Let’s have a Heart-to-Heart (H2H)…or better yet, let’s not

Implanted medical device

As someone who has an implanted medical device, I’ve been increasingly alarmed by the medical device industry’s blind rush to internet-enable every device they sell.  Sure, a wireless link makes it easy to download data and adjust therapy from anywhere in the world.  But it’s also a huge risk to personal security: every wireless interface is a path that an attacker can reach without ever touching the patient.  What if a hacker took over your heart?

In October 2012 the Obama Administration finally ordered the FDA to start taking medical device security seriously, including intentional hacking and unencrypted data transfer that exposes Protected Health Information (PHI).  In June 2013 the FDA issued draft guidance calling on device makers and healthcare facilities to start addressing medical devices’ vulnerability to cyber attack.

That brings us to Heart-to-Heart (H2H), a novel authentication approach that treats the timing of the patient’s heartbeat as a shared source of randomness.  It relies on an external “programmer” being in physical contact with the patient’s body.  Both the programmer and the implanted device take an electrocardiogram reading at the same moment, and the programmer must show that its reading agrees with the implant’s.  Two sensors never see exactly the same signal, so “agree” means a close-enough match rather than an exact one; if the readings are close enough, access is granted.

This physical proximity or “touch-to-access” model is intended to give emergency responders the ability to reprogram or extract data from implanted medical devices when time is of the essence and any delay in treatment might prove fatal.  It also offers protection against remote attackers: someone reaching the device over its wireless link without touching the patient cannot produce a matching heartbeat reading, and a reading recorded earlier does not match the heart’s current rhythm.

So what’s the problem with Heart-to-Heart (H2H)?  It fails to address the IDENTITY in Identity & Access Management (IAM).  Proximity answers where the programmer is, not who is holding it: anyone who can touch the patient gets the same access, whether that person is a paramedic or an attacker who has gained physical access.  Controlling who is attempting to use the “programmer” is just as important as controlling the access itself.
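To make the two halves of that argument concrete, here is an added example (not code from the H2H paper, from SurePassID, or from any device vendor) that pairs a simulated implant with a simulated programmer the way the paragraphs above describe, and then layers the missing identity check on top.  The exchange is a simplified commit-then-reveal on heartbeat-timing features, not the published H2H protocol; the class names (`Implant`, `Programmer`), the feature extraction (`ecg_features`), the tolerance `MAX_MISMATCH`, the operator names and the use of a shared HMAC key as a stand-in for a real operator credential are all assumptions made for the illustration, and every heartbeat interval in it is constructed, not real patient data.

```python
# Touch-to-access pairing on shared ECG features, plus an operator identity check.
# Added illustration: a simplified commit-then-reveal exchange, not the published
# H2H protocol. All sample data below is constructed (no real patient data).
import hashlib
import hmac
import secrets

# Constructed inter-pulse intervals (ms between consecutive heartbeats).
# Implant and programmer see the same heartbeat through different sensors,
# so they differ by a few ms of jitter. The attacker's reading is a different
# rhythm: a device not touching the patient, or an old recording replayed.
IMPLANT_IPI    = [812, 835, 798, 851, 820, 843, 807, 829, 846, 815, 799, 838, 826, 811, 849, 821]
PROGRAMMER_IPI = [814, 833, 799, 850, 822, 841, 806, 831, 845, 817, 798, 839, 824, 813, 848, 820]
ATTACKER_IPI   = [701, 688, 712, 695, 705, 690, 698, 710, 693, 702, 707, 689, 699, 711, 694, 704]

BIN_MS = 8         # quantisation bin; a few ms of jitter moves a reading at most one bin
BITS_PER_IPI = 4   # keep the low-order (least predictable) bits of each bin index
MAX_MISMATCH = 8   # tolerate up to 8 of 64 differing bits between the two readings


def ecg_features(ipis):
    """Quantise each interval, Gray-code the bin index (neighbouring bins differ
    in exactly one bit) and keep the low BITS_PER_IPI bits. Returns 0/1 ints."""
    bits = []
    for ipi in ipis:
        g = (ipi // BIN_MS) ^ ((ipi // BIN_MS) >> 1)
        bits.extend((g >> i) & 1 for i in range(BITS_PER_IPI))
    return bits


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


class Implant:
    """Holds its own live ECG reading and an allowlist of enrolled operators
    (operator_id -> shared HMAC key; a stand-in for a real credential store)."""
    def __init__(self, ipis, enrolled):
        self.features = ecg_features(ipis)
        self.enrolled = enrolled
        self.challenge = self.peer_commitment = None

    def start(self):
        # 1. Fresh challenge so a recorded session cannot be replayed later.
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def reveal(self, commitment):
        # 3. Reveal our reading only after the programmer has committed to its own.
        self.peer_commitment = commitment
        return bytes(self.features)

    def decide(self, nonce, features, operator_id, proof):
        # 5. The opening must match the commitment (no echoing what we just revealed).
        if hashlib.sha256(nonce + bytes(features)).digest() != self.peer_commitment:
            return "reject: commitment does not open"
        # Proximity: the two readings must agree within the tolerance.
        if hamming(features, self.features) > MAX_MISMATCH:
            return "reject: ECG mismatch, no physical contact"
        # Identity: an enrolled operator must have bound this session to their key.
        key = self.enrolled.get(operator_id)
        if key is None:
            return "reject: unknown operator"
        expected = hmac.new(key, self.challenge + self.peer_commitment, "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            return "reject: bad operator proof"
        return "grant"


class Programmer:
    def __init__(self, ipis, operator_id, operator_key):
        self.features = ecg_features(ipis)
        self.operator_id, self.operator_key = operator_id, operator_key

    def commit(self):
        # 2. Commit to our own reading before seeing the implant's.
        self.nonce = secrets.token_bytes(16)
        self.commitment = hashlib.sha256(self.nonce + bytes(self.features)).digest()
        return self.commitment

    def open(self, challenge):
        # 4. Open the commitment and bind the operator identity to this session.
        proof = hmac.new(self.operator_key, challenge + self.commitment, "sha256").digest()
        return self.nonce, self.features, self.operator_id, proof


def pair(implant, programmer):
    """Run the exchange and return the implant's decision string."""
    challenge = implant.start()
    commitment = programmer.commit()
    implant.reveal(commitment)      # an honest programmer has no use for this value
    return implant.decide(*programmer.open(challenge))


def demo():
    clinician_key = secrets.token_bytes(32)   # provisioned to the enrolled clinician
    implant = Implant(IMPLANT_IPI, {"dr-lee": clinician_key})
    results = {
        "enrolled clinician, touching": pair(implant, Programmer(PROGRAMMER_IPI, "dr-lee", clinician_key)),
        "enrolled clinician, not touching": pair(implant, Programmer(ATTACKER_IPI, "dr-lee", clinician_key)),
        "unknown operator, touching": pair(implant, Programmer(PROGRAMMER_IPI, "mallory", b"guess")),
    }
    # Echo attack: commit to junk, wait for the reveal, then send the implant's own bits back.
    implant.start()
    revealed = implant.reveal(hashlib.sha256(b"junk").digest())
    results["echo of revealed reading"] = implant.decide(
        secrets.token_bytes(16), list(revealed), "dr-lee", b"\x00" * 32)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:36s} -> {outcome}")
```

The first three scenarios are the ones the text argues about: the same enrolled clinician is granted access while touching the patient and refused while not, and an unknown operator is refused even though the heartbeat readings match.  The fourth shows why the programmer has to commit before the implant reveals anything; without that ordering, a device that is nowhere near the patient could simply repeat the reading it was just sent.  Swapping the shared HMAC key for whatever credential a real IAM system issues to responders is the part the implant vendor, not this example, has to decide.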

The ticking time bomb scenario of a healthcare emergency is no reason to drop the identity component of IAM; proximity and identity are not mutually exclusive, and an emergency access path can still check who is asking.  SurePassID has figured out how to make the full spectrum of IAM security available to our customers, transparently to the user in some of the implementations we’ve done.  If we can do it, the healthcare industry can too.

Throughout the rest of the healthcare enterprise, managing identities is a crucial pillar of HIPAA/HITECH.  I want my implanted medical device to be just as secure.