Medical Device Hack: A Turning Point?McAfee Hack Demonstration Could Create a Sense of Urgency
Security software company McAfee has exposed a vulnerability in one model of the Medtronic Paradigm insulin pump and believes there could be similar risks in other models, according to a report from the Reuters news service.
McAfee's demonstration raises concern about the potential for a hacker to lethally increase an insulin dose. And it points to the need to protect many other medical devices, including cardiac pacemakers, which have wireless connections.
A research team at McAfee developed code that allowed it to gain complete control of the functions of a pump from as far away as 300 feet, the report noted. The team used a PC and an antenna that communicated with the medical device over the same radio spectrum used for some cordless phones, according to the report. The insulin pump contains a wireless transmitter that allows patients and physicians to adjust their functions.
Although there are no known examples of a cyberattack on one of the pumps, Medtronic told Reuters it's working with McAfee to address the security flaws.
The Medtronic pump vulnerability was discovered by Barnaby Jack, an "ethical hacker" who joined McAfee last year after gaining notoriety by finding ways to hack into ATMs used at convenience stores and then force them to produce cash, Reuters reported. The manufacturers have since fixed the flaw by updating the software that runs ATMs.
Vulnerability to Attack
"Digitally enabled networked medical devices have essentially the same security risk profile as other computing devices, and we are all aware that, as hard as we try, most of our computing devices, be they medical devices or general-use computers, remain vulnerable to malware and malicious attacks," says Dale Nordenberg, M.D., a co-founder of the Medical Device Innovation, Safety and Security Consortium. The new group is striving to develop best practices for protecting medical devices.
"Unfortunately, in the healthcare delivery setting, medical devices often don't receive critical operating system and security updates," Nordenberg says.
The McAfee demonstration of an insulin pump hack, and previous medical device ethical hacking successes, are evidence of a "lack of consistency around secure design, build, testing and ongoing support of medical devices," says Jing Wang, M.D., a consultant with Booz Allen Hamilton and a co-founder of the consortium. "This is a systematic problem, and no panacea will cure it."
Wang calls on vendors to work with users, regulators and industry experts to create and implement a set of "security/safety baseline requirements throughout the medical device life cycle. Additionally, the manufacturers and user community should work together to proactively and regularly conduct penetration tests to identify and address hidden vulnerabilities."
In a statement provided to HealthcareInfoSecurity, Medtronic said: "Medtronic takes patient safety and device security very seriously, and we appreciate the security community bringing new information on the possibility of manipulating or 'hacking' our insulin pumps. We have been increasing our focus on the prevention of tampering with our products and look forward to partnering with the security, healthcare and diabetes communities to develop ways to better protect patients from the risk of tampering, which is necessary to keep pace with a new and rapidly evolving technology landscape.
See Also: Rethinking Endpoint Security
"We have taken a number of steps to address this matter, including conducting an in-depth risk/benefit analysis to clearly assess the potential risk, evaluating the best encryption and security technologies for incorporation into our products and design process, and finally, committing to establish an industry working group that engages relevant stakeholders from the diabetes, healthcare and security community to develop new approaches and best practices to device security.
"Because insulin pumps are widely used by patients with diabetes for tight blood sugar control and lifestyle flexibility, we are also working to assure both patients and doctors that at this time we believe that the risk is low and the benefits of the therapy outweigh the risk of an individual criminal attack."
At a conference this May, Bakul Patel, policy adviser for The Food and Drug Administration's Center for Devices and Radiological Health, noted: "The risk is growing exponentially with the convergence of medical devices and wireless technologies." But the FDA had no information directly tying any patient safety cases to security issues for medical devices, such as heart monitors and infusion pumps, he said.
Meanwhile, researchers at Massachusetts Institute of Technology and the University of Massachusetts, Amherst are attempting to develop a transmitter called a "shield" to protect wireless communication to and from implantable medical devices (see: Could Your Pacemaker Be Hacked?).
And in yet another medical device security effort, the Department of Veterans Affairs has rolled out a Medical Device Isolation Architecture, Randy Ledsome, the VA's acting director of field security operations, said in a June interview. The architecture relies on virtual local area networks to help isolate the devices from the rest of the VA network. And it uses access control lists to prevent, for example, linking a device to the Internet, where it could become infected. Since January 2009, the VA has detected that 181 medical devices have been infected with a virus, but "none has resulted in any major harm to our patients, to our knowledge," Ledsome said.