In 2011, Jay Radcliffe, famously hacked into his own insulin pump to demonstrate the gaping vulnerabilities of medical devices. Radcliffe, senior security consultant and researcher with cybersecurity firm Rapid7, will deliver a keynote presentation at MD&M West, Feb. 12 in Anaheim, California and provide a progress report on medical device security over the last four years.
In a phone interview Tuesday, Radcliffe outlined five actions medical device manufacturers can take to improve the security profile of their devices.
Take A Page Out of Tech Playbook
Radcliffe believes that from a technology standpoint, the medical field is 15 to 20 years behind what you can find on your own smartphone.
"Insulin pumps are not like your cell phone that you can update," Radcliffe explains. "So it’s not like your cell phone where Apple comes out with a firmware update to address a problem and you can download it and apply it and it works. These devices can’t do that. They were never meant to be updated."
However, given that personal medical devices such as insulin pumps, glucose meters and other devices are increasingly getting connected to the Internet, it follows that the medtech industry should adopt some tools from the tech world and apply it to these devices.
And some companies are doing that. Radcliffe pointed out that in November, Dexcom, which makes continuous glucose monitors, released a software update for its G4 device that would make the unit more accurate.
"Users were able to update their device just like you would do your phone," Radcliffe said.
Earlier, Abbott Labs also provided a software update to remove an error on their glucose meter, he explained.
"They had a big error with one of their devices where any blood sugar over 1024 was recorded into its database incorrectly," he said.
Users had the option to return the device as part of a voluntary recall or connect their meter to the computer using a USB cable and apply the software patch.
"These are all very new things, and very new to medical device manufacturers, he said. "They are used to protecting their intellectual property and locking that code into place because that was the safest way to do it in the last 20 years. But now we need this ability to change."
Do Independent Testing
Device manufacturers should do some third-party testing of medical devices from a security perspective.
In the utility world, large companies hired independent firms to run tests on smart meters before they decided to make a 10-year investment commitment to buy smart meters, Radcliffe said. Such testing would give the power companies some confidence about the functioning of these devices.
The medtech world should do the same.
In fact, hospitals who purchase things like infusion pumps, are asking these types of questions and looking for products that can be updated, for instance, he said.
"We encourage the device manufacturers to get those tests done and to include those reports as part of the FDA approvals process," Radcliffe noted.
Allow Users to Set Security Parameters
Anyone with an iPhone is aware that older versions of the phone allow users to type in a 4-digit passcode to access their phones. Newer versions have this feature, although users can now save their fingerprint to use their phones without having to type in the four-digit pin.
Radcliffe says that most medical devices do not have such pins, and when they do, they can never be changed.
"It’s very important for access to some of these devices to have a parameter like a pin or a pass code that is for the user, so that way they can have some security on that device. So that there is a hoop to jump through," he believes.
Use Encryption While Transmitting Data
A lot of medical data is being transmitted without any sort of encryption.
"They are transmitting the commands to do medical procedures with an insulin pump or they are transmitting the treatments, so very private, very personal information about the individual is being transmitted without any protection whatsoever," Radcliffe said.
He noted that anyone can buy a dongle off of Ebay and find out how much insulin a person is taking or what their treatment plan is.
"That's dangerous but it's also something that is very private," Radcliffe says. "We have taken the regulatory steps [through HIPAA] to make sure that hospitals are taking care of that [data] but now we need to make sure we are doing this on these very personal devices."
Have More Disclosure In Device Manuals
Device manuals typically don't have information about privacy issues and concerns related to their use. Such issues are also not brought up in training, he pointed out.
"Sometimes when I talk to patients, they don't have any idea that their personal health information is being transmitted or that a computer can talk to that device," Radcliffe said.
That lack of awareness has to change, just in the manner people are now very careful of their credit card number because "it's under attack all the time," he noted.
In the same way, device makers need to do a better job of helping patients understand "what's going on with their device, the privacy concerns, how things are being encrypted."
