Securing Change for Implants

Author: Shana Leonard

The subject of electronic implant hacking has been inducing periodic waves of panic among the general public since 2008, when researchers demonstrated that they could maliciously hack a Medtronic implantable cardioverter-defibrillator (ICD). The most recent headlines, however, come courtesy of Jay Radcliffe, a security researcher who presented at the recent Black Hat security conference on how he hacked his own insulin pump. To many in the industry, the presentation merely represented the latest proof that implant hacking is possible—a fact that has already been well established. But, as it turns out, the insulin pump security breach could just be the event that initiates change in medical implant security.

During his presentation, Radcliffe refused to reveal the manufacturer of his penetrable insulin pump, citing ethical reasons. That changed, however, a few weeks later. Claiming that repeated attempts to contact the company were ignored, Radcliffe identified Medtronic as the pump’s manufacturer in what he says was an attempt to apply public pressure on the company to address the device’s security vulnerabilities.

A lack of response doesn’t seem too surprising, though; OEMs have generally downplayed such incidents. Based on the admittedly low risk of a real-world implant hacking event, they have adopted a wait-and-see approach toward bolstering implant security. But the headline-grabbing nature of the insulin pump hacking story may force OEMs to reevaluate implant security. As a result of the attempted public shaming, for example, Medtronic was pressured to respond—albeit vaguely. “We have to evaluate the sources of the information and figure out what we should do with it,” a Medtronic spokesperson told the Associated Press.

And exerting public pressure on Medtronic wasn’t the only outcome of the insulin pump hacking. In the weeks following the presentation, two senior members of the Energy and Commerce Committee, Representatives Anna G. Eshoo and Edward J. Markey, reached out to the Government Accountability Office. Their letter requested a report on the extent to which the FCC is “identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology; taking steps to improve the efficiency of the regulatory processes applicable to broadband and wireless-enabled medical devices; ensuring wireless-enabled medical devices will not cause harmful interference to other equipment; overseeing such devices to ensure they are safe, reliable, and secure; and coordinating its activities with the FDA.”

Their concerns are certainly valid in terms of ensuring that devices operate in a safe manner and that implants won’t interfere with other medical equipment. But will this request for a probe ultimately be the catalyst for industrywide change? It will be interesting to see what effect, if any, this initial request and pressure on Medtronic have on the future of wireless-enabled medical devices. Despite the low risk of hacking events, mainstream media and the panicked public may just demand a better sense of security from their electronic implants moving forward.