Securing Next Generation Multinodal Leadless Cardiac Pacemaker System: A Proof of Concept in a Single Animal

As the next generation of implanted medical devices for cardiac rhythm management moves towards multi-nodal leadless systems that do without the limitations of transvenous leads, new security threats arise from the wireless communication between the systems' nodes. The key management and key distribution used in traditional cryptographic methods are considered too computationally expensive for small implanted medical devices. Instead, inherent human biometrics could provide a reliable alternative. In this work, we tested the key generation process across different nodes of a mimicked dual-chamber leadless cardiac pacemaker system and a subcutaneous implantable relay (S-relay). The proposed key generation process utilizes the randomness available from inter-beat intervals (IBIs). A pre-clinical in-vivo experiment was performed in one dog in order to validate the concept by implanting conventional bipolar cardiac pacemaker leads in the right atrium, the right ventricle and the subcutaneous space. Based on the available randomness and entropy of recorded IBIs, 3 bits were extracted per IBI by approximating a sequence of intervals with a normal distribution. This allowed for the generation of a 128-bit key string across the nodes with an average bit mismatch rate of about 3%. Parity check methods were used to reconcile the keys across the multiple nodes of a multi-nodal leadless pacemaker and subcutaneous device system. The findings are encouraging and demonstrate that IBIs can be used to generate secure keys for data encryption across different nodes of a leadless pacemaker system and S-relay.


I. INTRODUCTION
Technological innovations in wireless body area networks (WBAN) have led to the development of many wireless wearable and implantable medical devices and systems. In the field of cardiac rhythm management, this was seen with the transformation of decades-old implantable medical devices such as cardiac pacemakers.

A. CLINICAL BACKGROUND
Pacemakers are implanted in patients presenting abnormal heart rhythms. There are over one million annual pacemaker implantations worldwide [1]. Traditionally, pacemakers and similar systems consist of a device casing or 'can' that is implanted subcutaneously in a pectoral pocket. This can is connected to transvenous wires or 'leads' that run down through veins and are fixed to the inner walls of the right atrium or right ventricle of the heart. Additionally, a third lead can be introduced to the coronary sinus above the left ventricle for cardiac resynchronization therapy (CRT). Bipolar electrodes on the distal ends of these leads record cardiac electrophysiological signals known as electrograms (EGMs) and electrically stimulate the heart. The surface of the subcutaneous can, implanted in the pectoral pocket, also serves as a unipolar electrode. Transvenous leads have been identified as the weakest element of the system: they may fracture, they may lead to infection, and their explantation is associated with a high risk of mortality [2]. Consequently, the next generation of pacemaker systems is becoming wireless, doing without the transvenous leads that connect the various electrode nodes of the system together via the device's processor in the can. Currently there is only one such leadless pacemaker that is commercially available: the single-chamber Micra™ (Medtronic) [3].
As multi-nodal pacemaker and similar systems become leadless, a wireless communication challenge arises between the various nodes of the systems. Depending on the exact cardiopathology being treated, there will be different embodiments of future leadless cardiac pacemaker (LCP) systems: from an autonomous single chamber leadless pacemaker like the Micra to a triple-chamber leadless CRT system.
The intracardiac pacemaker nodes could be wirelessly configured and programmed by using a subcutaneous relay node between the intracardiac leadless pacemaker nodes and an external programmer at a distance from the patient. One other possible configuration could consist of only multi-chamber leadless pacemaker nodes that communicate wirelessly with each other and with an external programmer directly without a relay. Fig. 1a shows the traditional (i.e. transvenous) dual chamber pacemaker system, whereas one variant of the next-generation leadless pacemaker systems with a subcutaneous relay is shown in Fig. 1b.

The associate editor coordinating the review of this manuscript and approving it for publication was Lorenzo Mucchi.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

B. MOTIVATION AND SECURITY OF IMPLANTED DEVICES
The wireless nature of these multi-nodal leadless pacemaker systems is an important source of security risks, as patient physiological information and therapy-related commands are communicated wirelessly, making the communication more visible and thus facilitating eavesdropping and potential hacking [4], [5]. Due to the sensitive and often life-critical nature of these systems, it is essential to protect the communication between their various nodes. To illustrate this concern, Halperin et al. [6] performed software-based attacks on implanted cardioverter defibrillators (ICDs) using an off-the-shelf programmer and directional antennas, demonstrating that patient safety and privacy can be compromised due to insecure wireless communication links.
Several approaches have been reported in the literature to secure WBAN communications and preserve confidentiality and integrity. These include techniques ranging from traditional cryptographic algorithms and keys to wireless physical layer security (PLS) methods. A survey on privacy and security issues related to implanted medical devices (IMDs) is provided in [7]. Cryptographic algorithms utilize cryptographic keys in order to encrypt and decrypt the information. Therefore, the keys should be kept secret by the manufacturers and require servers to manage and store them. Infrastructure-based key management and distribution servers are difficult to implement in emerging paradigms like in-body wireless sensor networks. Another alternative could be using PLS methods. The idea of PLS was first introduced by Shannon in 1948 [8]. A number of methods and techniques have been developed since, utilizing the physical layer to provide information confidentiality, including methods based on the spread spectrum [9], modulation techniques [10], [11], or methods that can be implemented using keyless or key-based security approaches. Keyless security involves pre-coding strategies to hide the communicated information from the eavesdropper (Eve) [12]-[15] and mostly depends on the performance metric of secrecy capacity [16]-[18]. The key-based approach involves the use of cryptographic keys which are not already stored but generated from a common information source among legitimate communication nodes. The common source could be the wireless channel or any third-party source. Using PLS methods for securing WBAN, one can exploit different characteristics of the wireless channel, e.g. Angle of Arrival (AoA), phase, and Received Signal Strength (RSS) [19], [20]. Key generation using these characteristics relies on channel reciprocity.
An attractive and feasible key generation alternative for WBAN is using a third-party common source such as the physiological signals of the patient. Although physiological signals such as the electrocardiogram (ECG), electromyogram, electroencephalogram, or blood pressure vary in morphology and amplitude depending on where they are recorded, certain underlying physiological metrics, such as the heart rate, do not, irrespective of the position where they are recorded. Further, the acquisition of these physiological signals is performed via direct contact with the body, avoiding the risk of being eavesdropped by an external third party.
Monrose et al. [21] proposed the first biometric-based key generation method. These techniques were based on behavioral biometrics and are provided in [22], [23]. Biometric traits for key generation can be divided into external and internal. The external traits refer to those that remain the same throughout the subject's life and include the iris, fingerprints, hand geometry, DNA and facial morphology [24]-[26]. The main drawback of external biometrics is that they can be easily forged (e.g., we leave our fingerprints on all the objects we interact with on a daily basis). Conversely, internal biometrics are those that vary with time and typically represent internal physiological phenomena. They are therefore more resilient in this respect. These internal biometrics include the ECG, the photoplethysmogram (PPG), and the electroencephalogram (EEG) [27]. The use of inter-beat intervals (IBIs) for key generation was proposed in [28], where PPG and ECG were utilized to extract IBIs. The IBI is the time elapsed between contiguous heart cycles and varies with time depending on different physiological factors. Other similar works are also available in the literature utilizing heart rate as a random source to generate the cryptographic keys [28]-[33].
In this work an IBI-based 128-bit group secret key generation method is tested by utilizing synchronous intracardiac EGM (local depolarization) and subcutaneous ECG (S-ECG) signals. The proof of concept was provided by performing an acute in-vivo experiment on a single dog.
The rest of the paper is organized as follows. Section II describes the Materials and Methods. Section III delivers the Results. Discussions and Conclusion are provided in section IV and V respectively.

II. MATERIALS AND METHODS
A dual-chamber pacemaker with a subcutaneous relay was chosen as the potential future embodiment of a multi-nodal leadless pacemaker system. Such an embodiment is illustrated in Fig. 2a, and consists of two leadless pacemakers (one in the right atrium, and the other in the right ventricle), and a subcutaneous relay (S-relay). The S-relay in turn consists of a subcutaneous lead connected to a subcutaneous can which runs parallel to the sternum, on its left side. The subcutaneous can lies on the axillary midline, at the height of the fifth intercostal space. This particular embodiment of a multi-nodal leadless pacemaker system with an S-relay was chosen because it features both an intracardiac-intracardiac

A. EXPERIMENTAL PROTOCOL
A pilot experimental protocol was performed on one dog (golden retriever, male, 32 kg, 3.5-years) at the Institut Mutualiste Montsouris de Recherche, in Paris, France. All the ethical European guidelines and regulations for animal handling in laboratory were met and fulfilled. The experimental procedure was not performed specifically for this study, but rather for multiple other purposes, among which some were previously reported in [34].
The animal was put under general anesthesia, intubated and ventilated at a fixed rate of 12 breaths per minute. To mimic the leadless dual-chamber pacemaker with an S-relay embodiment, two commercially available bipolar intracardiac pacing leads were implanted in the heart from a subclavian venous access (see Fig. 2b). One of these was fixed in the right atrium, and the other in the apex of the right ventricle. The sensing dipoles used in the leadless pacemaker are very similar to those used in bipolar transvenous pacemaker leads. Both consist of a ring and tip electrode separated by 10-20 mm, across which electrophysiological signals are recorded and the heart is paced. The EGM of the right atrial pacemaker lead was referred to as the AEGM, and the EGM of the right ventricle pacemaker lead was referred to as the VEGM. Each ring and tip electrode pair of the pacemaker leads made up a single node of the multi-nodal system.
The S-relay can was mimicked using an inactive casing that housed electronics unrelated to the present study. The surface of this can served as an electrode. The can was implanted by performing a cut along the anterior axillary line and manually creating a pocket in the subcutaneous space. The can was then inserted into this pocket, which was sutured close. The S-relay lead was mimicked by implanting a conventional (i.e. transvenous) pacemaker lead in the subcutaneous space, parallel and 5 mm to the left of the sternum using a pacemaker lead tunneling tool. The subcutaneous node consisted of the dipole created between the electrode on the tip of the subcutaneously-implanted pacemaker lead, and the surface of the can. This dipole recorded a subcutaneous ECG (S-ECG).
A median-plane X-ray as shown in Fig. 3 describes the implanted intracardiac and subcutaneous leads, the can, as well as several other sensors that are not relevant to this work.

B. SIGNAL ACQUISITION AND IBI EXTRACTION
The three physiological signals (AEGM, VEGM and S-ECG) were sampled at 1000 Hz using a multi-channel custom digital-acquisition platform. The recorded signals were exported to MATLAB™ (Mathworks) for offline processing. Exemplary AEGM, VEGM, and S-ECG signals recorded during normal sinus rhythm are shown in Fig. 4. The IBI extraction from S-ECG was performed using the Pan-Tompkins algorithm [35]. IBIs 15% greater or smaller than the median of the last five IBIs were considered ectopic and discarded. This was to eliminate erroneous detections or premature ventricular contractions. To extract the IBIs from EGM signals, we used the Multilevel-Teager Energy Operator (MTEO). More details on MTEO can be found in [36].

C. KEY GENERATION PROTOCOL
The block diagram of a key generation protocol for multi-nodal LCP is shown in Fig. 5. In Fig. 5, the normal fitting, binary encoder and parity check methods are adapted from [37] whereas the rest of the procedures utilized for IBI extraction and key generation are novel. This includes effective IBI extraction from EGM and ECG signals using Pan-Tompkins and Teager Energy operator and then utilizing the DIFF operation to reduce the intra series auto-correlation.
By obtaining the physiological signals at different locations inside the body, we want to generate the symmetric key between different nodes of next-generation LCP systems. After signal processing and using the MTEO operator, the timing information of the IBIs was extracted at each node and this information was used to generate a secret key independently. Each node generates a series of IBI values from consecutive beats. Fig. 6a shows the extracted IBI values across the nodes. A strong correlation is observed in the measured IBIs across all the nodes. The correlation between the IBI sequences can be expressed as where x and y are the IBI values extracted from AEGM and VEGM, n is the total number of IBI values (120 samples) and σ is the standard deviation from the mean. The observed correlation is about 0.9937. Similarly, almost the same correlation is found between the intra-cardiac EGM (AEGM) and the S-ECG signal, and is 0.9946. In order to generate a completely random sequence of bits from a given source, the correlation within each of the time series IBI sequence samples should be zero. Fig. 6b shows the auto-correlation between the time series IBI samples generated from the node in the right atrium. A high correlation of 0.7, 0.5, and 0.3 is observed between the adjacent IBI samples (see Fig. 6b), which is not a favorable scenario for generating completely random bits from each sample. This adjacent sample correlation is also reflected in the bits generated, specifically in the most significant bits (MSBs) (see Fig. 6c). In order to reduce the auto-correlation between the adjacent IBI samples to a level at which they can be treated as independent and identically distributed (i.i.d.), a difference operator is applied. The difference sequence is evaluated by taking the difference between adjacent IBI samples which can be expressed as, The reduction in adjacent sample correlation can be observed in both the samples (see Fig. 6d) and the MSBs (see Fig. 6e) after the difference operator. From a statistical point of view, the IBI values at each node can be fitted with the normal distribution [38]. The histogram of the IBI values accumulated from 120 cardiac cycles is shown in Fig. 7. With a large sample size, the IBI values can be assumed to be normally distributed as shown in Fig. 7d, which is the histogram of a large data set obtained from an online repository. The fitting parameters evaluated are transformed to zero mean with a standard deviation of 0.015 seconds and can be expressed as N(0, 0.015).

1) QUANTIZATION ALGORITHM
The entropy of a random source evaluates the number of random bits that can be generated from each IBI sample. In case of normally distributed independent identical (i.i.d.) source with standard deviation σ, the entropy can be expressed as It can be seen from (3) that approximately 4 random bits can be generated per IBI sample. In this work, the quantization algorithm is modeled so that it generates only 3 bits per IBI sample. This is to reduce the potential mismatches between generated bits across the nodes. Thus, based on the assumption that IBIs follow a normal distribution with given (µ, σ), the probability density function is divided into eight regions. The regions are segregated in such a way that the cumulative probability of each region is 1/8. For the evaluated values of µ and σ, the segregated regions are listed in Table 1. During a cardiac cycle, the quantization algorithm at each node samples the physiological signal and extracts the IBI. The sampled IBI is then matched to the region it belongs to, and the Gray code of that region is generated for the given IBI sample. Thus, each IBI sample generated from two consecutive cardiac cycles is sampled to 3 bits by the quantization algorithm. We have assumed that all the nodes are synchronized and sample the same IBI index. Realistically it is quite difficult to completely synchronize all the modules, but the design of future leadless cardiac pacemakers will guarantee a certain level of synchronization in order to effectively perform CRT therapy [39]. This synchronization between the leadless modules will be within a few 10s of milliseconds (ms) and not within 100 ms, resulting in sampling the same IBI index (even if they sample it at a different point in time within the cardiac beat).

Algorithm 1 (fragment):
        for k = 1 to 8 do
            if (IBI_i ∈ R_k) then
                Output = strcat(Output, GC_k)
            end if
        end for
    end for
    return Output
    Reconciliation - Parity Check bit

Since a single IBI results in 3 bits, a total of 43 cardiac cycles is required to generate the secret key of 128 bits. The keys generated across multiple nodes always have slight mismatches, which must be reconciled before the keys are used for data encryption.

2) KEY-RECONCILIATION
The parity check method for key reconciliation is used, since it is simple and efficient. For each IBI sample, the nodes generate 3-bit gray code along with a parity bit. The parity bit is shared across the nodes. If parity across the nodes for a given gray code is different, the nodes discard the generated block. If the parity bit is identical, then the first 3-bits are extracted from a given block. The process continues until 128-bits of reconciled key is generated across all the nodes.
The key generation algorithm is provided in Algorithm 1.
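
The quantization and parity-check reconciliation described in this section, as an added Python example that is not the authors' code. It takes the differenced IBI values as input and assumes a reflected binary Gray code assigned from the lowest region upward and an even-parity bit (Table 1 and the parity convention are not on this page); the function names and the sample series are constructed for illustration.

```python
from statistics import NormalDist

SIGMA = 0.015  # seconds; std dev of the zero-mean fit N(0, 0.015) given in the text
# Seven interior boundaries so that each of the eight regions has probability 1/8.
BOUNDS = [NormalDist(0.0, SIGMA).inv_cdf(k / 8) for k in range(1, 8)]
# Assumption: reflected binary Gray code, lowest region first (Table 1 is not on the page).
GRAY = ["000", "001", "011", "010", "110", "111", "101", "100"]


def quantize(d):
    """Map one differenced IBI value (seconds) to the Gray code of its region."""
    region = sum(d > b for b in BOUNDS)  # index 0..7
    return GRAY[region]


def parity(code):
    """Even-parity bit of a 3-bit block (assumed convention)."""
    return code.count("1") % 2


def reconcile(node_series, key_bits=128):
    """Build one key per node from index-aligned differenced IBI series.

    A block is kept only when every node announces the same parity bit;
    otherwise all nodes discard it. Returns (keys, discarded_blocks).
    """
    keys = ["" for _ in node_series]
    discarded = 0
    for samples in zip(*node_series):
        codes = [quantize(d) for d in samples]
        if len({parity(c) for c in codes}) > 1:
            discarded += 1
            continue
        keys = [k + c for k, c in zip(keys, codes)]
        if len(keys[0]) >= key_bits:
            return [k[:key_bits] for k in keys], discarded
    raise ValueError("not enough IBI samples to reach %d bits" % key_bits)


def hamming(a, b):
    """Number of differing bit positions between two equal-length bit strings."""
    return sum(x != y for x, y in zip(a, b))


def demo():
    """Constructed data: 60 differenced IBIs, three nodes offset by +/-0.5 ms."""
    atrium = [((37 * i) % 61 - 30) / 1000 for i in range(60)]
    ventricle = [d + 0.0005 for d in atrium]
    relay = [d - 0.0005 for d in atrium]
    return reconcile([atrium, ventricle, relay])


if __name__ == "__main__":
    keys, dropped = demo()
    print("keys agree:", len(set(keys)) == 1, "| discarded blocks:", dropped)
    # A slip of two regions keeps the parity unchanged and is not caught.
    (k1, k2), _ = reconcile([[0.001], [-0.006]], key_bits=3)
    print(k1, k2, "hamming =", hamming(k1, k2))
```

A measurement that slips into a neighbouring region always flips the parity, because adjacent Gray codes differ in exactly one bit, so the block is discarded; a slip of two regions leaves the parity unchanged and survives into the key. Each parity bit sent between nodes also discloses one bit of information about its 3-bit block to anyone who can observe the exchange.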

III. RESULTS
In this section, the generated key is evaluated with randomness tests. The key mismatch rate and the possibility of generating a similar key from a patient's medical history are also examined.

A. KEY RANDOMNESS ANALYSIS
The 128-bit generated key must be tested for a required degree of randomness. The National Institute of Standards and Technology (NIST) provides a widely used set of randomness tests. We ran the NIST randomness test suite [40] to evaluate the randomness of the generated key string. In total 15 NIST tests are available; 6 of them are for long bit strings whereas the rest are for short key strings. Our generated key passes all the NIST tests suitable for short keys. For the NIST test suite, the decision rule is given in terms of the p-value. The randomness hypothesis is rejected if the p-value is less than the threshold (1%). Table 2 lists the p-values evaluated for the generated keys. The details of the tests are provided in the Appendix.
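
Two of the short-string tests named in the Appendix, the Frequency (Monobit) test and the Runs test, written out as an added Python example using the formulas of NIST SP 800-22 and the 1% threshold stated above. This is not the NIST reference implementation or the authors' code; the function names and the sample keys are constructed for illustration.

```python
import math


def _check(bits):
    """Reject empty input and anything that is not a string of '0'/'1'."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("key must be a non-empty string of '0' and '1'")


def monobit_p(bits):
    """Frequency (Monobit) test: are zeroes and ones roughly balanced?"""
    _check(bits)
    n = len(bits)
    s = sum(1 if b == "1" else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p(bits):
    """Runs test: is the number of uninterrupted runs what a random string gives?"""
    _check(bits)
    n = len(bits)
    pi = bits.count("1") / n
    # Prerequisite of the Runs test: the proportion of ones must be near 1/2.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def assess(bits, alpha=0.01):
    """Return {test name: (p-value, passed)} using the 1% decision rule."""
    results = {"frequency": monobit_p(bits), "runs": runs_p(bits)}
    return {name: (p, p >= alpha) for name, p in results.items()}


if __name__ == "__main__":
    # Constructed 128-bit keys: a perfectly balanced but periodic one, and a stuck one.
    for label, key in (("alternating", "01" * 64), ("all ones", "1" * 128)):
        print(label, assess(key))
```

The alternating key shows why several tests are applied together: it is perfectly balanced and passes the Frequency test with p = 1, yet the Runs test rejects it.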

B. TEMPORAL VARIATION
To evaluate the temporal variation, we utilize the Hamming distance, which evaluates the independence among the keys generated from past measurements. The Hamming distance is the number of bits that differ between two key strings. For keys to be random, they must follow the binomial distribution, according to which the Hamming distance should be around half of the key length, representing maximum distance between the keys. Fig. 8 shows the Hamming distance between the keys in comparison with the actual binomial distribution. The Hamming distance is concentrated around 60, providing evidence that the keys are independent (for the temporal test, key strings of 120 bits were used). This proves that the keys generated at different time instants will be different and that Eve will not be able to take advantage of previous patient records.
FIGURE 8. Hamming distance between keys from past records.

C. KEY MISMATCH RATE
To evaluate the key mismatch rate before the reconciliation phase, the same Hamming distance metric is used. The Hamming distance for perfectly matched keys should be zero. We determine the Hamming distance between the keys generated across the nodes. The key mismatch rate between the 128-bit keys generated in the atrium and the subcutaneous relay is 3.89%, whereas the mismatch rate between the keys in the right ventricle node and the subcutaneous relay is 2.2%. The key mismatch rate requires a single round of the reconciliation phase.

D. KEY GENERATION RATE
The system requires a single IBI to generate 3 key bits. Thus, if a normal heart rate of 70 bpm is considered, on average 37 seconds will be required to generate the 128-bit secret key. Similarly, considering the two extremes, at 30 bpm the key generation process will require on average 86 seconds, whereas for an elevated heart rate of 120 bpm it will require on average 21 seconds.

IV. DISCUSSION
The results from the animal experiment are encouraging and support the process of effective cryptographic key generation from IBIs for next-generation multi-nodal leadless cardiac pacemakers. The entire process can be initiated by the S-relay, which generates a network-wide synchronous signal for key generation. Each individual node collects the local physiological signal and extracts a sequence of IBIs. From each IBI, the nodes generate a block of 3-bit Gray code, followed by a parity bit for reconciliation. The parity bit is then shared between the nodes. If the parity across the nodes is the same, the block is stored; otherwise it is discarded. The process continues until all the nodes of the multi-nodal leadless pacemaker system have generated a 128-bit key. Once the key is generated, the pacemaker system will utilize the key for a specific duration that may consist of either multiple sessions or a fixed duration of 30 minutes to an hour. Afterwards, the keys are refreshed again by the S-relay. The method can be extended to off-body programmers with ECG recording.
The described key generation method has two advantages. First, it removes the need for the complex key generation and distribution methods of traditional cryptography. Second, it can be stacked to provide an extra layer of security at the physical layer. In addition, instead of utilizing a 128-bit key for data encryption, the proposed method can generate a 64-bit key for authentication purposes.
There are also some limitations to the current key generation method. The described method fails if Eve, with knowledge of the key generation method, can collect the IBIs at the same time instant as the legitimate nodes of the system. But in order to robustly extract IBIs, Eve needs to be in physical contact with the patient or use remote sensing techniques, for example based on radar [41], which can sense the sub-millimeter movement due to heartbeats.
The results of this work are based only on a single animal, which constitutes a limited test size. For this reason, we would like to replicate the results with more animals, and eventually human patients. Also, the test was performed in normal sinus rhythm. The methods were not tested under different conditions that could include elevated heart rate, atrial fibrillation, or desynchronized ventricles. Moreover, in the case of an operating pacemaker, depending on the cardiac pathology, in some cases the heart rhythms will not be normally distributed, e.g. the case of pacing at a fixed rate. For those cases, the pacemaker can be programmed for key generation without the assumption of being normally distributed.
Our future work will focus on prototyping the IBI based encryption algorithm. A comparison will be provided between traditional cryptographic and IBI-based methods in terms of system complexity, level of privacy and device longevity. Furthermore, the variation in time required for key generation based on heartbeats will also have an impact on energy consumption and will deserve a specific study. In addition, key generation method in case of different cardiac pathologies will also be tested.

V. CONCLUSION
In this article, a proof of concept in a single animal is provided, for evaluating the potential of securing next generation multi-nodal leadless cardiac pacemaker systems using inherent cardiac physiological signals (intracardiac EGM as well as subcutaneous ECG signals in the presence of a subcutaneous relay). A symmetric group key is generated across all the nodes that includes: right ventricle, right atrium, and a subcutaneous relay. The proposed key generation method provides a promising alternative to establish symmetric keys for data encryption between legitimate nodes, thus avoiding need of key management and distribution servers and conserving substantial computational resources. For an average healthy heart rate of 70 bpm, the proposed method generates 3.65 key bits per second with an average mismatch rate of approximately 3% for a key length of 128-bits. The method can be extended to off-body programmers with ECG recording.

APPENDIX NIST TEST SUITE
The tests performed are:

A. THE FREQUENCY (Monobit) TEST
This test provides the distribution of zeroes and ones in an entire bit string. The test evaluates that the proportions of zeroes and ones are approximately the same, which is the requirement of a random sequence.

B. BLOCK FREQUENCY TEST
This test evaluates the proportions of zeroes and ones in M-bit blocks within a key sequence.

C. THE RUNS TEST (R-TEST)
This test evaluates the total number of runs in a binary sequence, where a run is the uninterrupted sequence of identical bits.

D. LONGEST-RUN-OF-ONES IN A BLOCK
This test evaluates the longest run of ones within M-bit blocks.

E. APPROXIMATE ENTROPY
The purpose of the test is to evaluate and compare the frequency of overlapping blocks of adjacent lengths against the expected result for a random sequence.

F. DISCRETE FOURIER TRANSFORM
The test is performed to evaluate the peak heights in the discrete Fourier transform of the sequence in order to predict the periodic features.

G. NON-OVERLAPPING TEMPLATE MATCHING TEST
It evaluates the number of occurrences of pre-specified target strings.