Whether you have a pacemaker, a defibrillator, an insulin monitor, or some other medical device that transmits information, there is the risk that it could be hacked.
At last week’s Black Hat security conference in Las Vegas, security researcher Jay Radcliffe showed how, by experimenting with his own diabetic equipment, he identified flaws that a hacker could use to remotely take over control of his insulin flow. This follows the 2008 demonstrations of how to hack pacemakers and how to hack defibrillators.
In Radcliffe’s insulin pump example, he found that the pump can be reprogrammed to respond to a stranger’s remote. According to a news article by CBS San Francisco, all Radcliffe “needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.”
To remotely manipulate the insulin pump, the hacker would have to be located within a narrow (200 feet) radius of the victim, which is certainly doable. The article also said Radcliffe was able to tamper with his blood-sugar monitor, overriding the actual signal with a stronger signal so that the device would fail to deliver the proper insulin dose. Assuming a powerful enough antenna, Radcliffe claims the attacker could be up to half a mile away.
The problem with these small devices is the difficulty of fitting security tools into them. Responding to questions, the FDA said that any medical device with wireless communication components can fall victim to eavesdropping, and said it warns device makers that they are responsible for ensuring their equipment can be updated after it’s sold (to patch security holes if needed).
To date, there is no evidence that any hacker has leveraged medical device flaws to harm a user, and the industry downplays any potential threat, noting that the risk to patients of being hacked is very small whereas the risks associated with failing to use the devices are severe. However, the CBS article quotes Yoshi Kohno, a University of Washington professor of computer science, who said, “The threat hasn’t manifested yet, so what they and we are trying to do is see what the risk could be in the future,” and that Radcliffe’s new research reinforces the urgency of addressing security issues in medical devices before attacks move out of research labs.
While it sounds like a new twist in a Robin Cook medical thriller, the ramifications for real patients could be just as deadly, and they highlight again the risks associated with the intersection of technology and medicine.
For more information on med-tech risks, see my blogs:
- HHS Strengthens Health Information Privacy & Security, is it Enough?
- Risks of Placing Medical Records Online
- Online Medical Fraud: New Tools for Old Scams
- HHS Issue Notification Rules for Personal Health Record Breaches – But What Prevents Breaches?