Wednesday, August 17, 2011

Meata Culpa:
Methods for Well Done Experiments with Medical Devices and RF

This posting is a mea culpa of sorts to correct a research trend of using ground beef and bacon for in vitro experimentation with implanted medical devices in the context of computer communication and trustworthy computing. We have seen several research papers repeating our methods in a variety of computer science venues. While the methods consistently elicit laughter during presentations, our recommendation is that researchers should instead use a less amusing but more carefully calibrated saline bath or synthetic torso.

In 2008, members of the Medical Device Security Center published Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-power Defenses. The paper describes our security analysis of an Implantable Cardioverter Defibrillator (ICD). We found no mechanisms that prevented unauthorized reprogramming of an implant. For example, we demonstrated how to issue a command shock that is designed to induce ventricular fibrillation (a deadly heart rhythm). A number of privacy vulnerabilities were also identified. In concert with our analysis, we developed prototype zero-power defenses intended to mitigate the vulnerabilities that we uncovered. To validate our zero-power defenses, we needed to complete in vitro testing in a somewhat realistic environment. Crunched for time, but with a desire to do better than simple open air testing, we implanted our defensive prototype in a plastic bag full of ground beef and bacon. Kevin was walking through Whole Foods near Amherst in late 2007, and after a quick call with a cardiologist decided to buy some high-fat bacon and ground chuck beef. The cashier gave Kevin some strange looks when he asked if the meat would be a good stand-in for human tissue.

The bag of ground beef and bacon that we used to prototype
our defenses. The video on the bottom shows a batteryless, computational RFID called the WISP. We wirelessly powered the piezoelement (which is audible).

Providing further evidence of the importance of reversing this trend, Jeff Mogul from HP Labs composed this haiku poetry that reflects on our research presented at ACM SIGCOMM.
They can hear your heart beats
Through several layers of
Bacon and beef
Unfortunately, meat remains the state of the art testing methodology for computer scientists working with implantable medical devices (IMDs). We made our original decision to use a bag of meat based on time constraints, and our methodology lacked the scientific rigor for meaningfully reproducible results. As a practicing cardiologist told us, "Dead meat don't beat… a pig heart from the grocery store will be no more electrically active than a cold hot dog - the physiological processes that govern the propagation of electrical impulses through the heart require metabolically active, i.e. 'alive' cells."

We have recently begun to explore the question of how we should conduct in vitro testing in order to have greater confidence in our results. We would like to share what we have found. A scientist from the FDA Center for Devices and Radiological Health pointed us to a methodology that has been used by the FDA to test wireless interference with implantable devices caused by, e.g., RFID readers. This methodology is described in sufficient detail to reproduce in a paper titled, Electromagnetic compatibility of pacemakers and implantable cardiac defibrillators exposed to RFID readers. We have reproduced this experimental setup using ~$30 worth of parts from a hardware store and a handful of other items (see picture below). While this human analogue has the virtue of being a de facto standard used by the FDA, it is still not perfect. It does not conform to any fully specified standard that we are aware of and working with a tub full of water can be an experimental hazard. The next experimental setup that we intend to build conforms to the Association for the Advancement of Medical Instrumentation (AAMI) standard number PC69 and consists completely of discrete analog components. We will be sure to share the details of our experiences once we have completed this next step.

Our FDA-inspired prototype required only: a plastic tub,
steel plates, bolts, nuts, silicone caulk, a refactometer,
distilled water, and table salt.

We encourage any researchers interested in working with IMDs to carefully consider what in vitro testing methodology to use. If computer scientists and other security researchers wish to have an impact that reaches outside of our own community, we will need to adopt credible standards that are used by biomedical engineers and other domain experts. Moreover, experiments must be meaningfully reproducible.

In summary, please avoid beef and bacon in experiments to show that your prototype implantable medical device works effectively. Instead, use a calibrated saline bath or synthetic torso according to AAMI standard PC69. No in vitro apparatus will perfectly model the behavior of a device in vivo, but these methods will lead to more reproducible experiments of stronger scientific rigor. Meata culpa. And may your research now be more well done.