Device Hacking Continues: Medtronic, Others 'Lacked Foresight'

Medtronic and other medical device manufacturers may have been lulled into a false sense of security as the headline-grabbing insulin pump hacking controversy began to die down in recent months. But hacker Barnaby Jack plans to push the issue of medical device security vulnerabilities right back into the spotlight at the RSA security conference this week where he will demonstrate the ability to remotely launch a lethal attack against an insulin pump user. This mounting pressure from high-profile, hard-working hackers, coupled with the increasing prevalence of connected devices, is quickly catapulting the issue of medical device security to the top of the industry's priority list.

A consortium of university researchers initially called attention to device security flaws when it hacked into a Medtronic ICD and demonstrated the ability to maliciously control the implant back in 2008. However, the issue of wireless medical device hacking gained national media attention and launched a federal probe--in addition to eliciting mixed feedback from patients and the industry alike--when Jay Radcliffe hacked into his own Medtronic insulin pump at the Black Hat security conference last summer.

Launching his own investigation into insulin pump hacking, Jack, a McAfee research architect, engineered a means of remotely inducing a lethal attack on a diabetic. Although he revealed early results at the Hacker Halted conference in Florida last October, Jack claims to have strengthened his attack program, details of which he will share at the RSA conference.

Unlike Radcliffe's hacking attempts, Jack's program is capable of scanning a public space from up to 300 ft away, identifying Medtronic insulin pumps, and then directing them to dispense fatal doses of insulin, according to Bloomberg. His program does not require extra surveillance to obtain a serial number nor does the hacker have to be positioned particularly close to the victim. It also can disable security alerts on the insulin pumps.

High-profile hacks of medical devices, such as those by Jack and Radcliffe, certainly make for gripping presentations and stories. But they've also proven to be extremely polarizing. On the positive side, they help to initiate change, applying ample pressure on manufacturers to examine potential security vulnerabilities and address them for next-generation devices. They also help companies identify some of these vulnerabilities.

On the other side of the coin, however, they are causing unnecessary public panic among some insulin pump users despite a low likelihood of a hacking event actually occurring. Furthermore, this glamorization of medical device hacking could potentially have the effect of actually inspiring a real-world medical device hacking attempt. Critics even go so far as to admonish the professional hackers for providing a blueprint of sorts and ideas for maliciously breaching device security.

Both sides have valid points. Bringing security vulnerabilities to the attention of medical device manufacturers could ultimately result in better devices and enhanced patient safety. But the continued public demonstrations of medical device hacking may be doing more harm than good. Security features of many current devices cannot be fixed or improved without issuing a recall, and a recall doesn't make sense if the threat is not immediate or great--not to mention largely theoretical.

And it's not like manufacturers were really acting irresponsibly at the time by not accounting for such threats in earlier designs. "[Jack] says the problems stem from a lack of foresight by device makers. Security, he says, wasn't a priority when the devices were designed," according to Bloomberg. So what, exactly, are these public demonstrations accomplishing, should they continue? If hackers are exploring medical device security for the welfare of patients, and not just for the headlines, they should perhaps proceed by working directly with manufacturers, and perhaps FDA, moving forward, unless a discovery unveils an immediate, concrete threat to patient safety.

Read more about medical device hacking and security in MPMN's archived articles, "Mitigating Risk in Software-Controlled Devices," "Preventing Medical Device Hacking, a Nightmare in the Making," and "Securing Change for Implants." Plus, check out a recent interview, below, with Jack by Bloomberg.

--Shana Leonard
