When the insulin pump hacking story first broke two weeks ago, we viewed it mostly as a publicity stunt. But it’s had some interesting repercussions. Notably, two congressman have stepped up and requested that the Government Accountability Office (GAO) review the Federal Communications Commission’s approach to medical devices with wireless capabilities to ensure that the devices are “safe, reliable, and secure.” Well, that seems like good news…
The hullabaloo was enough for instigator Jay Radcliffe, computer security expert and type 1 PWD, to hold a follow-up webinar last Thursday. Below is a synopsis of Allison’s notes from that event:
* As of last Thursday, the manufacturer of the pump Jay hacked into has been revealed to be Medtronic Minimed.
* His reasoning and motivation for doing the hack? Jay claims he was inspired by the story of two men hacking into a city parking meter in San Francisco a few years ago. The city was forced to re-evaluate security measures for the meters. Jay apparently “had the same thing in mind” when he hacked into his own insulin pump. He says he wanted to help the companies by showing their “security vulnerabilities.”
* Reactions to Jay’s original presentation have run the gamut, but the most telling to Jay so far was that from Medtronic itself. The company largely dismissed the notion of any potential risks. That’s why Jay decided to go public with the manufacturer’s name, he says. “Blowing me off is not an ethical response.”
The upshot of this is that he seems to be in a bit of a pissing match with the company — or at least a “he says, she says” situation in which the truth probably lies somewhere inbetween:
* Jay explains: “The Electronic Frontier Foundation and I worked a lot on this issue. Quite often in the security community we will raise an issue without contacting a vendor. Companies that are not current with security issues often will try and litigate to prevent research from coming to light. It’s easy to bury legitimate research from an individual in a mountain of legal paperwork. The answer to that is ethical disclosure… Usually the company is appreciative of this gesture, and fixes the problem without having public scrutiny or pressure to rush thing. Some do not.”
* Jay picked apart Medtronic’s reaction, point by point:
Medtronic says: “information security of devices… is an integral part of the very fabric of our product design processes.”
Jay says: “this clearly isn’t the case,” as he found in his hacking there was “no authentication or encryption used” and that he publicly showed in Vegas that there are vulnerabilities.
Medtronic says: “Thanks to (our) information security measures, we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump.”
Jay says: “There are no security measures. Needing to know the serial number of the device is not security.” He claims it would be fairly easy for any hacker to devise what the six-digit serial number is for an insulin pump. (We’re not sure how…?)
Medtronic says: “To our knowledge, there has never been a single reported incident of wireless tampering outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”
Jay says: “Until now.” Obviously, that’s just because no one has ever thought to hack into an insulin pump. But just because no one has ever thought of doing it yet doesn’t mean no one ever will. (Guess we’d have agree there: crossing your fingers isn’t much of a security measure.)
Medtronic says: “He … TURNED ON the wireless feature and had access to specialized equipment … you can remove any uncertainty by turning OFF the wireless communication on your device.”
Jay says: “this is flat out not true” and that the wireless ability of an insulin pump cannot be turned off. This is why he was able to change any setting or configuration on his device. In addition, he has qualms with the label “specialized equipment,” saying he used his Carelink USB device. Although he did NOT give step-by-step instructions on how he used this equipment, Jay did perform the entire hack on stage in Las Vegas in what he says was “about a minute.”
Jay also claims that he worked with the Department of Homeland Security to contact Medtronic’s CEO’s office and left messages there on Aug. 10.
Of course, we had to look a little deeper into the other side of the story. Here’s how Medtronic responded to our inquiries:
John Mastrototaro, Medtronic’s VP of Research & Development, told us in a phone call on Aug. 26 that he had just spoken with the Department of Homeland Security in “an informal discussion in order to follow up to the claims that Jay made.” He says this was his first conversation with DHS and he was not aware that they attempted to contact Medtronic on this issue earlier.
Specifically, he says: “There is some security and authentication in the product. But there is not encryption. Those have two different meanings to these security experts.” He reiterated that their “primary method of security” is in the secrecy of the six-digit serial number, located on the back of an insulin pump. Another reaction post on the company’s blog that went up Friday stated: “We recommend that you protect the serial number of your pump as you would your social security number, passwords and other important personal information.” Hmmm.
John also stated: “One challenge for us as an organization is that we have to make trade-offs as to where we’re going to put our research dollars and what problems we’re going to solve. We’ve been very focused in the Artificial Pancreas Project… Our new platforms will have the latest encryption technology into those devices. Trying to stay way ahead of the ball is very difficult. It can take 5-7 years for new technology to get out. There is always going to be a potential risk that there’s an evolution of the technology that gets further ahead of the products. Our approach has definitely been proactive and serious, even though it is a remote risk as Jay has said. We want to incorporate solutions to our future iterations of product so that we make it harder still for this sort of thing to occur.”
One interesting factoid is that the security in the Paradigm insulin pump is 12-14 years old. “This was created before 9/11, before malicious intent really came about — when you used to be able to take a water bottle onto the plane,” John says. Twelve to 14 years? Haven’t enough new insulin pumps come out since then that they could have done just a little upgrading on security? We’ll admit, probability of hacking seems pretty low. But still, more than a decade and no security upgrades?
The two congressmen entering the fray are Reps. Anna Eshoo of California and Edward Markey of Massachusetts, both Democrats. In their letter to the Government Accountability Office (GAO), they ask for a report on the extent to which FCC is:
- Identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
- Taking steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
- Ensuring wireless enabled medical devices will not cause harmful interference to other equipment.
- Overseeing such devices to ensure they are safe, reliable, and secure.
- Coordinating its activities with the Food and Drug Administration.”
They also write: “In bringing forward innovative wireless technologies and devices for healthcare, it’s critical that these devices are able to operate together and with other hospital equipment, and not interfere with each other’s activities and data transmissions.”
Jay Radcliffe is, obviously, very excited about this development. To him, the behavior of the company in response to this revelation is more worrisome than the actual hacking itself.
On that note, Jay has announced that he is no longer a Medtronic user but has switched to Animas. He plans to hack their insulin pump in a similar manner. If successful, he says, “I will take the same actions I did previously. Hopefully Animas/J&J will behave better than Medtronic has.” Look out, Animas!
So what does all this mean for the rest of us pumpers? Of course we can only cross our fingers that this won’t further bog down the already-painfully-slow FDA process for approving new diabetes devices, like the Medtronic Veo system with low-glucose suspend function (hopefully hacker-safe!).
Should we also be worried about real and immediate risks to our personal safety? I think SecurityWatch said it best when they recently stated: “Radcliffe’s hack is interesting and helpful for pressuring device manufacturers to improve their security, but not especially scary.”
* * *
Cabin Pressure Safety:
As if our worries as pumpers weren’t numerous enough, now an endocrinologist in Australia has discovered that cabin pressure changes in flight might occasionally mess with dosing.
After hearing that a 10-year-old girl went low one hour after take-off (and we;re assuming they ruled out every other possible cause of a low blood sugar?!), Bruce King of John Hunter Children’s Hospital in Newcastle, Australia, and his colleagues discovered other cases of insulin pumpers who also went low after take-off. Apparently that was enough to spark a mini-study in which they sent 10 insulin pumps up in the air and discovered that they gave, on average, 1-1.4 extra units of insulin during take-off. During descent, when cabin pressure was increasing, some insulin was sucked back into the pumps, by about 1 unit.
Of course, 10 insulin pumps is hardly a statistically significant number, and one unit of insulin is probably not going to be deal-breaker for most adult patients (but it made a big difference to the 10-year-old!). We’d say that parents of small children who tend to go low during air travel might want to take note, and adjust accordingly.