There has been anticipation that medical devices such as heart rate monitors, ECG monitors and implantable cardiac defibrillators are not secure enough. They tend to transmit data wirelessly, which can be intercepted.
In my view it is very critical; there are already attack papers that show that you can read patient data or even remotely influence the operation of the device by changing its settings. The devices have to operate with very low power draw and cannot support complex crypto, but I guess that the manufacturers of current devices also underestimate the dangers because you have to be in the vicinity as an attacker.
You can browse the papers from Kevin Fu, who is very active in that area.
Thank you for your answer, Matthias. I agree there are potential threats in medical information databases and medical devices. But it seems to me that this area has been treated as something like an 'emergency scenario': police respond only after something goes wrong and potential threats are ignored, while security engineers are always asked to prepare for any case that can happen. Are the industries adopting this idea?
Well, I guess most security research solves non-existent problems, so it's hard to tell if attacks on medical devices will be relevant or not. But still, I'm sure there are strict guidelines and regulations for the design and implementation of medical device hardware, and with good reason. I don't see why device security should be put at risk because the software does not get the same attention.
There is so much security research, and the people there should be able to design a provably secure way to interact with the implanted devices; there are only two devices/parties in it, how hard can it be?
I haven't done research in that field myself, so I don't know how good or bad the security situation really is or how the industry acts, but I wouldn't like the idea of letting the software get out of the beta phase after it has been implanted.
A colleague of mine is supervising a student project working on exactly this topic in cooperation with colleagues at the hospital of our university (and a manufacturer of these devices, as I understand it).
As for the reason why: as a designer of these systems, you need to build something that provides a sufficiently high level of security, because the device must never pose more of a threat to the patient than the default situation. What the default situation is exactly depends on the alternatives: if a device only rarely needs tuning, it may be safer for the patient if the device does not allow wireless communication. The device could then be tuned through physical access (which requires an operation, and thus also brings risks).
Challenges:
The most important and unique issue I see is the challenge of availability. How do you prevent an attacker from executing a denial-of-service attack by repeated authentication requests, in the worst case knocking out the power supply of the device and causing (potentially) severe injury to the patient?
This is apart from the regular security challenges we have (such as protecting the confidentiality and integrity of configuration data).
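The availability challenge raised above (an attacker draining the battery with a flood of authentication requests) is easier to reason about with numbers attached. The following is an added example, not code from the thread or from any device manufacturer. It simulates an implant under two request-handling policies with a constructed cost model: every figure (200 energy units per full verification, 1 unit per early rejection, a 60-second window with at most 5 verifications) is an assumption chosen for illustration, and `genuine` stands in for the result of the real cryptographic check rather than implementing one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed cost model (assumption for this example, not figures from the
 * thread or from any real device): energy units the implant spends per
 * operation. Verifying an authentication message (MAC/signature check) is
 * the expensive step; refusing a frame before any crypto runs is cheap. */
#define COST_VERIFY           200u
#define COST_CHEAP_REJECT     1u
#define WINDOW_SECONDS        60u  /* length of one rate-limit window */
#define MAX_VERIFY_PER_WINDOW 5u   /* full verifications allowed per window */

typedef enum {
    POLICY_NAIVE,    /* verify every request: the attacker sets the energy use */
    POLICY_BUDGETED  /* cap verifications per window, then reject cheaply */
} policy_t;

typedef struct {
    policy_t policy;
    uint64_t energy_used;
    uint32_t window;              /* index of the current rate-limit window */
    uint32_t verifies_in_window;  /* full verifications spent in this window */
} implant_t;

static void implant_init(implant_t *d, policy_t p) {
    memset(d, 0, sizeof *d);
    d->policy = p;
}

/* Handle one incoming authentication request at time t (seconds).
 * `genuine` stands in for the outcome of the real cryptographic check; the
 * point here is what it costs to reach that check, not the check itself.
 * Returns true if the request was verified and accepted. */
static bool handle_request(implant_t *d, uint32_t t, bool genuine) {
    if (d->policy == POLICY_BUDGETED) {
        uint32_t w = t / WINDOW_SECONDS;
        if (w != d->window) {             /* new window: reset the budget */
            d->window = w;
            d->verifies_in_window = 0;
        }
        if (d->verifies_in_window >= MAX_VERIFY_PER_WINDOW) {
            d->energy_used += COST_CHEAP_REJECT;  /* drop before any crypto */
            return false;
        }
        d->verifies_in_window++;
    }
    d->energy_used += COST_VERIFY;
    return genuine;
}

/* Flood the implant with `rate` bogus requests per second for `seconds`,
 * then let a clinician try once during the last second of the flood.
 * Reports the energy spent and whether the clinician got in. */
static void simulate(policy_t p, unsigned rate, uint32_t seconds,
                     uint64_t *energy, bool *clinician_accepted) {
    implant_t d;
    implant_init(&d, p);
    for (uint32_t t = 0; t < seconds; t++)
        for (unsigned i = 0; i < rate; i++)
            handle_request(&d, t, false);
    uint32_t last = seconds ? seconds - 1 : 0;
    *clinician_accepted = handle_request(&d, last, true);
    *energy = d.energy_used;
}

uint64_t simulate_energy(policy_t p, unsigned rate, uint32_t seconds) {
    uint64_t e; bool ok;
    simulate(p, rate, seconds, &e, &ok);
    return e;
}

bool simulate_clinician_accepted(policy_t p, unsigned rate, uint32_t seconds) {
    uint64_t e; bool ok;
    simulate(p, rate, seconds, &e, &ok);
    return ok;
}

int main(void) {
    /* One hour of a modest flood: one bogus request per second. */
    printf("naive:    %llu units, clinician accepted: %d\n",
           (unsigned long long)simulate_energy(POLICY_NAIVE, 1, 3600),
           simulate_clinician_accepted(POLICY_NAIVE, 1, 3600));
    printf("budgeted: %llu units, clinician accepted: %d\n",
           (unsigned long long)simulate_energy(POLICY_BUDGETED, 1, 3600),
           simulate_clinician_accepted(POLICY_BUDGETED, 1, 3600));
    return 0;
}
```

Under these assumed costs, one request per second for an hour makes the naive policy spend 720200 units while the budgeted policy spends 63301, a reduction of more than 90 percent, because almost every attacker frame is refused before the expensive step. The simulation also shows the other side of the trade-off: during the flood the budgeted implant turns the genuine clinician away as well, since the window's verification budget is already spent. Rate limiting alone protects the battery but not access, which is exactly why the key-management and emergency-access questions raised later in this thread matter.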
- How critical: From an economic perspective, apparently information security for medical devices is not very critical (yet). While some sort of information security might be required to comply with legislation, I am not aware of reported attacks on such devices which caused damage (i.e. liability) for the producer. As such, there is little incentive for a manufacturer to invest in security (other than compliance). All this could change with the first public attack (and a possible lawsuit). After such an attack, economic incentive would come from customer demand for security (fuzzy term, I know) and additional legal requirements.
- Challenges: Personally, I would say the longevity of the discussed devices and infrastructure. In medical devices, the design of a new pacemaker can take a long time including clinical trials etc. (10 years as an estimate). Then the device is going to be in use for hopefully 5-10 years (you don't want to cut open the patient). This means that, at the end of life, any security is going to be 20 years old...
In addition, the devices are severely limited in battery life, bandwidth, computational capabilities, etc...
Then, as Rens mentioned, safety concerns about interoperability in ad-hoc scenarios such as emergency response, different doctors over time, etc. This might turn any decent key-management scheme into a nightmare.
With respect to industry adopting: without getting too specific, let's say that some features are already in place for some manufacturers, and they are aware of the general problem. But the challenges are hard, as I detailed before.