Hacking Healthcare: Are insulin pumps more susceptible to attack?

Insulin pumps are designed to be convenient and easy to use, but those features may make them more vulnerable to a hacker, a new report says.

That’s because some of these life-saving medical devices may contain a dangerous combination: wireless access, security vulnerabilities and features that may prevent a patient from knowing when a device has been compromised, researchers warned at a health security and privacy forum this week. Malicious hackers, known as "crackers," could exploit those vulnerabilities and cause serious harm to or even kill unsuspecting patients.

Medical device companies downplay the risks, pointing out that there are no cases on record of malicious hacks on medical devices, let alone evidence that any patient has been harmed via cyber-attack.

However, there are enough examples of benign hacks into medical devices, either by researchers or by patients themselves, to raise concerns about wireless security in security circles.

Using an OmniPod automated insulin pump made by Insulet (NSDQ:PODD) as an example, a team of computer security experts highlighted the software vulnerabilities of medical devices, warning that "without requiring technical sophistication, an unauthorized party can significantly harm patients." The case was presented at the HealthSec 2012 USENIX Workshop on Health Security & Privacy in Bellevue, Wa., this week.

"The article is not a report on a scientific study," Insulet responded in an email statement sent to MassDevice.com today. "The authors are simply speculating on security risks. The authors do not report on any actual testing or violation of security systems in our patch pump or on any real-world incidence of a [personal diabetes manager’s] setting being compromised."

The OmniPod, like many wireless medical devices, has limited security built into its software, researchers said. Like other wireless insulin pump systems, its remote controller must be relatively close to the pump to effect insulin dosage and delivery, preventing long-distance access.

The amount of insulin delivered depends on pre-programmed, patient-specific settings. The controller tells the insulin reservoir when, how often and how much insulin to deliver, displaying some metrics and usage data to the patient – but not enough, the researchers warned.

With limited access to information and settings, the device is easier to understand and use, but patients may not be able to detect changes to underlying settings, according to researchers Nathanael Paul of the University of Tennessee’s Oak Ridge National Laboratory and Tadayoshi Kohno of the University of Washington’s Dept. of Computer Science & Engineering.

A malicious hacker (often distinguished from hackers who tinker for research or other non-harmful purposes with the label "cracker") could alter a pump’s settings from a distance, delivering dangerous amounts of insulin or preventing needed doses without the patient’s knowledge.

Insulet acknowledged the potential cybersecurity vulnerabilities in all devices, but insisted that its OmniPod is well-protected.

"While no electronic device is hack-proof, the OmniPod System is extremely safe," the company told MassDevice.com. "OmniPod utilizes a number of communications security, authentication, and integrity techniques to ensure secure communications for each user. Insulin pumps in general and OmniPod in particular, have been shown to be extremely safe devices."

A diabetic and computer security expert, Jay Radcliffe, demonstrated a remote hack into his own Medtronic insulin pump live on stage during last year’s Def Con hacker confab in Las Vegas. Radcliffe was able to manipulate his pump’s settings without setting off alarms and without leaving a trace, he said.

A team at software security giant McAfee later demonstrated an insulin pump hack from as far as 300 feet, altering a device’s programming and even triggering potentially lethal doses of insulin.

"Opportunities exist to undetectably change device settings, since devices are often left unattended during sleep, bathing, or exercise," according to the new report. "After identifying these issues, we recognize that work is needed both to prevent and detect these events."

Medical device companies that manufacture insulin pumps or other devices that require controllers and patient-specific programming, such as pacemakers and neuromodulation systems, should take steps to improve wireless device security, they added.

"In prevention, better authentication is needed to stop unwanted changes from occurring," the authors wrote. "For detection, better user interfaces and improvements in system event recording (i.e., forensics) are needed."

Device alerts may not sufficiently protect patients if a critical setting is altered, they noted, advising device makers to carefully navigate the line between user interfaces that provide necessary information and data overload that might confuse patients or lead to user errors.

"Portable implantable medical device systems are playing a larger role in modern healthcare," the researchers explained. "We consider this area of work an open research problem that needs greater attention."

The trade-off between convenience and security plagues many a software security expert.

"There’s a great amount of balance needed between devices that are built for convenience and speed and agility and time to market," Juniper Networks chief security architect Chris Hoff told MassDevice.com in an exclusive interview during the 4-day Def Con hacker conference in Vegas late last month.

"You’re talking about devices that put people’s lives at risk," he added. "There’s really no excuse for designing crappy and insecure systems."

"In the years since the OmniPod Insulin Management System has been on the market, including millions and millions of Pod uses, here and overseas, there have been no reported security breaches or unauthorized third-party use of a [personal diabetes manager]," Insulet told us. "We remain committed to continuously enhancing the safety and ease of use of the OmniPod System over time."
