Hacking insulin pumps? There’s no excuse anymore

Cybersecurity breaches CSC Blogs

Despite warning after warning – the bad news regarding the security of medical devices keeps rolling in. Late last week, news broke that a researcher from Rapid7 had identified ways to remotely exploit an insulin pump through Radio Frequency (RF) communication.

While the risk is low that such attacks would be widespread, the risk is not insignificant. According to the researcher, the at-risk insulin pump system doesn’t encrypt the wireless communications in its wireless management protocol. “

Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used in an attack) can remotely harm users of the system and potentially cause them to have hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” the blog post detailing the research stated.

Prior to publication of the findings on the insulin pump vulnerabilities, the vendor, the U.S. CERT/CC, the FDA and DHS were all notified. According to Rapid7, the pump maker actively notified its customers about the risks and provided recommended mitigations.

What’s bugged me about this story, and most of the coverage around it (and I think it should concern you too or at least you should be aware) is that this isn’t the first time something like this has happened.

Way back in 2011, at the conference of an anti-virus vendor, a security researcher Barnaby Jack (Barnaby, or “Barnes” as he was known among friends, tragically passed away three years ago), revealed how it was possible to wirelessly compromise an insulin pump.

In his demonstrated attack, he gained total control of the pumps and could have delivered sequential maximum insulin doses until the unit was emptied. This attack would be lethal to most people. In later research, Barnes showed a crowd at the RSA Security Conference that it was possible to perform this attack up to just under 100 yards away if a special antenna was used.

Surely such attacks are not a substantial concern for most people, but they should be for politicians, business leaders, activists and others in the public eye.

These types of risks aren’t unique to insulin pumps. At the DerbyCon security conference last year, researchers demonstrated how thousands of medical devices, such as X-Ray machines, other types of drug infusers, MRI scanners and more, were all at-risk to attack. Some devices were not secure because of bad design, others were managed poorly by hospitals or medical providers.

Such defective designs shouldn’t be tolerated by consumers of these devices – nor should it be tolerated by insurers or the medical community. Medical devices that are open to wireless access need to be properly designed and built so as not to add new risks to patients.

RELATED LINKS

Security lags as IoT moves from prototype to deployment

Mobile devices and apps are driving a revolution in healthcare

Should our devices know when we’re stressed?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: