Thanks to all of you who sent us tips about the recent insulin pump hacking story. We saw it. It was hard to miss. The mainstream media has lapped it up like fresh cream.
Actually, we’d heard from its instigator, type 1 diabetic and security researcher Jay Radcliffe, a few weeks back, pitching us on covering his presentation at the Black Hat Security Conference (ironically also in Las Vegas, taking place at the same time as AADE!). We chose not to cover it, for two reasons: the timing was bad for us, and frankly, we didn’t give it much credit. A bunch of programmers obsessed with hacking everything under the sun would love this stuff… but for the rest of us? It seemed awfully implausible and sensational, i.e. more of a publicity stunt than anything else.
But ignoring it didn’t make the story go away (MURDER BY INSULIN PUMP? Eeegads! Nearly 300 articles on the topic to date). So denial was maybe not the best decision on our part. On top of that, we’ve learned that potential hacking of medical devices has been a hot topic for some time, at least insofar as it pertains to pacemakers and defibrillators. Other researchers have already proven that it can be done. So should this be a cause for major concern among PWDs after all? Doubtful.
Last year, Fierce Medical Devices reported that “security experts agree, the risk to patients is extremely low.” They also reported: “The FDA has issued guidance drafts regarding cyber security, spokeswoman Peper Long tells ABC, adding that the agency has not heard reports of malicious attacks on pacemakers, ICDs or insulin pumps.”
Is there an off chance that some real-life Gargamel would try to maliciously tamper with someone’s insulin pump? Hey, there’s always an off-chance of anything, but we’d have to assume that an attack like that would be aimed at some controversial public figure, otherwise what is the motive?
Not only that, but it’s clearly not as easy to do as Jay Radcliffe implies. When he experimented on his own pump, he had the advantage of having the serial numbers of the units he was working with. As type 1 technology blogger Scott Hanselman points out:
“All he requires to perpetrate the hack is the target pump’s serial number. This is like saying ‘I can open your garage door with a 3rd party garage door opener. Just give me the numbers off the side of your unit…’” Right.
In fact, Scott wrote the seminal reply to all of this last week in his post, “Hackers can kill Diabetics with Insulin Pumps from a half mile away – Um, no. Facts vs. Journalistic Fear mongering.”
Members of the DOC have been discussing this via email and Google groups, and generally come to the conclusion that we did: it’s best not to fuel the fire of fear. But they took it seriously enough to ping the leading pump companies: Medtronic, Roche, Animas and LifeScan. In response, Medtronic provided Manny with a brief Q&A posted over at TuDiabetes that not surprisingly downplays the threat from such attacks in the real world. They assure us that they’ve built in “rigorous, complex safeguards” and they also state:
“If someone manipulated your pump to deliver a bolus of insulin that you did not want to receive, your pump would play back a series of tones to confirm the size of the bolus. So, you would be able to detect tones on the insulin pump that weren’t intentionally programmed and could intervene accordingly.”
Good to know!
Other bloggers, including Bennett Dunlap and Kelly Booth, have expressed concern that all the negative media attention will only serve to further deter the FDA from making progress approving new advances in diabetes technology. Ugh!
At the end of the day, what pisses us off is that Jay felt compelled to give his audience of security experts a step-by-step demonstration of how to do it, piquing curiosity and calling national attention to the juicy notion that insulin pumps can be weapons of death — especially perturbing because hacking, among enthusiasts, is contagious:
“Showing that a far-fetched attack is possible is like cracking the 4-minute mile. Once someone does it, others often follow. Free or inexpensive programs eventually pop up online to help malicious hackers automate obscure attacks.” Duly noted by a North Carolina paper.
Also, as Kelly Close noted in a string of DOC discussions: “The fact is, insulin is dangerous and by definition so is any insulin delivery device – no reason to make people more scared if there is no way to address the problem yet.”
This is why, although he claims to have our welfare at heart, we feel this stunt wasn’t really in the best interests of our community.
What say you all? Do you believe that security of medical devices was a pressing issue that needed addressing one way or another, or do you view the whole insulin-pumps-under-attack story as just so much more fodder for sensational headlines?


I commented when this story first came out.
In a sarcastic tone of voice, I said “thank you for showing hackers how to do this”.
It is fear-mongering, not that we need more of that.
Great story, Amy. Really appreciate your level-headed take.
I too have never understood people warning against certain acts by providing a step-by-step instruction on how to do said acts.
Thank you,
Rob
most of this is just stupid. the media loves something to chew. tell them to spit it out.
my only concern is like the one mentioned above: now that this idea is so popular, some idiot is going to try to do this. and motive? what if you’re living with diabetes in 11th grade and some hacker geek hates you? what about athletes and musicians who deal with this. . . what if someone decides to play it unfair. even if you can’t hack the pump, someone will come up with a sinister idea, just to “copycat” all the junk that’s been put out there. I wish the media were a little more responsible.
just a big eye roll from me on this one
I’m with Sandi on the big eye roll….lol
Thank you for the thorough sweep on this issue! There was so much discussion around it in so many arenas that it was hard to know what was really going on!
-Ginger
Totally agreed – an issue blown out of proportion by the presenter himself. Not even by the media sensationalizing something, but someone using the media for a “publicity stunt” about an issue that appears to already be adequately addressed by those who need to be thinking of this stuff. Hopefully the unnecessary coverage on all this doesn’t hinder the regulatory process. Now, I’m going back to my real concerns about insulin pumping.
“If someone manipulated your pump to deliver a bolus of insulin that you did not want to receive, your pump would play back a series of tones to confirm the size of the bolus. So, you would be able to detect tones on the insulin pump that weren’t intentionally programmed and could intervene accordingly.”
Now that’s a ridiculous response by Medtronic! On so many levels…
Thanks Amy, I hope this post gets as much traction as the fear-mongering Murder by Insulin, etc., newspaper ‘articles’.
Not worried about it. Radcliffe DID manage to get the signals, but could not decode them. He thought he was doing it to further knowledge of electronic security, but the media blew it way out of proportion. I don’t really blame him; I blame the insensitive media, who don’t know when to keep their mouths shut.
I spoke with Jay Radcliffe over the weekend and after our discussion, I wasn’t nervous about wearing my insulin pump. Besides, like he said, he told a roomful of hackers how to hack his pump, yet he still kept wearing it. If the hacker isn’t scared, neither am I.
Here’s a link to the blog post: http://sixuntilme.com/blog2/2011/08/hacked_jay_radcliffe_insulin_p.html
OK, so this was a self-serving publicity stunt that got caught up in some reporters’ search for interesting press. However, I believe that overall security is a (future) big, big issue that needs to be addressed. I’m thinking of how all of the new, mobile devices that you’re introducing to us in your article today are going to be connected to the medical networks that docs and hospitals are also connected to. Networks are the nirvana of hackers. Especially when they lead to billing subsystems (read dollars). Money motivations might be just around the corner and overshadow the “eye rolling” and general pooh-poohing of this topic noted by others’ comments.
Thanks for joining in the conversation. I think it has been important for the DOC to be in this conversation as a counterpoint to the tone of the media. Kelly is so right to point out that insulin is not trivial and regular use has risks. Day to day those using insulin face significant risk from well-managed insulin use; inventing new things to be scared of is nonsense. Yes, the wireless communication should be secure, but far more important is stopping delivery of insulin into someone who is already low.
That is available overseas. We as a community need to encourage more proactive guideline writing by the FDA so that similar advances get to market here in a more timely fashion. See:
http://www.ydmv.net/2011/08/repeat-after-me-dear-fda.html
Thanks again for joining in the effort to balance the hype.
Bennet
(Oh and for the record I use 1 t in Bennet)