As the largest pure-play medical device maker, industry giant Medtronic (NYSE:MDT) has been in the cybersecurity spotlight a few times now, but that spotlight is growing and has included, in recent months, Johnson & Johnson (NYSE:JNJ) and others.
Few medical device companies have talked openly about their cybersecurity concerns or strategies, but the "hacker" community is less subtle, taking their concerns to the public at conferences, through federal agencies and through contact with the media, forcing a sometimes tenuous partnership.
"We appreciate the security community bringing to us new information on this topic as it relates to our devices," Medtronic said in a statement sent to MassDevice.com. "Medtronic is actively engaged with security research firms and regularly conducts and uses independent assessments to improve the security of the system."
In general parlance, the term hacker most often refers to criminals. But the programming community divides hackers into "black hats," those looking to cause harm or illegally profit from their tinkering, and "white hats," those who probe systems for research, for security evaluations or for other benign purposes.
Thus far the medical device industry has only met the so-called white hats, but they've warned that the black hats are not far behind.
"An unspoken law of IT security is that any vulnerability will eventually be exploited," Alexandru Balan, chief security researcher for anti-virus and internet security provider Bitdefender, said in a company blog. "Patients risk losing their personal data, and systems within the hospitals may slow down and even become unresponsive if infected."
Medtronic was among the 1st targeted by a white hat hacker when in 2008 security researcher Kevin Fu uncovered security vulnerabilities in a Medtronic implantable pacemaker, using unencrypted traffic between the device and its controller to reverse-engineer the code and control its shocking capabilities. The company was in the hot seat again in 2011 when diabetic software security expert Jay Radcliffe hacked his own Medtronic insulin pump live on stage at a hacker conference in Las Vegas.
There have been no reports of criminal hacking of a medical device, but security experts say it’s just a matter of time.
Radcliffe made another media appearance this month, reporting a safety issue with his new pump, which is made by Johnson & Johnson subsidiary Animas Corp. Radcliffe told reporters that his new pump miscalculates insulin doses after the device’s battery has been swapped. Johnson & Johnson maintains that the dosage-reset is a feature of the device, not a glitch, and the company doesn’t plan to change it.
"We have been in direct communication with Jay Radcliffe and thank him for bringing his concern to our attention," Johnson & Johnson said in a statement sent to MassDevice.com. "It’s important to clarify that his concern with our product is not a software flaw but a deliberate pump design decision. The product is operating as intended and as described in our Instructions for Use Manual, and as explained to patients during training."
This type of hacking-and-reporting is a staple of white hat hacking, where part of the ethos requires that any vulnerabilities discovered be reported to the proper authorities so that they can be patched. The white hat community, which gathers every summer in Las Vegas to discuss strategies and play hacking games, has urged corporations to take their concerns seriously and to consider them a resource in the everlasting battle against cyber-criminals. Companies like Facebook, Microsoft and Google give out prizes to anyone who finds and reports a security hole.
Technology giants Microsoft, Google and Facebook offer prizes to encourage hackers to find and report security vulnerabilities.
The medical device industry hasn't gotten quite that cozy with hackers, but it may be heading in that direction. When Radcliffe 1st publicized his hacking in 2011, he said he was largely snubbed and accused Medtronic of ignoring his warnings, which the company flatly denied.
Just a year later Radcliffe sat beside Medtronic officials during a panel discussion in Washington, discussing medical device cybersecurity. Now Radcliffe’s made some friends at Johnson & Johnson, even though the company says the "flaw" he uncovered is anything but.
"We value Mr. Radcliffe’s input and we will consider it, as we do feedback from our other customers, as we continue to develop new products and enhancements to existing products," Johnson & Johnson told us.