Q&A from Medtronic about "pump hack", links to diabetes blogs, more...

Aug. 4, the Washington Post and several other media published this story:
http://www.washingtonpost.com/business/technology/hackers-in-the-bl...


Several diabetes bloggers have shared their comments about it, including the following:
http://www.hanselman.com/blog/HackersCanKillDiabeticsWithInsulinPum...
http://sixuntilme.com/blog2/2011/08/hacked_jay_radcliffe_insulin_p....
http://www.ydmv.net/2011/08/pump-hacking-and-what-really-matters.html


This morning, I reached out to pump and glucose meter manufacturers, asking them for more information on this. Below I am pasting the Q&A I received from Medtronic Minimed's Director of PR:


Medtronic takes very seriously the issue of information security of devices. It is an integral part of the very fabric of our product design processes. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.

Technology is constantly evolving and Medtronic is continually incorporating measures to maintain information security, while ensuring our devices meet their intended purpose of saving and extending lives.

We understand that there are no absolute certainties in information security. However, we also know that being vigilant in reviewing the external security landscape, designing our products with information security in mind and creating rigorous, complex safeguards will help ensure product security.

Key Questions and Answers
Q1. I’ve read a report that says a device can be manipulated and subsequently disrupted. Is this true?
A. Yes, we are aware of this report. This is the first and only such report we have seen and we do not see a reason to believe that this is a reason for concern as your device went through extensive testing to make sure it would be safe and protected from external harm.

In the reported instance, the researcher had in-depth knowledge about the product he tampered with, such as the serial number of both the insulin pump and remote device, and he TURNED ON the wireless feature. Additionally, he had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment.

Q2. Has a Medtronic device ever been manipulated?
A. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.

Q3. How would I know if someone had manipulated my insulin pump?
A. If someone manipulated your pump to deliver a bolus of insulin that you did not want to receive, your pump would play back a series of tones to confirm the size of the bolus. So, you would be able to detect tones on the insulin pump that weren’t intentionally programmed and could intervene accordingly.

Q4. What could happen if someone tampered with a CGM monitor?
A. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use -- including the transfer of viruses and malicious code, which includes millions of devices worldwide.

We have and will continue to be vigilant in reviewing the external security landscape, designing our products with information security in mind and creating rigorous, complex safeguards which will help ensure product security.

In the very remote chance a patient encountered wireless tampering, a CGM monitor could potentially receive an erroneous sensor value or meter value. However, our CGM labeling requires patients to confirm the sensor glucose reading with a fingerstick measurement prior to making any type of therapy decisions. So, they would have the opportunity to investigate any type of discrepancy caused by wireless tampering.

Q5. Is there really anything Medtronic can do to “prevent” manipulation of devices?
A. We recognize there are people who focus on manipulation of devices – medical and otherwise. Most do so as part of an academic pursuit or to improve existing technology. We also recognize there may be some who have malicious intent. Our job is to incorporate information security measures into our designs, vigilantly monitor potential threats and to always be proactively finding ways to make our devices more secure for you. That is what we have done and what we will continue to do.

Replies to This Discussion

Typical Medtronic doublespeak.

I'm not a mathematician, or a security specialist, but I'd like to ask if you're talking about the same RSA that got hacked a little while back through social engineering?

Yes, same RSA. So no matter what the technological safeguards, if the PAYBACK is high enough, technological hacks can be achieved. The question becomes: is the payback worth the effort? What benefit would anyone get hacking into an insulin pump or stealing CGMS readings?

100% spot on. Insulin pumps are the wrong target for a hacker. Ridiculous concern. Sleep well my diabetic friends.

+1

Hackers are not attempting to kill people, at least not directly (this can be challenged with Lulz and Anon's recent release of so much personal police information). Still, for a hacker to literally want to kill someone, this would be a long shot. Additionally, according to the presentation given at BlackHat, the pump hasn't been fully hacked yet. However, I have read it can (and has) been done with the USB dongle.

Plus, I think most PWDs monitor their BGs enough that a 20u bolus or a reset of their pump would not go unnoticed.

Beyond that, almost anything is hackable with social engineering.
Astronomically minute concern. I can't believe anyone is even fretting over this. Worry about cellphones, credit cards, bank accounts, etc. Not this... at all.

You have to keep in mind, also, that this takes more CPU cycles which consumes battery power. Our pump batteries are supposed to last a few weeks, right?

Or they could just use Bluetooth with encryption, which would give more than enough security given that the CIA, Mossad, MI5, OSS, or whoever, only have a few days to crack it. I'm assuming that pairing is inherently secure; once the devices are paired and the communication is encrypted it's as good as a hard wire.

Thanks for posting this story. I was unaware of this until now. I enjoyed following the links you provided to other diabetes online bloggers.

It seems to me that the media play that this well-intentioned hacker started may very well have unintended consequences. If it slows down or stops FDA action on medical device approvals currently in the pipeline for diabetics, then it will harm me and the entire diabetic community.

I get that hackers can have a beneficial effect on the security efforts of profit driven companies. I only wish that the hacker's efforts would not threaten to slow down the speed of an already slow FDA.
Thanks Manny for posting MM's response and I will continue to follow the discussion... maybe you get more responses from pump and meter companies.

I read some of this last night on TuD and I did as Kerri from sixuntilme posted: went to sleep fine until I see the "sensationalist headlines of tomorrow."

Maybe one of the reasons pumps are expensive gadgets, compared to other electronic gadgets, such as an iPad?

© 2014 A community of people touched by diabetes, run by the Diabetes Hands Foundation.