Are Insulin Pumps Subject To Hacking?

The short answer is that if you own a Medtronic insulin pump that is able to transmit data to a computer, then it is not a secure device. What does that mean? According to numerous news reports dating back to as early as 2008, a hacker has shown a proof-of-concept device and software hack that can take control of most Medtronic insulin pumps.

In 2011, in Miami, Barnaby Jack of McAfee demonstrated a tool to take control of a Medtronic pump, deliver a massive dose of insulin, retrieve the data stored on the device or change the settings. Further, the demonstrated device could scan a large crowd of people, acquire a pump up to 300 ft. away, and carry out its dastardly intent. (http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/)

Barnaby reported that the hack worked on almost all Medtronic pumps because most have wireless capability. So, is this limited to Medtronic devices? Probably not; Medtronic was chosen because it is one of the largest pump manufacturers. It is likely that devices with similar wireless capability can be hacked, though I could not find articles dealing with other manufacturers.

Insulin pumps are just the latest medical device shown to be insecure. Jack and a separate researcher showed a proof of concept for hacking a pacemaker (http://deadlinelive.info/2013/08/18/remember-hastings-and-they-can-...). In fact, the FDA issued a letter of guidance to hospitals warning of the manipulation of computer-aided machines in hospitals. Their advice suggested that older Windows-controlled devices were likely not being updated and thus were easily available for hacking (http://www.forbes.com/sites/ericbasu/2013/08/03/hacking-insulin-pum...).

Oh, and just for fun: one hack involved producing a battery warning on an insulin pump, causing the user to change the battery, and then, during the startup, instantly exposing the device to external control (http://healthbizdecoded.com/2013/07/decoded-hack-able-implanted-med...). In this story there is proof of concept that some 300 medical devices, mostly in hospitals, have a terrible tendency to be hacked. It is a scary concept, but the biggest issue is likely pacemakers and insulin pumps.

Should we be worried? Probably not at this time; let’s face it, there is little upside to remotely hacking an insulin pump. Hackers are primarily interested in two things: money and mischief. The money motivation is difficult to imagine. In the proof of concept, the hacker needs to be within 300 feet of the target. If you are being blackmailed, moving outside that range solves the issue.

The bigger issue is likely mischief, and frankly most mischief is carried out by youth. Sure, there may be some fun in messing with pumps, but the downside is you could get life in prison, so is it really something to attack? Frankly, the bigger issue is likely hospital equipment. Say someone hates a hospital; it is likely they could wreak havoc just for fun or, I suppose, blackmail. But in order to do that, they would need near access and likely the ability to keep the machines updated, since these devices are often turned off and reset.

Still, this is a problem. Why? Because it is doable, and one knows that once it is shown it can be done, someone else will try it. It is just too tempting a target. Will it be aimed at Medtronic insulin pumps alone? Probably not. Let’s say I can remotely deliver 300 units to you. What fun do I get out of that? Maybe if I am a hacker, I might hate someone so much I try to mess them up by messing with their insulin pump, but again you have the big downside.

One writer speculated that an angry spouse could someday commit the perfect crime by hacking their partner's pump, but surely there are better ways to check people out of the world. Personally, I would be more concerned about schools. There is no evidence that any of these hacks have escaped into the wild. But if a pump hack did escape, I would be concerned about kids at school, who might for the heck of it try one of these things. In the meantime, we shall hope the hacks are not released and that Medtronic and other pump manufacturers make a more secure interface. Bluetooth, which is often used, is an incredibly insecure wireless connection. It may be possible to develop proprietary connections and wired access for uploading information.

Finally, the argument is that these standards are loose because users and emergency room personnel need to access the pump without a security setting, both for convenience and for immediate access in case of an emergency. Ahh, hackers: can’t live with them and you can’t live with them. (Yes, I meant to say that.)

-30-

Rick


Tags: blog, hacking, insulin, pumps

Comment by shoshana27 on November 14, 2013 at 6:56am

WOW SCARY :(

Comment by David Eddy on November 14, 2013 at 11:38am

Rick,

Have them hack my Omnipod so it will work with the Dexcom now that Insulet has given up on Dex and is going to come up with their own CGM! Just let me know where to stand. :)

Comment by rick the "Blogabetic" on November 15, 2013 at 4:14am

David, you stand 30 feet to the left and at the exact moment of the hack you need to clap your hands to the tune, Santa Claus is coming to town. Sorry it is a requirement.


© 2014   A community of people touched by diabetes, run by the Diabetes Hands Foundation.
