The Security Scrutinizer with Howard Anderson

Medical Devices: Improving Safeguards

'Ethical Hack' of Medtronic Device Points to Need for Risk Mitigation

Medtronic's announcement that it's launching an "in-depth risk/benefit analysis" following an "ethical hack" of one of its insulin pumps is good news. We hope that Medtronic and all other medical device manufacturers launch long-overdue, aggressive efforts to improve medical device safeguards.

The news that security software company McAfee exposed a vulnerability in one model of the Medtronic Paradigm insulin pump wasn't the first time that security issues have been raised about wireless medical devices.

For example, just a few months back, security expert Jerome Radcliffe, a diabetic, said he was able to transmit wireless commands to remotely disable his Medtronic insulin pump, citing a lack of encryption, according to several news media reports.

But this latest demonstration of an ethical hack could prove to be a powerful catalyst because of who was involved and what his team accomplished.

The Medtronic pump vulnerability was discovered by a McAfee team headed by Barnaby Jack, a well-known "ethical hacker" who joined McAfee after gaining notoriety by finding ways to hack into ATMs used at convenience stores and then forcing them to produce cash.

Jack's team developed code that allowed it to gain complete control of the functions of a pump from as far away as 300 feet, according to a report from the Reuters news service. The team used a PC and an antenna that communicated with the medical device over the same radio spectrum used for some wireless phones, according to the report.

The hack, of course, raises fears that a devious hacker - perhaps even a terrorist - could "adjust" a pump to provide a lethal insulin dose.

Developing Best Practices

Earlier this year, we reported on the launch of the Medical Device Innovation, Safety and Security Consortium. The new group is striving to develop best practices for protecting medical devices. And we're hoping the McAfee hack demonstration will draw attention to the importance of the consortium's efforts.

The latest demonstration of an insulin pump hack, and previous medical device ethical hacking successes, are evidence of a "lack of consistency around secure design, build, testing and ongoing support of medical devices," says Jing Wang, M.D., a consultant with Booz Allen Hamilton and a co-founder of the consortium. "This is a systematic problem, and no panacea will cure it."

Wang calls on vendors to work with users, regulators and industry experts to create and implement a set of "security/safety baseline requirements throughout the medical device life cycle. Additionally, the manufacturers and user community should work together to proactively and regularly conduct penetration tests to identify and address hidden vulnerabilities."

Medtronic, for its part, committed to "establishing an industry working group that engages relevant stakeholders from the diabetes, healthcare and security community to develop new approaches and best practices to device security." Perhaps the company can leverage the ongoing efforts of the consortium.

Dale Nordenberg, M.D., co-founder of the consortium, provided us with an update on its efforts. Its current activities include:

  • Working with Trend Micro, a security software company, and several healthcare organizations to assess the risk of malware infections;
  • Collaborating with Intel on development of a simulated medical device network that can be used to test network design, ultimately leading to new ways to mitigate security risks;
  • Assessing emerging medical device standards, such as ISO 80001, and developing recommendations to improve the standards;
  • Developing medical device purchasing guidelines for healthcare organizations.

It's time for all device manufacturers to work shoulder-to-shoulder with security experts and the healthcare provider community to devise practical, effective ways to protect all medical devices from malware as well as hacker attacks. We cannot afford to wait until someone gets hurt ... or killed.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
