The Medtech Industry Can't Hide from Security Flaws

The medical device industry should more thoroughly consider the security ramifications of wireless technology in next-gen medical devices, according to a prominent security researcher.

Brian Buntz

Are medical device designers so enamored with technology that they are failing to take cybersecurity seriously?

That was the question posed by Jay Radcliffe, a senior security consultant at Rapid7, during a Wednesday talk at BIOMEDevice San Jose.

Technology, for example, holds immense promise for diabetics, Radcliffe said. "The artificial pancreas will be essentially a cure for diabetes. ... And many diabetics are hungry for technology that can help reduce the mental strain that the technology can give patients and caregivers. The stress can be huge," Radcliffe explained. "A mistake for a type-1 diabetic--something as trivial as eating a cupcake--could lead to a trip to a hospital."

Wireless functionality will play an integral role in artificial pancreas devices and other next-gen medical devices. Radcliffe warns that many developers of medical devices may be so enamored with the overall goal of helping improve the lives of diabetics and other patients that they aren't adequately considering the risks--cybersecurity risks in particular. Many of the most promising elements of new medical technologies come via wireless technologies.

"My concern is that we are going too fast. It's like we are driving so fast we can't see around the corners," Radcliffe says. "We now have an electric toothbrush with security vulnerability because of its Bluetooth connection."

Wireless technology is coming to scores of devices, from household locks and thermostats and refrigerators to pacemakers. "We can't secure simple $5 transactions, but we have aspirations of making medical decisions based on wireless devices where people's lives are in the balance," Radcliffe says. "We are entrusting a medical device to do what we can't do anywhere else in the computer industry."

Despite all the progress that has been made with mainstream consumer technology, we still commonly have problems with them: dropped call phone calls, computer crashes, malware, and rampant identity theft. There are also incidences of hackers attacking water and power facilities.

Radcliffe said that the medical device industry needs a modern-day equivalent of Roman centurions, professional soldiers who established order in Roman times.

In the cybersecurity realm, the equivalent of modern-day centurions are white-hat hackers--people who, with permission, breach the security of devices to help make them safer. "You want someone who is going to go to battle with you. The lifecycle of these devices is going to be long," Radcliffe says. "You have to support these devices and update them."

Every device that has code, has flaws and potential security vulnerabilities. "And you are not going to find them all," Radcliffe said. "It is not possible to release a product with software that doesn't have a vulnerability. You have to be prepared to update, patch, and respond to those vulnerabilities."

Radcliffe stated that, all too often, medical device companies ignore or deprioritize security problems. "You can't hide. All too often, you see medical device companies doing that. The FDA and FTC are coming down hard on them," Radcliffe said. "And they are looking bad to their customers because their customers are saying: what do you mean there is a vulnerability with my medical device?"

Although the topic of medical device security is getting significant attention in the popular press, medical devices generally don't fare well in terms of cybersecurity.

In 2011, Radcliffe hacked his insulin pump to determine what kind of security it had. "What I found was shocking," he says. He concluded that insulin pumps are not secured and can be subject to a variety of attacks. To demonstrate how easy they were to breach, Radcliffe hacked his insulin pump on stage at the 2011 Blackhat conference.

Since then, he has has acquired hundreds of medical device to explore for security research. "I buy used medical devices on Ebay and Craigslist. I get medical devices from local coroners' offices," he said.

"The security of Bluetooth is pretty weak--especially when it comes to a technology called 'Just Works.'" Hackers can exploit 'Just Works' by tricking a device into rekeying itself, Ratcliffe says. "You really need to have multiple layers of security and to be vigilant." 

Brian Buntz is the editor-in-chief of MPMN and Qmed. Follow him on Twitter at @brian_buntz.

Like what you're reading? Subscribe to our daily e-newsletter.