Security That Is Meant to Be Skin Deep: Using Ultraviolet Micropigmentation to Store Emergency-Access Keys for Implantable Medical Devices

Implantable medical devices, such as implantable cardiac defibrillators and pacemakers, now use wireless communication protocols vulnerable to attacks that can physically harm patients. Security measures that impede emergency access by physicians could be equally devastating. We propose that access keys be written into patients’ skin using ultraviolet-ink micropigmentation (invisible tattoos). 1 The IMD Key Storage Problem Life-critical implantable medical devices (IMDs) are becoming increasingly commonplace. The most familiar, the pacemaker, is implanted into a million patients each year [11] and generates $1.98 billion for market leader Medtronic alone [10, p22]. Implantable cardiac defibrillators (ICDs) grew in popularity starting in 1990 [8]. Recently, researchers have raised concerns about IMDs use of wireless protocols; the of lack authentication and integrity mechanisms put patients at risk from attack by anyone with a transmitter [5, 6, 7]. Cryptographic authentication and integrity-protection would require an access key available to authorized physicians but not attackers. In emergencies, patients may require the care of physicians not previously authorized to access the device. Emergency physicians cannot rely on patients to be conscious to provide access keys. RFID tags, such as the VeriChip [13], cannot be used to store access keys as they provide no defense against malicious key requests. Access keys could be stored on medical bracelets, as are used to disclose conditions such as diabetes in emergencies [7]. Denning et al. proposed a medical bracelet that would prevent access to IMDs when worn and that would be removed in an emergency [3, 4]. Regardless of whether bracelets provide or prevent access, patients may lose or forget these bracelets and the mere presence of a bracelet reveals a patient’s condition to potential attackers. 2 Encoding keys as UV-Ink Tattoos We propose that a user-selected human-readable key be encoded directly onto patients using ultraviolet-ink micropigmentation, adjacent to the point of implantation. To increase reliability the encoding could be augmented to include an error correcting code and/or be replicated in full on the base of the patient’s leftmost foot—at the arch. All devices used to communicate with the IMD would be equipped with a small, reliable, and inexpensive ultraviolet light emitting diode (UV LED) and an input mechanism for key entry (a keypad or touch-screen). A single key would be sufficient for multiple devices and could be re-used when devices are replaced. The key encodings could take the form of user chosen character strings (optimizing for user choice), random character strings (optimizing for minimal size), or strings of hieroglyphic-like images chosen from a subset deemed acceptable to the user. The first option gives the greatest control to reluctant patients, whereas latter two options guarantee a minimum level of key entropy and can easily be augmented with error correcting codes. Each patient would be allowed to request new random encodings until finding one he or she deemed acceptable. 3 Safety, security, and reliability The biggest safety concern with UV micropigmentation the UV ink formulations used in tattoo’s today have not yet been sufficiently refined to minimize skin irritations and proven free of long-term health risks [12]. Unlike bracelets, UV micropigmentation does not advertise the presence of the IMD to potential attackers. When not covered by clothing, the UV ink can be hidden by UV-blocking sunscreen. Anyone close enough to read a patient’s tattoo is already close enough to kill the patient using other forensically untraceable mechanisms. Also unlike bracelets, patients cannot forget their tattoo. Placing micropigmented encodings adjacent to scars