the body. When an AC current passes through it, a voltage is induced by electromagnetic induction in the receiver coil, which is located inside the body. IPT is the dominant method used to wirelessly recharge commercial IMDs, specifically neurostimulators [1,28].

Radio Frequency (RF).
If the transfer is in the transition region (mid field) [13] or the far field, then the WPT system is usually categorized as RF power transfer (RFPT). Here, antennas are not limited to coils for the transmission of power. A typical RFPT system is shown in Figure 2.
Acoustic/Ultrasound.
This WPT category harvests acoustic waves, which are usually at ultrasound frequencies. In acoustic power transfer (APT), the transmitter node, while in contact with the skin, generates these waves using a piezoelectric transducer. These waves induce a voltage on a piezoelectric device in the receiver node, which is located inside the body along with the IMD.
The advantages and drawbacks of the three WPT techniques are summarized in Table 1 in terms of operating range, potential biological effects, amount of transferred power and receiver area. The choice of WPT scheme and associated transferred-power amount has an impact on the real-time IMD performance, and also on the size of the energy reservoir and, subsequently, the IMD as a whole. This is further discussed in the subsequent sections.

Medical safety constraints
The ZPD technique should satisfy the various requirements of the FDA, FCC, IEEE etc., in order to prevent any adverse biological effects on human tissue due to excess electromagnetic-energy exposure. IEEE puts constraints on the intensity of RF signals and defines maximum-permissible-exposure (MPE) limits for magnetic and electric fields [15]. In addition to RF-signal intensity, the signal frequency has a significant impact on the amount of energy absorbed in human tissue and the resulting potential to cause harm. This absorption is characterized by the specific absorption rate (SAR), which is expressed in W/kg or mW/kg. The peak-spatial-average SAR values for exposure in public and controlled environments are 2 W/kg and 10 W/kg, respectively (averaged over 10 g of tissue) [15]. The FDA also has guidelines regarding the intensity of acoustic signals in W/cm², namely the spatial-peak temporal-average intensity (I_SPTA) and the spatial-peak pulse-average intensity (I_SPPA) [10]. Satisfying these constraints impacts the choice of WPT scheme (as discussed in Section 4.1).

Frequency-band constraints
Certain FCC constraints also need to be met in order to avoid interference with devices operating in the same frequency band. For example, the MedRadio band, which is reserved for IMD communication, does not allow an equivalent isotropically radiated power (EIRP) of more than 25 µW [9]. Since this amount of power is unrealistic for WPT, a separate band should be used for power transfer, whereas the MedRadio band can be used for data communication. This implies increased cost and size due to the use of two antennas. One solution could be to use a single ISM-band (13.56 MHz) antenna for both WPT and data communication; however, this would result in lower data rates because the allowed bandwidth is smaller than that of MedRadio [26].

Harvested vs. Consumed power
Harvested power needs to stay above the consumed power in order for the energy consumers to work seamlessly. Otherwise, an energy reservoir should be employed so that it can collect sufficient energy before the IMD can use it. Technically, thanks to this reservoir, the ZPD scheme should always work, but the charging delay limits usability and real-time behavior, which can be critical in the case of emergencies.

Choice of energy reservoir
Either a supercapacitor (supercap) or a rechargeable battery can be employed as the energy reservoir. Supercaps in general have a longer lifespan and support more recharge cycles than batteries [24], and thus are more suitable for IMDs. The supercap, if used, could limit the range of the applied charging voltage, since these components have low operating-voltage limits. Also, as indicated by [17], the capacitor size has to incorporate the losses due to the decoupling capacitors connected to the energy consumers.
Figure 3: Classification of passive communication devices in terms of transmitter implementation (return/TX path: passive TX (RFID) via inductive coupling (LF-HF) or EM backscatter (UHF), the latter reflecting either the signal used for power transfer or a non-PT signal; or active TX that uses supply from the energy reservoir)

Passive wireless communication
Passive communication relies on WPT schemes in order to function without the need of an on-board battery. This concept forms the basis of ZPD strategies, which will be discussed in Section 5. The most critical component of these passive devices is the wireless transceiver that can cause significant peak power consumption based on the design choice. Based on the choice of transmitter, which subsequently impacts the receiver implementation, we categorize these devices into four schemes, as depicted in Figure 3.
The different schemes at the leaf nodes are numbered accordingly and are subsequently explained. The first part of the scheme name indicates the type of wireless communication, whereas the suffix indicates whether the communication shares the power-transfer-signal frequency band (PB) or uses an independent band (IB).
ActiveTX-IB.
The passive device has an active transceiver, i.e., it actively transmits (using supply from the energy reservoir) instead of reflecting the incident RF signal, as shown in Figure 4a. This scheme is employed by the design in [36].
IC-PB.
The forward-direction (reader to passive device) communication uses the same signal that is used for inductive power transfer, which lies in the low- or high-frequency band (LF-HF). For the reverse direction, the electrical properties of the inductive coil are changed (by load modulation, in this case Load Shift Keying), which affects the same inductive-coupling field and is thus detected by the reader (see Figure 4b). The design in [3] employs this scheme.

EMB-PB.
Compared to the previous scheme, RF/electromagnetic backscattering (EMB), which reflects the incident RF, is used for data transmission instead of inductive coupling. Here, the incident RF is used for both energy harvesting and data communication (see Figure 4b). The RF is reflected if the load across the antenna feed-point is minimum, and vice versa. One of the works that employ this scheme is [35]. The use of EMB helps eliminate the high peak power consumption of a conventional RF transmitter. This is important for passive devices because, even to transmit just a few bits of data, the peak power may exceed the incoming power, which will result in device malfunction in the absence of a reservoir. Note that the use of EMB for transmission is fully beneficial only if a simple and low-power circuit is used for the receive path, such as Amplitude-Shift-Keying (ASK) envelope detection.
Figure 4: Schematics of different passive communication schemes for ZPD
EMB-IB.
Compared to EMB-PB, the difference here is that the WPT signal is different from the one used for EMB (as shown in Figure 4c). The design in [23] uses this scheme.
ActiveTX-IB and EMB-IB offer the most flexibility since they use separate antennas for WPT and data communication. As discussed in Section 4.3, these configurations are helpful in meeting the FCC constraints while maintaining both the sufficient power transfer and data rates. On the other hand, IC-PB and EMB-PB are more economical in terms of resources since they only employ one antenna [26]. This is, however, at the cost of reduced flexibility in terms of data rate.

Fundamental security services
ZPD schemes primarily address Availability from the CIANA security services [37]: Confidentiality, Integrity, Authentication, Nonrepudiation and Availability. Ensuring the first four services can have an indirect impact on Availability. As an example, if the IMD has a dedicated processor that is responsible for authenticating an external entity, the peak-power consumption of the implant will increase when this peripheral is active. As a result, the bogus messages sent by an attacker will draw more energy from the battery than in the case of a less-secure IMD. Hence, ensuring one service should not be at the expense of the other.
The choice of cryptographic primitives, which are needed to provide these services, plays a critical role in the design of the energy-harvesting circuit. For example, lightweight block ciphers are preferred candidates for achieving data confidentiality because of their low energy profile. Moreover, in order to achieve integrity and authentication, a cipher-based Message Authentication Code (MAC) should be used instead of a hash-based MAC (HMAC) because of lower energy consumption in software implementations. For dedicated hardware implementations, however, this does not always hold [32]. Furthermore, for these systems mutual authentication should be employed instead of just authenticating the reader unilaterally. This is required to prevent spoofing attacks on the reader [38]. This implies that the harvested energy should be able to support both transmission and reception of data.
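As an added example, not code from the paper or from any of the surveyed systems, the following Python models the gating that Section 3 describes together with the mutual, nonce-based challenge-response that this section calls for: the IMD pays for every authentication attempt out of a harvested-energy reservoir and draws on its battery only after the reader has proven knowledge of the shared key, and the IMD proves its own knowledge of the key in return. It assumes HMAC-SHA256 from the standard library as a stand-in for the cipher-based MAC the paper prefers, takes E_auth = 20.07 µJ and a 10 µF reservoir at 3.3 V from Section 6.3, and uses constructed battery capacities; the message layout, class and function names and the energy bookkeeping are the example's own.

```python
import hashlib
import hmac
import secrets

# E_AUTH_UJ is the authentication energy quoted in Section 6.3; RESERVOIR_UJ is a 10 uF
# capacitor at 3.3 V (E = 1/2 C V^2), also from Section 6.3. Battery sizes below are constructed.
E_AUTH_UJ = 20.07
RESERVOIR_UJ = 0.5 * 10e-6 * 3.3 ** 2 * 1e6  # 54.45 uJ, comfortably above E_AUTH_UJ


def mac(key, *parts):
    """Stand-in for the paper's cipher-based MAC: HMAC-SHA256 over length-prefixed parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)  # length prefix keeps R_A||R_B unambiguous
    return h.digest()


class Reader:
    """External entity (programmer or base-station); holds the pre-shared key K."""

    def __init__(self, key):
        self.key = key

    def respond(self, r_b):
        # Pass 2: reader -> IMD: R_A || MAC_K(R_A, R_B, "reader")
        r_a = secrets.token_bytes(16)
        return r_a, mac(self.key, r_a, r_b, b"reader")

    def verify_imd(self, r_a, r_b, tag):
        # Pass 3 check: the IMD's reply must be MAC_K(R_B, R_A, "imd")
        return hmac.compare_digest(mac(self.key, r_b, r_a, b"imd"), tag)


class IMD:
    """Implant with a battery (uJ) and, when ZPD is on, a harvested-energy reservoir (uJ)."""

    def __init__(self, key, battery_uj, zero_power_defense=True):
        self.key = key
        self.battery_uj = battery_uj
        self.zpd = zero_power_defense
        self.reservoir_uj = 0.0
        self.authenticated = False
        self.pending_nonce = None
        self.rejected = 0

    def _pay_auth_energy(self):
        if self.zpd:
            # ZPD: the incoming RF refills the reservoir, which then funds the whole
            # authentication run; the battery is never touched before success.
            self.reservoir_uj = RESERVOIR_UJ
            self.reservoir_uj -= E_AUTH_UJ
        else:
            # No ZPD: every attempt, bogus or not, is paid for by the battery.
            self.battery_uj = max(0.0, self.battery_uj - E_AUTH_UJ)

    def challenge(self):
        # Pass 1: IMD -> reader: fresh nonce R_B
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def verify_reader(self, r_a, tag):
        # Pass 2 check; on success pass 3 authenticates the IMD to the reader.
        self._pay_auth_energy()
        expected = mac(self.key, r_a, self.pending_nonce, b"reader")
        if not hmac.compare_digest(expected, tag):
            self.rejected += 1
            self.pending_nonce = None
            return None
        self.authenticated = True  # battery may now be used for the session
        return mac(self.key, self.pending_nonce, r_a, b"imd")


def run_session(imd, reader):
    """One three-pass mutual authentication; True only if both sides verified each other."""
    r_b = imd.challenge()
    r_a, tag = reader.respond(r_b)
    imd_tag = imd.verify_reader(r_a, tag)
    return imd_tag is not None and reader.verify_imd(r_a, r_b, imd_tag)


def battery_after_bogus_requests(n, zpd, battery_uj=5000.0):
    """Drive n authentication attempts from a reader holding the wrong key;
    return (remaining battery in uJ, number of rejected attempts)."""
    imd = IMD(b"K" * 16, battery_uj, zero_power_defense=zpd)
    wrong_reader = Reader(b"X" * 16)  # does not know K, so every attempt fails
    for _ in range(n):
        run_session(imd, wrong_reader)
    return imd.battery_uj, imd.rejected


if __name__ == "__main__":
    print("legitimate session:", run_session(IMD(b"K" * 16, 5000.0), Reader(b"K" * 16)))
    print("100 bogus attempts, ZPD on :", battery_after_bogus_requests(100, zpd=True))
    print("100 bogus attempts, ZPD off:", battery_after_bogus_requests(100, zpd=False))
```

Running `battery_after_bogus_requests` with and without the defense shows the Section 3 point directly: with ZPD the rejected attempts leave the battery figure unchanged, without it each attempt costs E_auth. The reservoir is refilled from the incoming message before each attempt, which is where the charging delay of Section 4.4 enters in a real design; the model also shows that the reservoir must hold more than E_auth for the scheme to work at all.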

Emergency access
In the case of emergencies, the paramedics or first responders should have seamless and fast access to the IMD, without compromising patient safety and security. Hence, an appropriate balance should be attained between usability, safety and security. It is of paramount importance that the choice of WPT and the associated energy reservoir results in acceptable charging delay in order to ensure real-time performance. Otherwise, it will block legitimate access to the IMD in emergency scenarios.

Design suitability
Existing IMD designs take a long time from concept to market due to pedantic regulatory hurdles. Therefore, any new ZPD solution should fit seamlessly into existing designs, resulting in minimal changes and short review cycles. For example, as mentioned in Section 4.4, technically speaking a large energy reservoir should always work, but this increases the size of the ZPD solution and introduces unnecessary delay, which impacts suitability.

Conformity to touch-to-access principle
Any ZPD scheme shall ensure that only the entity in close proximity to the patient for a prolonged period of time is allowed to access the IMD. This touch-to-access principle assumes that it is infeasible for the attacker to get in close proximity since the patient would reject physical contact with untrusted entities [34,37].

Range of operation
The ZPD solution shall be able to work correctly independently of the implantation depth. Appropriate balance should be attained between the WPT and the associated thermal effects and energy absorption in the human tissue. Also, the ZPD solution shall allow the provision of a bedside-base-station operation for the convenience of the patient (see Figure 1). This device by definition can be less than 10 feet away from the patient [27]. However, in order to conform to the touch-to-access principle, this communication should be strictly limited to the bedside range (less than 5 feet away).

A SURVEY OF EXISTING ZPD TECHNIQUES
In light of the design considerations mentioned in Section 4, we now survey works from literature and discuss their limitations. We hope that this survey will help us construct more complete solutions. These works are presented in chronological order, which, to the best of our knowledge, are the only works pertaining to ZPD for IMDs.
Halperin et al. [12] presented the pioneering work of RFID-style energy harvesting for zero-power defense of IMDs. They use an RFID module called WISP [35], which employs EMB for the data transmission from the implant to the reader, and simple ASK-envelope detection in the reverse direction, while using RFPT for wireless power transfer. Their scheme, however, does not perform mutual authentication and its acoustic-communication-based key transport is susceptible to attack, as shown in [11].
The scheme from Liu et al. [22] is the only ZPD work that takes FCC regulations into consideration. They employ the ISM band for RFPT and the MedRadio band for data communication. It employs a dedicated passive RFID wake-up module, which performs RF-energy harvesting from the incoming signal in order to authenticate the other entity. Upon successful authentication, the main module is woken up. This scheme uses pre-shared keys between the reader and the IMD, which makes emergency access impossible. This is because in emergencies, the IMD and the paramedic reader are likely unknown to each other and therefore do not share a key.
Strydis et al. [38] propose an IMD architecture that isolates the implant functionality from the security tasks by using dedicated processing cores for the respective applications. They designed the security co-processor from scratch, which was optimized for executing the MISTY1 cipher in terms of energy and performance. The choice of this dual-core architecture helps in dealing with repeated communication requests that may prevent the implant from performing its primary task. Battery DoS is tackled by ensuring that the security core and the transceiver run on harvested RF energy before mutual authentication of reader/IMD. After successful authentication, these modules are allowed to use battery power for subsequent communication. However, they did not present a full system implementation.
Ellouze et al. [6,7] propose an RFID-based, energy-harvesting solution that uses the same WISP module as employed by [12]. In contrast to [12], their solution additionally provides mutual authentication. They use cardiac-signal-based biometrics for authentication and the generation of session keys. However, the fuzzy-vault-inspired protocol (OPFKA) [14] employed in their scheme is vulnerable to attacks, as demonstrated in [33].
Yang et al. [40] use IPT, and employ the same coil for power transfer and data communication. Their scheme provides mutual authentication. However, it employs pre-shared keys, and is thus unable to support emergency access. Moreover, they did not implement a unified ZPD-system since the hash-based authentication was verified separately on an FPGA.
Chang et al. [3] propose a generic ZPD solution that is not specific to IMDs per se; however, it covers a spectrum of devices that have more or less the same profile. They propose IPT for the power transfer from the reader. This signal is also used for bi-directional communication. However, they do not give any description of the employed security protocol. Table 2 compares the above ZPD techniques based on the various parameters and design considerations highlighted in Section 4. We can see that all listed works lack an evaluation of the hazardous biological effects of the employed WPT schemes. They also do not consider the possibility of a bedside-base-station operation, which is a rising trend in reader/IMD systems. Moreover, all the techniques offer insufficient security services and/or have security vulnerabilities in one form or another.

RECOMMENDATIONS
We, next, provide recommendations on how existing solutions can be improved in order to better meet the design constraints highlighted in Section 4.

Adaptive ZPD
In modern IMD setups, in addition to the doctor's programmer, we also have a bedside base-station, as shown in Figure 1. For the convenience of the patients, these wireless devices are required to communicate with the IMD from a few feet away [27]. With this constraint, IPT- and APT-based ZPD cannot be used for the base-station/IMD authentication. Hence, with this setup, it is advantageous to employ RFPT for energy harvesting, since it is more flexible than IPT and APT in terms of range. Though the amount of power transferred through RFPT is significantly smaller than with IPT/APT, it is not an issue in this specific case since the base-station communication is only used for non-critical daily monitoring. As a result, this setup can afford long delays due to energy-reservoir charging. In light of the above, an adaptive ZPD approach should be considered that, e.g., uses IPT/APT for doctor-programmer/IMD communication and switches to RFPT for base-station/IMD communication. In terms of implementation cost, it is more economical to use IPT for programmer/IMD communication instead of APT. This is because the same coils can potentially be employed for near-field (programmer communication) and far-field (base-station communication) operation. On the other hand, the use of APT (for programmer communication) would require piezoelectric transducers in addition to the RF antenna (needed for base-station communication).

Main-implant-battery size
We now discuss how realistic it is to achieve battery DoS when considering actual IMD battery sizes. The IMD-battery-lifetime estimates are shown in Figure 5. For instance, the pacemaker design in [21] has a processor duty cycle of 5%. For the calculations, it is assumed that the IMD has a state-of-the-art ultra-low-power ARM Cortex-M0+ based 32-bit MCU [18], running at 19 MHz, and an implantable-grade radio transceiver [30], with an effective data rate of 265 kbps. The duty cycle of the transceiver is assumed to be 0.21%, which corresponds to 3 minutes of active data communication per 24 hours with a bedside base-station [27]. The data points correspond to actual implantable-grade battery sizes [39]. The time required to completely deplete the IMD battery through battery DoS is illustrated in Figure 6. On average, we assume half the charge is available in the batteries due to normal use. We also assume that the authentication steps are executed in the active modes of the MCU and the transceiver, with current consumption of 0.78 mA and 4.9 mA, respectively. It can be deduced from these plots that, as a first layer of defense, the battery sizes for critical applications, such as pacemakers, should be as large as possible.

Reservoir size and charging delay
If the peak power of the load is always less than the harvested power then we do not need a reservoir. Otherwise, the size of the reservoir is determined by looking at the required energy consumption of all the consumers during the authentication operation. Moreover, if a reservoir is required, then it may seem that any ZPD scheme might work. However, this is not true since it can become impractical for high-energy-consumption solutions due to the long delay, which is required to store sufficient energy.
For capacitor reservoirs, in order to determine the required capacitance, the energy available in the capacitor (E_cap) should be greater than the authentication energy (E_auth). The capacitance can be calculated using (1) [4], where V_max is the capacitor voltage when it is sufficiently charged and V_min is the voltage after it has been used by the application or authentication process (see Figure 7).
RF-energy harvesters in general output constant power instead of constant voltage [31]. In this type of capacitor charging, the supplied voltage increases (instead of staying fixed) and the current decreases with increasing capacitor voltage. The capacitor charging time (t_ch) for this type of charging is calculated using (2) [31]. Here, P_ch is the charging power supplied by the energy harvester to the capacitor (C), R is the capacitor's equivalent series resistance (ESR) and Q is the charge (in coulombs) stored during this time.
If the authentication-energy consumption is reduced, then the required reservoir capacitance can be reduced as a result. If this value is within 0.1 µF to 470 µF, then ceramic capacitors can be employed, which are ideal for energy harvesting because of low leakage current, small size and low cost [4]. These capacitors also have a very low ESR [8], which allows us to ignore the effect of the time constant (RC). Hence, (2) can be simplified as (3), which is also equivalent to (4). Here, E is the energy stored in the capacitor.
The time it takes to charge an empty capacitor (t_ch,initial), and in the case of subsequent charging operations (t_ch,repeat) when the capacitor has a residual voltage of V_min, can be calculated by (5) [4].
Here, E_initial = ½·C·V_max², which is the energy attained by an empty capacitor when charged from 0 V to V_max.
As an example, we use the evaluation setup from Section 6.2 and take the ISO/IEC 9798-2 based mutual authentication protocol from the ZPD solution in [38]. We use AES-128 for data confidentiality and cipher-based MAC. For WPT, we look at the IPT scheme from [20], which is specifically designed for IMDs and delivers P_ch = 6.15 mW. Using V_max = 3.3 V and V_min = 2.1 V, which are within the operating supply-voltage range of this setup (i.e., 2.05 V to 3.5 V), we see that C for the resulting scheme turns out to be 6.19 µF (since the required E_auth = 20.07 µJ). Using a standard ceramic capacitance larger than this value, e.g., 10 µF, t_ch,initial and t_ch,repeat turn out to be 8.85 ms and 5.27 ms, respectively, which are quite reasonable in terms of real-time behavior.
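The sizing just described, carried through in Python as an added example that is not the paper's own code. It rests on the standard capacitor-energy relation E = ½CV²: the usable energy between V_max and V_min must cover E_auth, and with ESR neglected, as in (3)/(4), charging time is stored energy divided by P_ch. Fed the figures from this section (P_ch = 6.15 mW, V_max = 3.3 V, V_min = 2.1 V, E_auth = 20.07 µJ) it reproduces the 6.19 µF, 8.85 ms and 5.27 ms quoted above. The list of stock ceramic values and the battery capacity passed to the Section 6.2 depletion estimate are constructed inputs; the 0.78 mA and 4.9 mA active currents and the half-charge assumption are the ones given in Section 6.2.

```python
# Constructed list of stock ceramic capacitor values (farads); the paper's ceramic
# range is 0.1 uF to 470 uF.
STOCK_CERAMIC_F = [0.1e-6, 0.22e-6, 0.47e-6, 1e-6, 2.2e-6, 4.7e-6,
                   10e-6, 22e-6, 47e-6, 100e-6, 220e-6, 470e-6]
CERAMIC_RANGE_F = (0.1e-6, 470e-6)


def capacitor_energy_j(c_f, v):
    """E = 1/2 C V^2: energy stored in a capacitor of c_f farads at v volts."""
    return 0.5 * c_f * v * v


def required_capacitance_f(e_auth_j, v_max, v_min):
    """(1): smallest C whose usable energy between V_max and V_min covers E_auth."""
    if v_max <= v_min:
        raise ValueError("V_max must exceed V_min")
    return 2.0 * e_auth_j / (v_max ** 2 - v_min ** 2)


def charging_time_s(energy_j, p_ch_w):
    """(3)/(4): constant-power charging with ESR neglected, t_ch = E / P_ch."""
    return energy_j / p_ch_w


def initial_charging_time_s(c_f, v_max, p_ch_w):
    """t_ch,initial: empty capacitor charged from 0 V to V_max (E_initial = 1/2 C V_max^2)."""
    return charging_time_s(capacitor_energy_j(c_f, v_max), p_ch_w)


def repeat_charging_time_s(c_f, v_max, v_min, p_ch_w):
    """t_ch,repeat: capacitor left at V_min by the previous authentication, topped up to V_max."""
    used = capacitor_energy_j(c_f, v_max) - capacitor_energy_j(c_f, v_min)
    return charging_time_s(used, p_ch_w)


def size_reservoir(e_auth_j, v_max, v_min, p_ch_w, stock=STOCK_CERAMIC_F):
    """Pick the smallest stock capacitor that covers E_auth and report its charging delays.
    c_selected_f is None when E_auth is too large for any value in the stock list."""
    c_req = required_capacitance_f(e_auth_j, v_max, v_min)
    ceramic_ok = CERAMIC_RANGE_F[0] <= c_req <= CERAMIC_RANGE_F[1]
    c_sel = next((c for c in sorted(stock) if c >= c_req), None)
    result = {"c_required_f": c_req, "ceramic_ok": ceramic_ok, "c_selected_f": c_sel}
    if c_sel is not None:
        result["t_initial_s"] = initial_charging_time_s(c_sel, v_max, p_ch_w)
        result["t_repeat_s"] = repeat_charging_time_s(c_sel, v_max, v_min, p_ch_w)
    return result


def dos_depletion_hours(capacity_mah, i_mcu_ma=0.78, i_tx_ma=4.9, charge_fraction=0.5):
    """Section 6.2 estimate: hours to drain a half-charged battery while MCU and
    transceiver are held in their active modes by continuous authentication requests."""
    return charge_fraction * capacity_mah / (i_mcu_ma + i_tx_ma)


if __name__ == "__main__":
    r = size_reservoir(20.07e-6, 3.3, 2.1, 6.15e-3)
    print(f"C_required = {r['c_required_f'] * 1e6:.2f} uF, "
          f"selected {r['c_selected_f'] * 1e6:.0f} uF, "
          f"t_initial = {r['t_initial_s'] * 1e3:.2f} ms, "
          f"t_repeat = {r['t_repeat_s'] * 1e3:.2f} ms")
    # Constructed 1000 mAh battery; the paper's own data points come from [39].
    print(f"1000 mAh battery drained in {dos_depletion_hours(1000):.1f} h")
```

`size_reservoir` returns `c_selected_f = None` and `ceramic_ok = False` when E_auth pushes the requirement past the ceramic range, which is the case the following paragraph addresses; the margin the paragraph recommends is simply picking a stock value further up the list than the first one that fits.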
In general, the simplest solution is always to choose a reservoir capacitance that is much larger than the required value (as long as the charging delay is reasonable). This margin is important since the authentication protocol or the employed cryptographic primitives can change in the future, e.g., due to security updates. However, in case C turns out to be outside the ceramic-capacitor range due to large E auth , we can employ the following schemes to reduce it, and the charging delay.
Use of sleep modes.
The capacitor-charging delay can be minimized by using sleep modes and interrupts, instead of sizing the capacitor for the whole authentication, resulting in reduced required capacitance. One way of achieving this could be to reach a minimum required voltage (V_THRH) using a voltage-controlled switch before the capacitor energy is used by the rest of the IMD (Figure 8a). After some processing, the implant MCU can then enter sleep mode based on a voltage-comparator interrupt when the capacitor voltage (V_C) falls below a lower threshold (V_THRL). Subsequently, the MCU can wake up again if another such interrupt is set at V_C > V_THRH [17]. In this case, a protocol step, such as a MAC calculation, can have multiple processing steps. Another way could be to go to sleep after each protocol step in order to reduce the number of wakeups and the associated delay, at the cost of a larger capacitor. Here, the protocol step is the same as the processing step (Figure 8b). In this case, the supercap size should be chosen based on the most energy-consuming protocol step. However, this can be problematic if such a step is changed in the future due to the reprogramming of the IMD with a different authentication protocol. Note that in this scheme as well the comparator interrupt will be required to wake up the device, indicating that the capacitor has been sufficiently charged.
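The two sleep-mode variants worked through in Python, as an added example that is not from the paper. The first function follows the Figure 8a scheme, where processing is suspended whenever V_C drops to V_THRL and resumes at V_THRH, so the capacitor can be sized well below E_auth at the cost of more wakeups; the second follows the Figure 8b scheme, sleeping after each protocol step and therefore needing a capacitor that holds the largest step, and it raises an error when a step no longer fits, which is the failure mode a later protocol change could trigger. It reuses the Section 6.3 figures (E_auth = 20.07 µJ, P_ch = 6.15 mW, with 3.3 V and 2.1 V taken as V_THRH and V_THRL) and constructed per-step energies that sum to E_auth; ESR, leakage, the sleep-mode current and harvesting during processing are neglected, and the function names are the example's own.

```python
from math import ceil

# Figures from Section 6.3; the per-step split of E_auth is constructed for this example.
E_AUTH_J = 20.07e-6
P_CH_W = 6.15e-3
V_THRH, V_THRL = 3.3, 2.1
STEP_ENERGIES_J = [4.0e-6, 9.0e-6, 7.07e-6]  # e.g. nonce/MAC send, MAC verify, MAC reply


def usable_energy_j(c_f, v_high, v_low):
    """Energy the load can draw while the capacitor falls from v_high to v_low: 1/2 C (Vh^2 - Vl^2)."""
    return 0.5 * c_f * (v_high ** 2 - v_low ** 2)


def fine_grained_schedule(e_auth_j, c_f, v_thrh, v_thrl, p_ch_w):
    """Figure 8a: the MCU runs from V_THRH down to V_THRL, sleeps on the comparator
    interrupt and wakes at V_THRH again; a protocol step may span several wakeups.
    Returns (wakeups, total charging delay in seconds)."""
    e_cycle = usable_energy_j(c_f, v_thrh, v_thrl)
    wakeups = ceil(e_auth_j / e_cycle)
    t_first = usable_energy_j(c_f, v_thrh, 0.0) / p_ch_w   # 0 V up to V_THRH
    t_recharge = e_cycle / p_ch_w                          # V_THRL back up to V_THRH
    return wakeups, t_first + (wakeups - 1) * t_recharge


def min_capacitance_per_step_f(step_energies_j, v_thrh, v_thrl):
    """Figure 8b: the capacitor must hold the most energy-hungry protocol step."""
    return 2.0 * max(step_energies_j) / (v_thrh ** 2 - v_thrl ** 2)


def per_step_schedule(step_energies_j, c_f, v_thrh, v_thrl, p_ch_w):
    """Figure 8b: sleep after every protocol step; each step must fit in one charge cycle.
    After a step the harvester only has to put back what that step used before the next
    wakeup. Raises ValueError when a step exceeds the usable energy of the capacitor."""
    e_cycle = usable_energy_j(c_f, v_thrh, v_thrl)
    for i, e in enumerate(step_energies_j):
        if e > e_cycle:
            raise ValueError(f"step {i} needs {e * 1e6:.2f} uJ, "
                             f"one cycle supplies {e_cycle * 1e6:.2f} uJ")
    t_first = usable_energy_j(c_f, v_thrh, 0.0) / p_ch_w
    t_refills = sum(step_energies_j[:-1]) / p_ch_w
    return len(step_energies_j), t_first + t_refills


if __name__ == "__main__":
    print("single shot, 10 uF :", 1, "wakeup,",
          f"{usable_energy_j(10e-6, V_THRH, 0.0) / P_CH_W * 1e3:.2f} ms")
    n, t = fine_grained_schedule(E_AUTH_J, 2.2e-6, V_THRH, V_THRL, P_CH_W)
    print(f"fine-grained, 2.2 uF: {n} wakeups, {t * 1e3:.2f} ms")
    c_min = min_capacitance_per_step_f(STEP_ENERGIES_J, V_THRH, V_THRL)
    print(f"per-step minimum C : {c_min * 1e6:.2f} uF")
    n, t = per_step_schedule(STEP_ENERGIES_J, 4.7e-6, V_THRH, V_THRL, P_CH_W)
    print(f"per-step, 4.7 uF   : {n} wakeups, {t * 1e3:.2f} ms")
```

With a 2.2 µF capacitor the fine-grained scheme needs three wakeups but finishes charging in about 4.3 ms, against 8.85 ms for the single-shot 10 µF reservoir of the worked example; the per-step scheme with the same 2.2 µF raises an error because the 9 µJ step does not fit, and needs at least 2.78 µF. Each wakeup costs comparator and switch overhead that this model does not charge for, which is the trade-off the text describes.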
Gradual switch to harvested energy.
In another approach, the implant can use the battery for the first authentication request and, if it fails, switch to harvested energy for subsequent accesses within a specified time-frame. This can allow for smaller reservoir sizes, since we can afford the resulting delay due to frequent charge/discharge cycles in the case of an inauthentic entity.

Timeouts
It can be argued that timeouts can be employed as a simpler alternative to ZPD. For instance, after a certain number of incorrect attempts, the IMD can be made to not accept further messages for a certain duration. For domains other than IMDs this can be a natural choice. However, for IMDs, these timeouts can significantly compromise patient safety. For instance, any timeout after a malicious access can subsequently block a valid authentication attempt, which impacts availability.

CONCLUSION
Over the last few years, energy harvesting has been touted as a solution for protecting IMDs against battery-DoS. In this paper, we have provided an extensive review of the IMD-specific ZPD works from literature. We analyzed these works based on our formulated design considerations, and highlighted their shortcomings. This paper is the first to substantiate these considerations and to provide specific recommendations towards practical ZPD implementations. One strong recommendation is to employ adaptive ZPD in order to facilitate bedside-base-station operation. As future work, we intend to develop a comprehensive ZPD scheme, which incorporates the lessons learned from this work.