Is your insulin pump safe?

I came across a thought-provoking article posted at The Register regarding an IT security flaw in, of all things, an insulin pump.  Now, this isn’t just any pump; it’s a subcutaneous device manufactured by Medtronic.  The security flaw was discovered by McAfee Research Associate Barnaby Jack.  This flaw isn’t your typical “slow down my PC” or “steal my credit card number” variant.  The flaw has the potential, albeit small, to be life threatening!

The insulin pump is designed to communicate wirelessly with an external monitor which allows medical staff to both monitor the device and alter the parameters of the device so that dosages can be increased or decreased as needed.  From a patient perspective this is fantastic.

The major vulnerability lies in the fact that the data stream is unencrypted.  Jack was able to write software that overrode restrictions which would normally prevent wireless commands from increasing dosages.  He was also able to turn off the pump’s normal behavior of vibrating or issuing a tone when it dispenses its normally life-saving insulin.  Under these circumstances it is possible to issue a series of commands which would deliver an undetected fatal dose of insulin, and to do it from a distance of up to 100 meters.


Is it likely to occur?  Of course not.  Does it sound like something from a Dan Brown novel?  Yes, indeed.

There have been similar discoveries in the past surrounding pacemakers.  Again, not very likely to occur but still technically possible.  How many other devices are susceptible to wireless alteration?  According to the article, Medtronic stated they would “incorporate stronger security” in future versions.  Future versions?

Wireless medical devices are not unique to Medtronic, nor are unencrypted data streams, so I don’t want to imply in any way that this is unique to their products.  Other medical device manufacturers have similar potential flaws.  Given the long development and certification times involved in producing this class of medical device, many on the market today were initially developed more than 10 years ago.  I’m fairly certain none were developed with an eye toward IT security.  It’s time the FDA open that eye and reevaluate these and similar devices.

It’s easy to ignore the potential for harm here and say the chances of anyone hijacking an insulin pump to injure, let alone murder, someone are minuscule.  A decade ago the same could have been said for someone hijacking a plane and using it as a guided missile to topple buildings and kill innocent victims.


~ by Marc Hedish on November 3, 2011.
