It couldn’t happen, but suppose it did? It’s straight out of an episode of Homeland; terrorists hack an implanted medical device and use it to administer a lethal shock to the patient carrying it inside them. As it turns out, hacking implants like pacemakers and insulin pumps is definitely possible, and device manufacturers have known about it for years. It’s taken a small cadre of computer hackers to show the public what companies like Medtronic dismissed as very remote possibilities – large scale device tampering leading to thousands of injuries and deaths. Are they playing a dangerous game of chicken by dragging their feet all this time?
Insulin pumps are for those living with Type 1 diabetes, a genetic disorder that results in the body destroying insulin-producing cells in the pancreas. Without the pumps to administer insulin to the body, these patients could not survive for long. Photo Credit: Flickr (Creative Commons license).
Medical Devices are Open Doors
As several professional hackers, including the late Barnaby Jack, pointed out, medical device manufacturers didn’t pay much attention to digital security when constructing their implantable components. Adding additional security features would weigh the devices down, shorten battery life, and make them bulkier. For an insulin pump that’s only about the size of a pager, adding additional weight can make a lot of difference in terms of how much the device costs. Shelling out extra cash won’t make those items popular with insurance companies, and they basically control what devices their policyholders have access to because they make the coverage decisions. In choosing to forego added security options, Medtronic and other manufacturers left their products dangerously vulnerable to ‘interrogation’; a technical term for transmitting a signal to an electronic device to interact with it. Without any encryption, an insulin pump doesn’t even involve the hacker equivalent of opening a door. All they need to do is stroll on in.
The second part of the problem is the increasing dependence on wireless communication for these medical devices to manage patient vital signs and know when to dispense medications. Ever jump onto an open Wi-Fi signal at a coffee shop? No password required. Just log in and surf the web. That’s basically the same principle when a hacker gains control of a device that’s using an unprotected wireless network. Modern pacemakers and insulin pumps – among other implantables – are no different than PCs or Macs when it comes to vulnerabilities. According to Jack, who was working for MacAfee at the time, the lack of security in implanted devices is “really quite shocking.”
Ignoring the Problem won’t Help
Medtronic, maker of the most widely used insulin pump in the United States, had previously refused to look into calls from Jay Radcliffe, a computer security expert and insulin pump wearer, that their devices were vulnerable to attack. Radcliffe reportedly exposed a security hole in Medtronic’s insulin pump after tinkering with his own device. All it took to interrogate a pump and order it to dump all its chemical contents was a radio transmitter about the size of a human index finger and a laptop computer. He presented the findings at the 2011 Black Hat security conference in Las Vegas, which unleashed a tidal wave of hysterics from parents worried that Radcliffe had essentially given criminals the ability to kill their diabetic children.
Medtronic’s Revel insulin pump retails for $6,000 to $7,000 before insurance coverage kicks in. Imagine spending that much on a product that a hack can take over with a finger-sized radio transmitter. Photo Credit: Flickr (Creative Commons license).
Radcliffe’s findings, despite their media coverage, are not the first to reach the surface. Warnings about possible hacks into Medtronic’s devices – namely their pacemakers and defibrillators – came as early as 2008 when The New York Times published an article detailing the findings of research teams that exploited the same security vulnerabilities Radcliffe would use three years later. Medtronic and others knew the day was coming when they wouldn’t be able to dismiss the concerns of security experts as “remote possibilities” or “low risk.” Did they do enough to close the gaping holes in wireless communication? That conversation didn’t begin in earnest until Radcliffe and Barnaby Jack upped the ante. Jack, famous for making ATMs spit cash with a keystroke at Black Hat, created simple transmitter that could scan a 300-foot wide area for common insulin pumps, interrogate those devices, and force them to dump their contents into the bodies of their wearers. The prospect of high casualties without the need to see targets or come in contact with them in any way must’ve been the fire medical device companies needed. How did computer hackers become one of the most prominent groups advocating for public safety?
Hackers to the Rescue?
The public image of a computer hacker is one who uses their digital powers for evil stealing credit card numbers and identities, brings down websites and infects computers with nasty viruses and malware. While that’s true for some, there are many “hackers” who wear the white hat; experts who seek to uncover security issues to warn companies before the wrong people discover them. Jack and Radcliffe have acknowledged that their work can be a double-edged sword for the community. In uncovering exploitable holes in security, and informing the public about them, there is the risk that the bad guys will try to use them to do, well…bad things.
Remaining proactive in discovering possible security threats allows companies and the public to stay steps ahead of those who might seek to use those weak points for illegal financial gain or to harm others. Knowing more about how a device works is never a bad thing.
The work these men and women (hackers) do forces manufacturers to take action. Was there a rush by Medtronic to close the barn door in the security of their devices before Radcliffe and Jack went public with their findings? I don’t recall hearing about any efforts back in 2008 when the issues received less coverage. Had Barnaby Jack not died suddenly just weeks before he was due to give a presentation entitled “Hacking Humans” at Black Hat 2013, we may not have heard that Medtronic was partnering with Jay Radcliffe, private security consultants and the Department of Homeland Security to shore up product encryption.
But What if it Happens?
Knowing about a serious threat to patient safety, and doing nothing to prevent foreseeable harm, is a breach of a very basic requirement every pharmaceutical/medical company shares. It’s no different than a department store leaving a puddle of water in the middle of a walkway for customers to slip. When a business makes their products available for sale, or invites customers inside to shop, they have a legal obligation to make the grounds and their items safe.
Acknowledging a security risk in its insulin pumps and pacemakers is only the first step in a much longer process to update existing models and develop new products that protect consumers. Medtronic manufactures the most popular insulin pump in the United States leaving potentially hundreds of thousands of patients in the crosshairs should a sick individual decide to do the worst. We need faster action here, not more foot dragging. The potential fallout from injuries resulting from tampered devices could mean millions of dollars in claims for damages. I’ll happily hold the manufacturer accountable in open court if it means we can force real action and affect real change.
One death looms large in this growing controversy and that’s Barnaby Jack. Full artillery batteries of conspiracy theories fired across Twitter, Facebook, and other social media sites this week at the charismatic hacker’s sudden, unexplained passing at just 36-years-old. While an autopsy is scheduled, we won’t have public results available for weeks if not months, according to published reports. While the cause of death will be hotly scrutinized, a better question (or concern) comes to mind: does anyone know what happened to the transmitter Jack built that can target insulin pumps from 300-feet away?