Insulin pumps are designed to be convenient and easy to use, but those features may make them more vulnerable to a hacker, a new report says.
That’s because some of these life-saving medical devices may contain a dangerous combination: wireless access, security vulnerabilities and features that may prevent a patient from knowing when a device has been compromised, researchers warned at a health security and privacy forum this week. Malicious hackers, known as "crackers," could exploit those vulnerabilities and cause serious harm to or even kill unsuspecting patients.
Medical device companies downplay the risks, pointing out that there are no cases on record of malicious hacks on medical devices, let alone evidence that any patient has been harmed via cyber-attack.
However, there are enough examples of benign hacks into medical devices, either by researchers or by patients themselves, to raise concerns about wireless security in security circles.
Using an OmniPod automated insulin pump made by Insulet (NSDQ:PODD) as an example, a team of computer security experts highlighted the software vulnerabilities of medical devices, warning that "without requiring technical sophistication, an unauthorized party can significantly harm patients." The case was presented at the HealthSec 2012 USENIX Workshop on Health Security & Privacy in Bellevue, Wash., this week.
"The article is not a report on a scientific study," Insulet responded in an email statement sent to MassDevice.com today. "The authors are simply speculating on security risks. The authors do not report on any actual testing or violation of security systems in our patch pump or on any real-world incidence of a [personal diabetes manager’s] setting being compromised."
The OmniPod, like many wireless medical devices, has limited security built into its software, researchers said. Like other wireless insulin pump systems, its remote controller must be relatively close to the pump to effect insulin dosage and delivery, preventing long-distance access.
The amount of insulin delivered depends on pre-programmed, patient-specific settings. The controller tells the insulin reservoir when, how often and how much insulin to deliver, displaying some metrics and usage data to the patient – but not enough, the researchers warned.
With limited access to information and settings, the device is easier to understand and use, but patients may not be able to detect changes to underlying settings, according to researchers Nathanael Paul of the University of Tennessee’s Oak Ridge National Laboratory and Tadayoshi Kohno of the University of Washington’s Dept. of Computer Science & Engineering.
A malicious hacker (often distinguished from hackers who tinker for research or other non-harmful purposes with the label "cracker") could alter a pump’s settings from a distance, delivering dangerous amounts of insulin or preventing needed doses without the patient’s knowledge.
Insulet acknowledged the potential cybersecurity vulnerabilities in all devices, but insisted that its OmniPod is well-protected.
"While no electronic device is hack-proof, the OmniPod System is extremely safe," the company told MassDevice.com. "OmniPod utilizes a number of communications security, authentication, and integrity techniques to ensure secure communications for each user. Insulin pumps in general, and OmniPod in particular, have been shown to be extremely safe devices."
A diabetic and computer security expert, Jay Radcliffe, demonstrated a remote hack into his own Medtronic insulin pump live on stage during last year’s Def-Con hacker confab in Las Vegas. Radcliffe was able to manipulate his pump’s settings without setting off alarms and without leaving a trace, he said.
A team at software security giant McAfee later demonstrated an insulin pump hack from as far as 300 feet, altering a device’s programming and even triggering potentially lethal doses of insulin.
"Opportunities exist to undetectably change device settings, since devices are often left unattended during sleep, bathing, or exercise," according to the new report. "After identifying these issues, we recognize that work is needed both to prevent and detect these events."
Medical device companies that manufacture insulin pumps or other devices that require controllers and patient-specific programming, such as pacemakers and neuromodulation systems, should take steps to improve wireless device security, they added.
"In prevention, better authentication is needed to stop unwanted changes from occurring," the authors wrote. "For detection, better user interfaces and improvements in system event recording (i.e., forensics) are needed."
Device alerts may not sufficiently protect patients if a critical setting is altered, they noted, advising device makers to carefully navigate the line between user interfaces that provide necessary information and data overload that might confuse patients or lead to user errors.
"Portable implantable medical device systems are playing a larger role in modern healthcare," the researchers explained. "We consider this area of work an open research problem that needs greater attention."
The trade-off between convenience and security plagues many a software security expert.
"There’s a great amount of balance needed between devices that are built for convenience and speed and agility and time to market," Juniper Networks chief security architect Chris Hoff told MassDevice.com in an exclusive interview during the 4-day Def Con hacker conference in Vegas late last month.
"You’re talking about devices that put people’s lives at risk," he added. "There’s really no excuse for designing crappy and insecure systems."
"In the years since the OmniPod Insulin Management System has been on the market, including millions and millions of Pod uses, here and overseas, there have been no reported security breaches or unauthorized third-party use of a [personal diabetes manager]," Insulet told us. "We remain committed to continuously enhancing the safety and ease of use of the OmniPod System over time."