EE Times has an interesting story about a 10 USD single-chip platform for building wireless medical devices. This immediately made me think about the research around hacking of implantable medical devices. The Vena platform is not intended for implants, so the potential cost of an attack is lower, but not by much.
Of the two standards mentioned in the article, IEEE 11073 appears to be solely a data exchange and transport specification and only the Bluetooth Medical Device Profile seems to speak to security. However, I could not find much substantial information on what that means. Would this be the standard security built into Bluetooth itself or something more? Would the security components, beyond device pairing, be optional or required? These are important questions when the story spends so much time explaining how Vena will make it easy to fling confidential and sensitive medical information around on otherwise eminently sniffable RF.
Worse, the Vena platform provides other connectivity mechanisms with which an implementer may choose to provide naive, non-secure options. The fact that it is capable of a full TCP/IP stack says to me that we could easily see standard wired connectivity with data exchange entirely in the clear. Such a commodity chip is unlikely to have the horsepower to use standard encryption like SSL, and unless Cambridge Consultants is providing hardware support for appropriate data protection, I am skeptical OEMs will add anything in their software and firmware implementations.
I’d love to see better adoption of technology in the medical field, to improve patient care and reduce cost. The potential for technology to help here is enormous, especially given how resistant the field has been to date. But to see initiatives that don’t focus on patient confidentiality and the appropriate security worries me more than any potential advantage we could gain.