At least one Medtronic Inc. (NYSE:MDT) insulin pump has software vulnerabilities that could make it a target for malicious hacks and other models may also be at risk, according to software security giant McAfee.
The McAfee team developed code that allowed it to take over the insulin pump, altering its programming and even administering potentially lethal doses from as much as 300 feet away.
While malicious hacks on medical devices have never occurred outside of research settings, the tactic could be used as a new type of cyber weapon, McAfee researchers found.
Medtronic hired Symantec and other tech security firms to investigate its insulin pumps after security experts began questioning vulnerabilities exposed during a security conference in Las Vegas this summer, Reuters reported.
Medtronic spokesperson Steve Cragle told MassDevice that the company is rolling out a concerted push to confront and solve the issue.
"We’re in the process of spotlighting this update on our Medtronicdiabetes.com website, as well as on our diabetes-specific site and have been in communication with the diabetes community through social media channels since this issue was first raised," Cragle told us in an email. "We have also been directly briefing key diabetes advocacy organizations and influencers."
The world’s largest pure-play device maker told us that it’s taken a number of steps to combat the potential for hackers to hijack wireless devices.
"Medtronic takes patient safety and device security very seriously and we appreciate the security community bringing new information on the possibility of a cyber-attack on our insulin pumps," according to an emailed statement. "We have been increasing our focus on the prevention of tampering with our products and look forward to partnering with the security, healthcare and diabetes communities to develop ways to better protect patients from the risk of tampering, which is necessary to keep pace with a new and rapidly evolving technology landscape."
The steps Medtronic has taken on the issue include an in-depth risk/benefit analysis "to clearly assess the potential risk," assessing encryption and security technologies with an eye toward integrating them into its pipeline and "committing to establish an industry working group that engages relevant stakeholders from the diabetes, healthcare and security community to develop new approaches and best practices to device security," according to the email.
"Because insulin pumps are widely used by patients with diabetes for tight blood sugar control and lifestyle flexibility, we are also working to assure both patients and doctors that at this time we believe that the risk is low and the benefits of the therapy outweigh the risk of an individual criminal attack," the company said.
The issue made headlines over the summer after a diabetic IBM security analyst, Jay Radcliffe, demonstrated a hack on his own insulin pump during a presentation at the 2011 Black Hat computer security conference in August.
"My initial reaction was that this was really cool from a technical perspective," Radcliffe told reporters. "The second reaction was one of maybe sheer terror, to know that there’s no security around the devices which are a very active part of keeping me alive."
