Thanks to all of you who sent us tips about the recent insulin pump hacking story. We saw it. It was hard to miss. The mainstream media has lapped it up like fresh cream.
Actually, we’d heard from its instigator, type 1 diabetic and security researcher Jay Radcliffe, a few weeks back, pitching us on covering his presentation at the Black Hat Security Conference (ironically also in Las Vegas, taking place at the same time as AADE!). We chose not to cover it, for two reasons: the timing was bad for us, and frankly, we didn’t heed it much credit. A bunch of programmers obsessed with hacking everything under the sun would love this stuff… but for the rest of us? It seemed awfully implausible and sensational, i.e. more of a publicity stunt than anything else.
But ignoring it didn’t make the story go away (MURDER BY INSULIN PUMP? Eeegads! Nearly 300 articles on the topic to date). So denial was maybe not the best decision on our part. On top of that, we’ve learned that potential hacking of medical devices has been a hot topic for some time, at least insofar as it pertains to pacemakers and defibrillators. Other researchers have already proven that it can be done. So should this be a cause for major concern among PWDs after all? Doubtful.
Last year, Fierce Medical Devices reported that “security experts agree, the risk to patients is extremely low.” They also reported: “The FDA has issued guidance drafts regarding cyber security, spokeswoman Peper Long tells ABC, adding that the agency has not heard reports of malicious attacks on pacemakers, ICDs or insulin pumps.”
Is there an off chance that some real-life Gargamel would try to maliciously tamper with someone’s insulin pump? Hey, there’s always an off-chance of anything, but we’d have to assume that an attack like that would be aimed at some controversial public figure, otherwise what is the motive?
Not only that, but it’s clearly not as easy to do as Jay Radcliffe implies. When he experimented on his own pump, he had the advantage of having the serial numbers of the units he was working with. As type 1 technology blogger Scott Hanselman points out:
“All he requires to perpetrate the hack is the target pump’s serial number. This is like saying ‘I can open your garage door with a 3rd party garage door opener. Just give me the numbers off the side of your unit…’” Right.
In fact, Scott wrote the seminal reply to all of this last week in his post, “Hackers can kill Diabetics with Insulin Pumps from a half mile away – Um, no. Facts vs. Journalistic Fear mongering.”
Members of the DOC have been discussing this via email and Google groups, and generally come to the conclusion that we did: it’s best not to fuel the fire of fear. But they took it seriously enough to ping the leading pump companies: Medtronic, Roche, Animas and LifeScan. In response, Medtronic provided Manny with a brief Q&A posted over at TuDiabetes that not surprisingly downplays the threat from such attacks in the real world. They assure us that they’ve built in “rigorous, complex safeguards” and they also state:
“If someone manipulated your pump to deliver a bolus of insulin that you did not want to receive, your pump would play back a series of tones to confirm the size of the bolus. So, you would be able to detect tones on the insulin pump that weren’t intentionally programmed and could intervene accordingly.”
Good to know!
Other bloggers, including Bennet Dunlap and Kelly Booth, have expressed concern that all the negative media attention will only serve to further deter the FDA from making progress approving new advances in diabetes technology. Ugh!
At the end of the day, what pisses us off is that Jay felt compelled to give his audience of security experts a step-by-step demonstration of how to do it, peaking curiosity and calling national attention to the juicy notion that insulin pumps can be weapons of death — especially perturbing because hacking, among enthusiasts, is contagious:
“Showing that a far-fetched attack is possible is like cracking the 4-minute mile. Once someone does it, others often follow. Free or inexpensive programs eventually pop up online to help malicious hackers automate obscure attacks.” Duly noted by a North Carolina paper.
Also, as Kelly Close noted in a string of DOC discussions: “The fact is, insulin is dangerous and by definition so is any insulin delivery device – no reason to make people more scared if there is no way to address the problem yet.”
This is why, although he claims to have our welfare at heart, we feel this stunt wasn’t really in the best interests of our community.
What say you all? Do you believe that security of medical devices was a pressing issue that needed addressing one way or another, or do you view the whole insulin-pumps-under-attack story as just so much more fodder for sensational headlines?