When hacking could turn deadly

  • Article by: JANET MOORE , Star Tribune
  • Updated: August 22, 2011 - 12:15 AM

A cyber-security researcher's report highlights weaknesses in implanted devices, though the risk is small.

hide

Though the risk is small, Jay Radcliffe said the possibility of an attack on medical devices is serious.

Photo: Isaac Brekken, Associated Press

CameraStar Tribune photo galleries

Cameraview larger

Hundreds of cyber-security geeks watched recently as Jay Radcliffe stood on a Las Vegas stage and hacked into his own insulin pump, disabling its life-saving therapy.

The 33-year-old cyber-security researcher said the pump had "pretty much no security on it" -- a vulnerability it shares with pacemakers, implantable heart defibrillators and other medical devices.

His presentation at the annual Black Hat computer security conference this month highlighted a risk the medical-device industry has downplayed, arguing that only someone with advanced skills could hack the devices.

But Radcliffe said even the possibility of an attack should trouble leading medical technology companies, such as Fridley-based Medtronic Inc., as well as the Food and Drug Administration (FDA), which regulates the industry.

"It's not like someone stealing your credit card and you're out a couple hundred dollars," Radcliffe says. "In this case, if there's one failure in the system, we're talking about someone's life."

Two members of Congress last week asked the Government Accountability Office to investigate whether medical devices employing wireless technology are safe.

Many of the devices have grown sophisticated enough that health care professionals can program and control them remotely, via tiny embedded computers that transmit patients' health information. But that could also create risk.

Radcliffe is not the first to raise the issue. Three years ago, a group of academics published a study that showed implantable heart defibrillators could be hacked remotely.

They conducted their research in a lab by placing a device in a slab of bacon and ground beef to simulate the human body. A real attack could cause the device's battery to drain, rendering it useless, or cause it to administer an inappropriate electric shock to a patient's heart.

Device companies, regulators, doctors and others say the prospect of devices being hacked is infinitesimal. So far, they say, devices have only been hacked in controlled settings by highly skilled individuals like Radcliffe.

They argue it's far more dangerous for patients suffering from chronic diseases to eschew device therapy altogether.

While Radcliffe won't reveal the manufacturer of his pump, Medtronic is by far the leader in the field.

John Mastrototaro, vice president of research and development for the company's $1.3 billion diabetes business, said any claim about potential risks to patient safety is "really something we pay strong attention to."

Medtronic experts are now reviewing Radcliffe's research; several were in the audience for his Vegas presentation.

"It's a shame that, in today's world, we have to guard against malicious intent," Mastrototaro said. As the company develops next-generation insulin pumps, "we're always looking into what we can do to stay one step ahead of [hackers]."

University of Minnesota computer science professor Mats Heimdahl said that while the current threat is tiny, "it might be something in the future that could be a real serious problem."

Radcliffe's research caught fire in the blogosphere. Some fellow diabetics, worried about the repercussions of his research, vilified him online.

Radcliffe says his intentions are honorable: "As a researcher, you try to do things to help your community and make things safer and more secure."

What vulnerabilites exist

Radcliffe's curiosity was piqued two years ago, when the Idaho resident attended a presentation at the same convention on how smart-card parking meters in San Francisco could be hacked to provide free parking in the notoriously parking-challenged metropolis.

He found it "inspirational" -- he's no parking scofflaw, just fascinated in what vulnerabilities exist in devices with embedded computers.

Radcliffe needed only to look at the cellphone-sized device affixed externally to his own waist for a test case. He was diagnosed with Type 1 diabetes on his 22nd birthday and has been using an insulin pump to manage the disease pretty much ever since.

These pumps deliver insulin to the bloodstream around the clock, and patients can also start or stop insulin delivery to maintain normal glucose levels. To that end, many diabetics also use a second device called a continuous glucose monitor to more effectively monitor blood sugar levels. If levels are too high or too low the reaction can be dangerous.

Radcliffe said his brand of pump could be reprogrammed remotely by a stranger, with the wearer being none the wiser.

He used a USB device that could be purchased at a medical supply company or bought used on eBay.

The USB device helped him track the data being transmitted from the computer to the insulin pump.

He wrote a software program instructing the USB device. He just needed the serial number of the insulin pump, though a hacker would have to be in relatively close proximity of his mark to successfully hack the device.

Dr. Aaron Kowalski, assistant vice president for Treatment Therapies Research at the Juvenile Diabetes Research Foundation, said he isn't aware of a pump being hacked outside of a test demonstration.

An engaged community

The diabetes patient and caregiver community is wired and highly engaged. Top blogger Kerri Sparling, whose blog www.sixuntilme.com registers about 100,000 hits a month, said news of Radcliffe's research "made it sound like there's this guy lurking out there ready to hack into your pump, that it was a ticking time bomb."

She and others worry that the hacking publicity could slow the FDA from approving innovative new technologies to treat diabetes. "It already takes a very long time to get something new approved here," she said.

FDA spokeswoman Erica Jefferson wouldn't comment on Radcliffe's research, but said the agency has not seen a widespread problem of breaches in device security. The FDA also "expects manufacturers to employ an appropriate level of risk management that address patient safety" that includes security and privacy breaches.

But as the U of M's Heimdahl points out, "You have to ask yourself, 'What's the motivation to hack into a medical device?' If you want to hurt someone there are far easier ways to do it."

Janet Moore • 612-673-7752

  • related content

  • Jay Radcliffe

  • get related content delivered to your inbox

  • manage my email subscriptions

ADVERTISEMENT

Connect with twitterConnect with facebookConnect with Google+Connect with PinterestConnect with PinterestConnect with RssfeedConnect with email newsletters

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

 
Close