Hackable Medtronic Insulin Pump Leads to Company Probe

Posted in Information technology by Bob Michaels on October 27, 2011

When IBM security analyst Jay Radcliffe hacked into his own insulin pump at a conference over the summer, no one could deny that networked medical devices—like all networked electronic devices—can fall victim to cyber attacks. Now, the lid has been removed even further with last week's report from software security firm McAfee that at least one of Medtronic Inc.'s Paradigm insulin pumps exhibits software vulnerabilities that could render the device susceptible to hacks.

McAfee exposed the Medtronic device's vulnerabilities by using a Windows-based PC and an antenna to communicate with the device over the same radio spectrum that is used for some cordless phones. Finding a way around all the restrictions and limitations, according to McAfee senior vice president Stuart McClure, the company developed code that enabled it to gain complete control over the insulin pump from up to 300 feet away. Recently, Medtronic acknowledged that security flaws in its insulin pumps could allow hackers to take control of the devices remotely, a Reuters article notes. According to one scenario, a hacker could gain control of the pump and instruct it to dump all the insulin in its cannister.

The dangers are real, but it is clearly exaggerated to include medical equipment among the types of networked devices that are "being hacked in ever-increasing numbers," a claim that appeared in a recent blog by Tim Fulkerson, senior director, marketing, for McAfee Embedded Security. In fact, malicious hack attacks against medical devices have never occurred outside of research settings. And according to FDA, there is no evidence to date of widespread problems associated with medical device security breaches.

The best way to protect embedded devices is to implement whitelisting and change control technologies, according to Fulkerson. Enabling manufacturers to create a dynamic set of applications authorized for a given device, a whitelist can be built into the embedded system’s gold image and applied automatically to all devices being provisioned. And change control is a trust-model approach that restricts who can change what, how they can change it, and when a change can be made. This measure prevents and logs unexpected changes, while alerting administrators to breaches. It also blocks unauthorized programs or code snippets and prevents unauthorized changes, including Microsoft patches.

While Medtronic markets two insulin pump models and supports six older models, 200,000 of which are currently used by patients, it has not disclosed which model McAfee has identified as being vulnerable to hackers, nor has it indicated how many patients could be affected. Nevertheless, the medtech company vows that it is determined to confront and remedy this problem, according to MassDevice. Measures include conducting a risk/benefit analysis to assess the potential risk, evaluating encryption and security technologies, and establishing an industry working group to develop new approaches and best practices in the area of medical device security.

Although Medtronic is concerned that its insulin pumps are susceptible to the machinations of hackers, correcting the problem is not so straightforward. For one thing, the company's pumps use wireless communications technology that is 12 to 15 years old. And recalling already existing devices for the purpose of retrofitting them with new software patches would require FDA approval. In the end, the company may be forced to start from scratch, rolling out a completely new insulin pump that can withstand the challenges facing networked electronic devices in an age of hacking.

The news that Medtronic's insulin pumps confront digital security challenges coincides with the hacking summit that will take place around MD&M Minneapolis on Thursday, November 3. Titled “Vulnerable Medical Devices Face Today’s More Virulent Networks: Scary Stories, Real Risks, and Mitigation Strategies,” the Amphion Forum 2011 Medical will feature panelists from a range of companies and institutions. For an in-depth discussion with Mocana security expert Kurt Stammberger on the risks facing patients with implantable networked medical devices, go to the interview "Preventing Medical Device Hacking, a Nightmare in the Making." —Bob Michaels