A security researcher who presented at this year’s Black Hat security conference caused quite a stir when he showed audience members that he was able to hack into his own insulin pump. Jay Radcliffe is a cyber threat intelligence analyst at IBM who wanted to test the security of the two medical devices — an insulin pump and a continuous glucose monitor — he wears every day to control his diabetes.
Radcliffe found both devices had significant gaps in security: He was able to reprogram his insulin pump to respond to a stranger’s remote control device and could tamper with the readings of his glucose monitor by intercepting wireless signals. For diabetics who rely on these devices to stay healthy, this security flaw represents a risk that they could be harmed and possibly even killed, he believes.
“If somebody gets hurt through a medical device being tampered with, and potentially dying, it raises the stakes of this. If one person were to be harmed, it would be a very big deal. It would be front page news everywhere,” said Radcliffe in a television interview at the security conference.
Insulin pumps aren’t the only medical devices susceptible to hacking. Researchers in 2008 found that some pacemakers could be hacked into and reprogrammed as well.
But aside from security experts and researchers, who is really hacking into insulin pumps? A few critics argue that the media is overhyping the story with headlines such as “Black hat hacker can remotely attack insulin pumps and kill people” and “Excuse me while I turn off your insulin pump.” Some are worried this could create an environment of paranoia that will slow down the FDA approval process for new devices.
It doesn’t matter if the risk is small — Radcliffe believes the security holes must be plugged. In a blog conversation with a fellow diabetic, he argues that being in a rush for FDA approval is no excuse for sloppy medical device security. “Aren’t you concerned about the fact that the FDA doesn’t have any guidelines around wireless transmissions?” he asks.
Radcliffe told the Associated Press that after his presentation he planned to notify his device manufacturers of the weaknesses he discovered. A week later he tweeted “Wow. My Pump maker really doesn’t care abt security. Totally blew off my research findings and lied about it in a Press Release.”
Two members of Congress do care about his findings, however. Reps. Anna G. Eshoo (D-CA) and Edward J. Markey (D-MA) specifically cited Radcliffe’s research in their request for a review of the Federal Communications Commission’s (FCC) actions in regard to wireless medical devices. The representatives want to ensure that the FCC is “identifying the challenges and risks posed by new medical devices and implants that make use of wireless technology to ensure that such wireless-enabled devices are safe, reliable, and secure, and do not cause harmful interference.”
It’s probably not a bad idea to regulate these wireless medical devices. While the insulin pump hack should not be cause for widespread alarm, it should be cause for action.