You may remember the big headlines two years ago when PWD tech expert Jay Radcliffe gave a presentation at a hacker’s conference detailing what he perceived to be a real cybersecurity threat for medical devices. The media gobbled up the juicy story about how he was able to tamper with his own Medtronic insulin pump — though most level heads within the Diabetes Community saw this as mostly a publicity stunt and not a practical concern, while others felt betrayed, in that Jay was essentially “giving evildoers a blueprint” to harm or even kill pump wearers.
The media attention nevertheless caught the eye of a couple of Congressional members, who used Jay’s concerns as fodder to help accelerate serious medical device cybersecurity discussions that were already underway within legislative circles.
Fast forward to 2013.
Jay’s work is back in the public eye, as he recently presented at a hacker’s conference and interacted with the media to help spread his story. This time, he’s concerned about how the Animas Ping is designed to keep track of active insulin on board (IOB). Specifically, a battery change resets the number to zero, so the unit stops keeping track of active insulin.
The big difference this time around is that Jay is now working with the FDA to get Animas to respond to this issue and, he hopes, do something about it. This is part of a bigger push the FDA is making to encourage consumers to go through official agency channels to bring these product concerns to light, and “pressure” manufacturers to pay attention and respond.
Wow… the government agency teaming up with consumer advocates to force industry’s hand? That’s a sign of a new “patient empowerment era” if we ever heard of one!
After Jay’s 2011 presentation and all the media attention, Congress took notice and pushed the Government Accountability Office (GAO) to review cybersecurity for medical devices. The GAO issued a report last year, and that all led to legislation weaving these issues into law. The GAO and Department of Homeland Security pressured the FDA to adopt standards, especially with the growing popularity of cloud-based data sharing in devices. In June, the FDA issued draft guidance that would require device companies to include cybersecurity information along with clinical data when seeking approval.
Jay says regulators have reached out to security experts like him to investigate potential security issues in medical devices. The FDA doesn’t have the people internally to analyze these concerns effectively, and so that’s where Jay and other hackers come into the picture.
The Animas Ping Thing
When Jay first reached out a few weeks ago and told us he’d found a new medical device issue, I must admit I rolled my eyes and sighed at the thought of the sensational headlines sure to follow. After hearing his explanation of the details, I could see that the issue had some merit; as someone who’s been pumping for more than a decade but has never used an Animas device, the feature did seem a little strange and even potentially dangerous. But after some additional research and chatting with a few fellow PWDs who use the Ping, I determined this appears to be a case where Jay is — once again — blowing things out of proportion.
The battery change doesn’t make the system “forget” your IOB; it simply resets the number to account for the amount of time you take to replace the battery. Taking a bit longer happens to me often, actually, and so my IOB calculation wouldn’t be the same as if I’d just re-connected right away with a fresh battery.
Not everyone agrees, and that’s fine. Some fellow PWDs do see this as a safety issue, one that Animas should address.
Regardless, I worry about the over-dramatic response of the mainstream media, like these headlines that hit after Jay’s 2011 Black Hat conference presentation:
“Black Hat: Diabetic Researcher Finds Insulin Pump Glitch That Almost Killed Him”
“Hacking: Another Year, Another Insulin Pump Maker Outed on Stage”
“Hacker Demonstrates Just How Vulnerable Johnson & Johnson’s Insulin Pump Really Is”
Those sensationalized headlines just make me mad.
Now, I’ve reviewed the Animas Ping device and actually believe it makes perfect sense to be designed the way it is, even if other manufacturers might do it a little differently. Jay and I hashed out our differing views on this, and we just don’t see eye-to-eye. We discussed how this battery change safety issue may differ from a cybersecurity/hacking concern.
Threat or Simple Design Quirk?
This is how Animas responds:
We value Mr. Radcliffe’s input and we will consider it, as we do feedback from our other customers, as we continue to develop new products and enhancements to existing products.
It’s important to clarify that it is inaccurate to call this a software flaw or cybersecurity issue, as it is a deliberate pump design decision. We investigated the situation and the product is operating as intended, as described in our Instructions for Use Manual, and as explained to patients during training.
The OneTouch Ping pump was designed to reset the “Insulin On Board” (a calculation of how much insulin is left in the body after a bolus of insulin is given) reading to zero following a battery removal and/or replacement. This helps to prevent inaccurate dosing calculations that could result from the pump’s inability to take into account any self-administered insulin injections given during the time the pump is without a battery. The feature also helps to avoid inaccurate dosing calculations due to the steady decline in the calculated amount of insulin remaining in the patient’s system over time from a bolus of insulin administered, depending on how long the pump is detached from the body. Although the Insulin on Board amount is reset to zero, after the battery is replaced the patient can review recent insulin delivery information, including doses and times, in the pump history.
Every Animas patient receives training in order to operate their pump safely and effectively. This includes training regarding the Insulin On Board battery reset function. The function is also explained in our Instructions for Use Manual. It’s even an FAQ page online.
Jay couldn’t disagree more. “I see the battery change issue as a security problem,” he told us in an email. “Safety and security are the same to me. I see it as a huge problem, and Animas is completely wrong in its statement that ‘it’s in the manual so it’s OK’.”
I tend to agree with Animas that this documented design feature doesn’t pose a real threat. But then again, how many of us remember everything we were told during pump training and how many of us actually read every word in the manuals? So, who knows…?
Maybe this is something Animas should address, just to be as safe as possible.
Teaming Up with the FDA
How did Jay get connected with the FDA? He says he reached out to Animas multiple times after discovering the battery change issue, but didn’t get a response. He says the D-Community’s blowback two years ago didn’t play into his decision to take this to the FDA; it was actually a visit he made to an agency facility earlier in the spring. He mentioned the issue to one of their executive directors, and that person suggested Jay go through the agency’s disclosure process to help generate a response from Animas. Jay agreed.
“As a patient and as a security professional, I want to help make safer medical devices for everyone,” he told us. “These devices have a huge impact on a person, and I think it takes first-hand experience to really evaluate these issues. This has led many medical device vendors to hire InGuardians (the company I work for) to help them make these devices safer, especially with them being more connected to computers and, Lord help us, the Internet.”
We find the FDA’s latest push to work with PWDs and medical device users pretty fascinating, and something that could open up a lot of doors for those in our community trying to work with the FDA more on broad safety initiatives, like the StripSafely campaign for improved test strip accuracy.
Many had concerns this would cause the FDA to take longer in reviewing devices and add more costs to the manufacturing process, both to the detriment of us PWDs. We recognize that concern, but at the same time we get the urgency of addressing real safety concerns — whether they’re practical day-to-day worries or not.
To me, the real story here is how the patient community has found an ally in the FDA, in that the agency’s working with us to make sure our concerns are at least heard by the device manufacturers. We’ve been pushing for this kind of interaction for a while!
Therefore, the broader impact of Jay’s work is probably a positive one for all of us — despite all the hacking fear and hype.