Biometric-based Two-level Secure Access Control for Implantable Medical Devices during Emergencies

Xiali Hei and Xiaojiang Du
Department of Computer and Information Sciences
Temple University
Philadelphia, PA 19122, USA
Email: {xiali.hei, dux}@temple.edu

Abstract—Implantable Medical Devices (IMDs) are widely used to treat chronic diseases. Nowadays, many IMDs can wirelessly communicate with an outside programmer (reader). However, the wireless access also introduces security concerns. An attacker may get an IMD reader and gain access to a patient's IMD. IMD security is an important issue since attacks on IMDs may directly harm the patient. A number of research groups have studied IMD security issues when the patient is in non-emergency situations. However, these security schemes usually require the patient's participation, and they may not work during emergencies (e.g., when the patient is in a coma) for various reasons. In this paper, we propose a light-weight secure access control scheme for IMDs during emergencies. Our scheme utilizes the patient's biometric information to prevent unauthorized access to IMDs. The scheme consists of two levels: level 1 employs some basic biometric information of the patient and it is light-weight; level 2 utilizes the patient's iris data for authentication and it is very effective. In this research, we also make contributions in human iris verification: we discover that it is possible to perform iris verification by comparing partial iris data rather than the entire iris data. This significantly reduces the overhead of iris verification, which is critical for resource-limited IMDs. We evaluate the performance of our schemes by using real iris data sets. Our experimental results show that the secure access control scheme is very effective and has small overhead (hence feasible for IMDs).
Specifically, the false acceptance rate (FAR) and false rejection rate (FRR) of our secure access control scheme are close to 0.000% with a suitable threshold, and the memory and computation overheads are acceptable. Our analysis shows that the secure access control scheme reduces computation overhead by an average of 58%.

Index Terms—implantable medical devices; biometric-based security; access control; iris

I. INTRODUCTION

Implantable Medical Devices (IMDs) have been widely used to treat chronic diseases such as cardiac arrhythmia and diabetes. Many IMDs are enabled with wireless communication capabilities and can wirelessly communicate with an outside programmer/reader. With the rapid growth of IMDs, IMD security becomes a critical issue since attacks on IMDs may directly harm the patient.

There are a number of attacks that an adversary could launch on IMDs. For example, pacemakers and Implantable Cardioverter Defibrillators (ICDs) contain a magnetic switch (or sensor) that can be activated by sufficiently powerful magnetic fields [1]. Vulnerabilities in the communication interface of wireless programmable IMDs may allow attackers to monitor and alter the function of medical devices without even being in close proximity to the patient [2]. IMDs contain sensitive patient data and information. An attacker could easily launch eavesdropping attacks on IMDs and harvest the patient's private information using a mobile phone with IMD reader function. Insurance companies also have motivations to perform such passive attacks.

Traditional security schemes (those designed for sensor networks and other systems) cannot be directly applied to IMDs, due to the severe resource constraints of IMDs in terms of energy supply, processing, and storage. For example, an IMD manufactured in 2002 (still being used today) contains as little as 8 KB of storage [3].
Furthermore, it is not easy to replace the battery for most IMDs, since an IMD is embedded in a human's body and replacing the battery may require surgery. Hence, it is challenging yet critical to design effective and resource-efficient security and privacy schemes for IMDs.

An intuitive approach for IMD access control during emergencies is to pre-configure a backdoor key in IMDs. In case of emergency, the medical personnel first need to obtain the backdoor key, and then use the key to access the IMD. However, the backdoor-key-based approaches have limitations. Some papers propose to store a global backdoor key in a server, so that medical personnel can obtain the key via the Internet. This does not work if the unconscious patient is in another country where the doctors do not have access to the server. Neither does storing the key in a hospital server. Maintaining a globally available backdoor key is costly. To sum up, none of the existing IMD access control schemes work well during emergencies.

In this paper, we present a novel Biometric-Based two-level Secure Access Control (BBS-AC) scheme for IMDs when the patient is in emergency situations (e.g., in a coma). Most IMDs are embedded in (or closely attached to) a human's body. Based on this fact, we propose novel access control schemes for IMDs by utilizing the human factor. Our BBS-AC scheme has two levels. The first level uses some basic biometric information of the patient,