Can Your Insulin Pump and CGM be Hacked?

Could Your Medical Device Be Hacked?

| Sep 10, 2011

Here's the scenario: You're a famed prosecutor who happens to be on an insulin pump. One of the criminals you put away years ago has been released from prison, and he's eager for revenge. This is a particularly cunning criminal, so he hatches a subtle plan. He hacks into your insulin pump, giving you a massive dose of insulin without warning. As you drive to work one day, you begin to feel woozy. That's odd, you think, looking down to where the pump attaches to your stomach. I just ate....

Does the story sound impossible? Too crazy to be true? The work of a thriller writer or garden variety fear-monger?

Hardly. According to security researcher Jerome Radcliffe, it's disturbingly possible. Radcliffe, who has diabetes himself and uses both an insulin pump and a continuous glucose monitor, wondered if it would be possible to hack the devices. He gave a presentation on his findings, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," at the annual Black Hat security conference in early August.

"It would only take one person to do this to kill someone, and then you have a catastrophe," he said in a CBS News piece on the presentation.

Jamming the Signal

Radcliffe's methods were a bit technical, especially for those of us to whom insulin pumps seem magical to begin with. The source links at the end of this article offer some technical details.
Suffice it to say, Radcliffe managed to disrupt the wireless communications between his pump and its controller. He did the same with his continuous glucose monitor. In doing so, he figured out how to send fake information to the pump and the glucose monitor. This means that someone with ill intent could change a pumper's insulin dosage. He could also make the CGM show old data so that the person would be none the wiser.

Radcliffe declined to give specific information on his pump's maker, saying that he wanted to work with the manufacturer to enhance its security. He didn't disclose every single detail of his hacking, either. According to the tech website VentureBeat, Radcliffe said, "I won't give out details on how to kill me in the middle of a hacker conference. Lives are at stake here."

The good news? There's no evidence that anyone has actually tried to hack into diabetic medical devices this way. At least not yet.

Other Devices at Risk

But other people with medical devices should be concerned too, because insulin pumps aren't the only such gizmos with security concerns. According to a 2008 presentation, internally implanted pacemakers are also vulnerable to electronic attack. Remember the story at the beginning of this article? Imagine if that federal prosecutor had a pacemaker instead. Everything sounds a bit more plausible, doesn't it?

This earlier study involved medical professionals. Associate professor Kevin Fu of the University of Massachusetts worked with University of Washington researchers to reverse engineer pacemakers. After two years of work, they invented a $1,000 device that could issue instructions to a pacemaker and drain its battery.

"This is something that academics can do now. We have to do something before the ability to mount attacks becomes easier," said University of Washington grad student Daniel Halperin, who worked on the project, in VentureBeat.

What's the solution? If they're not doing it already, medical device manufacturers should take note of these findings. Just because they produce products that are covered by insurance and available through doctors doesn't necessarily mean that they'll be treated any differently by hackers than your average consumer electronics company. One of those companies,Sony, is out nearly $172 million after hackers took down its PlayStation network.

These bands of hackers, sailing under names like Lulz Security and Anonymous, have released names and passwords from thousands of online accounts. They have probed the websites of government agencies. Why? They thought it was funny. They wanted to dramatize the sad state of Internet security.

What's the evidence that hackers will treat medical device companies - and their customers -- any differently?


Sources
http://www.cbsnews.com/8301-501465_162-20088598-501465.html
http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html
http://venturebeat.com/2011/08/04/excuse-me-while-i-turn-off-your-insulin-pump/
http://latimesblogs.latimes.com/entertainmentnewsbuzz/2011/05/hacker-attack-cost-sony-172-million.html
http://venturebeat.com/2008/08/08/defcon-excuse-me-while-i-turn-off-your-pacemaker/

Click Here To View Or Post Comments

Categories: CGMs, Continuous Glucose Monitor, Diabetes, Diabetes, Insulin Dosage, Insulin Pumps, Medical Device, Pacemakers


Take the Diabetes Health Pump Survey
See What's Inside
Read this FREE issue now
For healthcare professionals only
  • What's on the Horizon with Diabetes Research and Therapy
See the entire table of contents here!

You can view the current or previous issues of Diabetes Health online, in their entirety, anytime you want.
Click Here To View

See if you qualify for our free healthcare professional magazines. Click here to start your application for Pre-Diabetes Health, Diabetes Health Pharmacist and Diabetes Health Professional.

Learn More About the Professional Subscription

Free Diabetes Health e-Newsletter

Latest
Popular
Top Rated

Latest Pacemakers Articles

Print | Email | Share | Comments (1)

You May Also Be Interested In...


Comments

Posted by Anonymous on 14 September 2011

It goes to show you that no matter what, someone will always take something wonderful and turn it into something else we everyday people have to be aware of. As if having to deal with Diabetes is not enough, If this ever really happens, then the hacker needs his own death sentence. And not a 23 year appeal bs, but an express lane, move to the front of the line version. 9 items or less. Unless we start making the punishment worst than the crime, not equal too, but worst will we get thugs, wake up.


Add your comments about this article below. You can add comments as a registered user or anonymously. If you choose to post anonymously your comments will be sent to our moderator for approval before they appear on this page. If you choose to post as a registered user your comments will appear instantly.

When voicing your views via the comment feature, please respect the Diabetes Health community by refraining from comments that could be considered offensive to other people. Diabetes Health reserves the right to remove comments when necessary to maintain the cordial voice of the diabetes community.

For your privacy and protection, we ask that you do not include personal details such as address or telephone number in any comments posted.

Don't have your Diabetes Health Username? Register now and add your comments to all our content.

Have Your Say...


Username: Password:
Comment:
©1991-2014 Diabetes Health | Home | Privacy | Press | Advertising | Help | Contact Us | Donate | Sitemap

Diabetes Health Medical Disclaimer

The information on this site is not intended or implied to be a substitute for professional medical advice, diagnosis or treatment. All content, including text, graphics, images, and information, contained on or available through this website is for general information purposes only. Opinions expressed here are the opinions of writers, contributors, and commentators, and are not necessarily those of Diabetes Health. Never disregard professional medical advice or delay seeking medical treatment because of something you have read on or accessed through this website.