Adding Security to Implantable Medical Devices - Can We Afford It?

Implantable Medical Devices (IMDs) belong to a class of highly life-critical, resource-constrained, deeply embedded systems out there. Their gradual conversion to wirelessly accessible devices in recent years has made them amenable to numerous successful ethical-hacking attempts. These attacks were made possible due to the absence of proper security provisions in IMDs. IMD manufacturers have only very recently started taking cybersecurity threats seriously, a move that will force development teams to overhaul IMD designs and grow sharper reflexes in an industry that has historically opted for small, careful steps. Thus, valid concerns arise regarding the technical feasibility but, chiefly, the economic viability of adding security to IMDs. In this work, we assess the economic repercussions of securing IMDs by employing the concept of technical debt (TD) on the evolving IMD software. Our quantitative analysis reveals that security-related costs are currently well in hand, however, security-code TD amasses faster and will eventually overtake medical-code TD. The economic viability of IMDs will, thus, be ensured only if security-development efforts are allocated significant resources within the next decade. Keywords Technical debt, implantable medical device, IMD, security, embedded software