Hacking Healthcare: Are insulin pumps more susceptible to attack?

Insulin pumps are designed to be convenient and easy to use, but those features may make them more vulnerable to a hacker, a new report says.

That’s because some of these life-saving medical devices may contain a dangerous combination: Wireless access, security vulnerabilities and features that may prevent a patient from knowing when a device has been compromised, researchers warned at a health security and privacy forum this week. Malicious hackers, known as "crackers," could exploit those vulnerabilities and cause serious harm to or even kill unsuspecting patients.

Medical device companies downplay the risks, pointing out that there are no cases on record of malicious hacks on medical devices, let alone evidence that any patient has been harmed via cyber-attack.

However, there are enough examples of benign hacks into medical devices, either by researchers or by patients themselves, to raise concerns about wireless security in security circles.

Using an OmniPod automated insulin pump made by Insulet (NSDQ:PODD) as an example, a team of computer security experts highlighted the software vulnerabilities of medical devices, warning that "without requiring technical sophistication, an unauthorized party can significantly harm patients." The case was presented at the HealthSec 2012 USENIX Workshop on Health Security & Privacy in Bellevue, Wa., this week.

"The article is not a report on a scientific study," Insulet responded in an email statement sent to MassDevice.com today. "The authors are simply speculating on security risks. The authors do not report on any actual testing or violation of security systems in our patch pump or on any real-world incidence of a [personal diabetes manager’s] setting being compromised."

The OmniPod, like many wireless medical devices, has limited security built into its software, researchers said. Like other wireless insulin pump systems, its remote controller must be relatively close to the pump to effect insulin dosage and delivery, preventing long-distance access.

The amount of insulin delivered depends on pre-programmed, patient-specific settings. The controller tells the insulin reservoir when, how often and how much insulin to deliver, displaying some metrics and usage data to the patient – but not enough, the researchers warned.

With limited access to information and settings, the device is easier to understand and use, but patients may not be able to detect changes to underlying settings, according to researchers Nathanael Paul of the University of Tennessee’s Oak Ridge National Laboratory and Tadayoshi Kohno of the University of Washington’s Dept. of Computer Science & Engineering.

A malicious hacker (often distinguished from hackers who tinker for research or other non-harmful purposes with the label "cracker") could alter a pump’s settings from a distance, delivering dangerous amounts of insulin or preventing needed doses without the patient’s knowledge.

Insulet acknowledged the potential cybersecurity vulnerabilities in all devices, but insisted that its OmniPod is well-protected.

"While no electronic device is hack-proof, the OmniPod System is extremely safe," the company told MassDevice.com. "OmniPod utilizes a number of communications security, authentication, and integrity techniques to ensure secure communications for each user. Insulin pumps in general and OmniPod in particular, have been shown to be extremely safe devices."

A diabetic and computer security expert, Jay Radcliffe, demonstrated a remote hack into his own Medtronic insulin pump live on stage during last year’s Def Con hacker confab in Las Vegas. Radcliffe was able to manipulate his pump’s settings without setting off alarms and without leaving a trace, he said.

A team at software security giant McAfee later demonstrated an insulin pump hack from as far as 300 feet, altering a device’s programming and even triggering potentially lethal doses of insulin.

"Opportunities exist to undetectably change device settings, since devices are often left unattended during sleep, bathing, or exercise," according to the new report. "After identifying these issues, we recognize that work is needed both to prevent and detect these events."

Medical device companies that manufacture insulin pumps or other devices that require controllers and patient-specific programming, such as pacemakers and neuromodulation systems, should take steps to improve wireless device security, they added.

"In prevention, better authentication is needed to stop unwanted changes from occurring," the authors wrote. "For detection, better user interfaces and improvements in system event recording (i.e., forensics) are needed."

Device alerts may not sufficiently protect patients if a critical setting is altered, they noted, advising device makers to carefully navigate the line between user interfaces that provide necessary information and data overload that might confuse patients or lead to user errors.

"Portable implantable medical device systems are playing a larger role in modern healthcare," the researchers explained. "We consider this area of work an open research problem that needs greater attention."

The trade-off between convenience and security plagues many a software security expert.

"There’s a great amount of balance needed between devices that are built for convenience and speed and agility and time to market," Juniper Networks chief security architect Chris Hoff told MassDevice.com in an exclusive interview during the 4-day Def Con hacker conference in Vegas late last month.

"You’re talking about devices that put people’s lives at risk," he added. "There’s really no excuse for designing crappy and insecure systems."

"In the years since the OmniPod Insulin Management System has been on the market, including millions and millions of Pod uses, here and overseas, there have been no reported security breaches or unauthorized third-party use of a [personal diabetes manager]," Insulet told us. "We remain committed to continuously enhancing the safety and ease of use of the OmniPod System over time."
