Never Lose Your ECG: A Novel Key Generation and Authentication Scheme for Implantable Medical Devices

Implantable medical devices, such as pacemakers, cardiac defibrillators, and insulin pumps, play a crucial role in monitoring patients' vital signs within healthcare systems. However, these networked devices are susceptible to external attacks and breaches of trust, hindering the potential innovation and social benefits of eHealth services. To address these concerns, we propose a novel ECG-based key generation scheme and blockchain-based authentication protocol to build a trustworthy healthcare service under any situation. The key will be extracted in a single heartbeat using fiducial features. Compared with the existing works, the proposed key generation achieves the most efficient and secure method by introducing newly designed techniques to identify the unique features based on the time differences within a small window of the ECG signals. In our key generation process, we utilized three distinct fiducial features: amplitude peak differences, time differences between peaks, and slope between each pair of peaks. After obtaining the distinct fiducial features, each set of features denoted as ${F}$ undergoes an encoding process, resulting in 16-bit vectors. To ensure randomness, the most significant bits of the encoded vectors are discarded due to their low entropy and least significant bits, which offer a greater degree of variability has been used. To validate our key generation method, we conducted the NIST statistical suite test. Our key generation process successfully passed all the necessary criteria and requirements set by the NIST suite test for ensuring the security and reliability of cryptographic systems. The proposed authentication protocol for the interaction between a patient and a doctor consists of three parts, addressing different scenarios that may arise including a patient visits a new doctor and emergencies which may be necessary for emergency medical services (EMS) personnel to immediately access the IMD. Experimental results demonstrate the efficiency and effectiveness of our key generation, as it produces a key of the same length within a second while maintaining a high level of randomness. Furthermore, the communication overhead for providing authentication services on the Internet is minimal. To evaluate the vulnerability of an authentication protocol, we performed a thorough security analysis, with a specific focus on the adversary model within the IMD (Implantable Medical Device) and DP (Device Programmer) interaction. Additionally, we implemented the proposed methods on a hardware setup by considering several factors, including time, key bit size, and memory usage. Furthermore, the proposed biometric key generation is tested using the NIST standard suite, where it successfully satisfied all the major requirements.