Kaiser Health News — Jay Radcliffe breaks into medical devices for a living, testing for vulnerabilities as a security researcher.
He’s also a diabetic, and gives himself insulin injections instead of relying on an automated insulin pump, which he says could be hacked.
"I’d rather stab myself 6 times a day with a needle and syringe," Radcliffe recently told security experts meeting near Washington, D.C. "At this point, those devices are not up to standard."
Concern about the vulnerability of medical devices like insulin pumps, defibrillators, fetal monitors and scanners is growing as health care facilities increasingly rely on devices that connect with each other, with hospital medical record systems and – directly or not – with the Internet.
Radcliffe made headlines in 2011 by showing a hackers’ convention how he could exploit a vulnerability in his insulin pump that might enable an attacker to manipulate the amount of insulin pumped to produce a potentially fatal reaction. Now he talks about going without a pump to raise awareness about the potential for security lapses and the need for better engineering.
While there have been no confirmed reports of cyber criminals gaining access to a medical device and harming patients, the Homeland Security Department is investigating potential vulnerabilities in about 2 dozen devices. Hollywood has already spun worst-case scenarios, including a 2012 episode in the Homeland series portraying a plot to kill the vice president by manipulating his pacemaker.
"The good news is, we haven’t seen actual active threats or deliberate attempts against medical devices yet," said Kevin Fu, a University of Michigan researcher who has made his career testing the vulnerability of medical systems.
The bad news is that hospital medical devices may be vulnerable to hackers simply because they can be the weak link that gives a criminal access to a hospital’s data system – especially if the devices haven’t been updated with the latest security patches, said Ken Hoyme, a scientist at Adventium Labs, a cybersecurity firm in Minneapolis.
In the real world, he said, a hacker is more likely interested in stealing records he can sell than in harming a patient.
"There are not that many bad guys whose goal in life is to go and randomly mess with patients in hospitals," Hoyme said. "They want money, not to shut off the ventilator of a particular patient."
Hospitals are targets because they collect so much data, from patients’ Social Security numbers and financial information, to diagnosis codes and health insurance policy numbers.
Radcliffe estimates that medical identity information is worth 10 times more than credit card information – about $5 to $10 per record on the black market, compared to 50¢ per account for credit card information.
Crooks can use it to apply for credit, file fake claims with insurers or buy drugs and medical equipment that can be resold.
And unlike the victims of credit card theft, those with stolen medical identities might not know for months or even years, giving the thieves more time to use their information.