What Medical Device Makers Should Know about Hacking: Insights from Jay Radcliffe

In a recent talk at Black Hat, cybersecurity specialist Jay Radcliffe demonstrated how the Animas Ping insulin pump could potentially injure or kill patients. Specifically, he showed how the device forgets its insulin dosing history when its battery is exchanged, and can potentially miscalculate blood sugar levels and insulin doses as a result. Radcliffe submitted the issue directly to the FDA. Johnson & Johnson maintains that the issue in question was a deliberate pump design decision. Conversely, Radcliffe contends that, while the issue is mentioned in the instructions for the device, it is potentially dangerous and should be addressed in the near term to protect patients.

At a previous Black Hat event, Radcliffe hacked a Medtronic insulin pump on stage, helping to bring mainstream media attention to the problem and, ultimately, more regulatory oversight to the broader issue of medical device hacking.

Now a senior security analyst at inGuardians, Radcliffe shares his thoughts in this interview on everything from the FDA decision to increase its scrutiny of medical device cybersecurity to the untimely passing of fellow medical device hacker Barnaby Jack.

MPMN: What is the main point that you'd like to get across to the medical device industry?

Radcliffe: The message is that we need to be fully aware how medical devices are connected to us as patients, and how they impact our lives. Security experts are going to continue looking at these devices, trying to find vulnerabilities to make the medical device world a safer place. The only way we can do that is by talking to FDA, vendors, patients--all of the responsible parties and getting us on the same page. That means, when you see a medical device problem, the manufacturer will say, 'oh, we can fix that. We can put an update out and make that device safer.' And not say: "Thank you for finding the problem but will fix it in the next-generation product that will be coming out in four to five years."
 

MPMN: How was your recent Black Hat talk on security issues with an Animas Ping insulin pump received?

Radcliffe: It was actually received very well. There were a lot of medical device vendors there interested in what I had to say, and they were encouraged by the fact that I am working with the FDA--within the structure that they are familiar with.
 

MPMN: How receptive have the FDA and the medical device makers been to your work?

Radcliffe: It really is kind of an odd relationship. FDA doesn't have a lot of power; they have the ability to look at devices and approve them, but, after that, they are really restricted in what they can do. They were never discouraging of the research that I was doing but they couldn't do much with it. And they have started to react to that by doing some more things in their review process to make devices safer from a computer perspective, whereas before they weren't doing those things. The research I do highlights that, and shows that five to seven years ago, FDA wasn't really looking at [cybersecurity].

The vendors take it from a different perspective. They need to know exactly what is important and what they should focus their resources on. They are also receptive to research on medical device hacking; they are not receptive to what comes after the research is published. For example, in this case, Animas was very grateful that I found a security problem in one of their device. But they came out and said they have no plans to make changes to that device.
 

MPMN: I've heard from a couple of security experts that hospitals are generally much more interested in the topic of security than medical device makers are. What are your thoughts on that?

Radcliffe: That is definitely the case. As a hospital buys these medical devices, they need to get their IT people hook them up to computers and make sure they are safe to be able to use on their networks. Whereas before, you had doctors making decisions on which medical devices to buy with no input from the IT person.

MPMN: How risky are modern medical devices from a security standpoint?

Radcliffe: There is clearly a risk in software and these can lead to health risks. That talk that I gave yesterday clearly highlights that. A software problem caused me to have very dangerous low blood sugar.

These devices have barely been looked at [in terms of cybersecurity] for a variety of reasons. I am pretty certain that if you look at any medical device you could find a problem. You could find things in the computer field that would be considered as vulnerabilities.

MPMN: When you first raised the issue that insulin pumps could be hacked, some diabetics were critical, saying that your work could slow down the approval FDA process for new devices.How do you think most patients using diabetic devices view the issue of cybersecurity?

Radcliffe: The diabetic community is very focused on handling their care as individuals. They are voicing their concerns, and rightfully so over things like the accuracy of glucose meters and when they can have access to new technology.

Quite often, I find that a lot of diabetic patients don't see the bigger picture, which involves making these devices safer over the long term. That goal doesn't really translate to their direct needs as diabetics.

MPMN: How can the medical device industry look at other industries to benchmark best practices in security? There was an article on the Huffington Post on that subject that mentioned the energy industry in particular.  

Radcliffe: The smart meter industry has gone through the same thing five years ago, where researchers discovered vulnerabilities to smart meters and the way that the industry reacted to it. As time has gone on, [hackers] have become less confrontational about it and cooperative in trying to make these things safer.  

The security issue goes through every vertical. At first, it involved Microsoft, Google, companies like that. Later, it was with smart meters. Now, it is happening with medical devices. These issues are all similar but these industries don't tend to look at one another.
 

MPMN: Fellow medical device hacker Barnaby Jack, who passed away suddenly, was scheduled to speak today at Black Hat. Any words on his untimely passing. 

Radcliffe: It's a big loss to the community. Barnaby and I played on the same playground. We disagreed quite often; we had very diverse opinions. But I have tremendous amount of respect for his technical abilities and the work he was doing. Losing him has made the world less safe.

Brian Buntz  is the editor-in-chief of MPMN and Qmed. Follow him on Twitter at @brian_buntz.