Medical Devices Vulnerable to Hack Attacks

Security expert and diabetic Jay Radcliffe reveals flaws by hacking into his own insulin pump

Delivering a lethal dose of insulin, remotely stopping a pacemaker or even administering a deadly shock through a defibrillator are all real possibilities in the world of medical cybercrime, NBC 5 Investigates has found.

"Occasionally patients will raise the question, can somebody hack into these devices?" said Brad Knight, a cardiologist and the Director of Electrocardiography at Northwestern Memorial Hospital.

Knight and his team at Northwestern implant about 600 pacemakers and defibrillators each year that can be remotely monitored and programmed.

"We can wirelessly communicate with these devices," Knight said.

But this cutting edge technology is what makes these devices vulnerable, and NBC 5 Investigates has discovered some of these devices are not secure, making it possible for cybercriminals to remotely access and alter the equipment.

"That does give me some concern," said Jerry Hoffman, who was born with a congenital heart condition.

The Evanston resident had open heart surgery at 34 and a pacemaker a year later.

"I don't know what people would do with the actual data, but they certainly could potentially manipulate the device for one reason or another," said Hoffman.

The idea of breaking into medical devices became a reality when security expert and diabetic Jay Radcliffe hacked into his own insulin pump.

"I reverse-engineered the communication between this and the insulin pump so that way I knew what kind of language to speak," said Radcliffe, who works for privately-held Boston-based cybersecurity firm Rapid7. "Once I
was able to do that, I was able to write my own program to modify all the settings in the insulin pump, or to turn the insulin pump off."

Radcliffe's groundbreaking research exposed a security flaw that could allow hackers to remotely control the amount of insulin, potentially administering a deadly dose.

"The only thing you needed to know was the six-digit serial number on the back of this," said Radcliffe, referring to his Medtronic insulin pump.

A spokesperson for Medtronic told us the company does not share specifics about the way they secure their products. But she did say the company has made changes since Radcliffe hacked into his insulin pump.

"Over the last few years, we have made security improvements and design changes to some of our products, including software and firmware updates, expanded encryption and improved authentication and application integrity protocols," said Marie Yarroll, Medtronic public relations. "Many of these steps are also part of our product and technology development process."

Medtronic is considered one of the world leaders in medical device technology.

"We are aware of no instance of a malicious, criminal hack, and strongly believe that the therapy benefits of our products greatly outweigh potential risk," Yarroll said.

Security experts say vulnerabilities in medical devices are an industry-wide problem. Some medical device companies have designed cutting edge devices, but experts says they did not given much thought to the potential security flaws that could exist in the equipment and the software.

The Food and Drug Administration issued guidelines on encryption for wireless medical devices about a year ago. But currently there are no Federal requirements regulating medical devices. The FDA and Department of

Homeland Security are holding a public conference next month in Arlington, Virginia to discuss medical device and healthcare cybersecurity.

"I think everything with a computer has flaws," said Dr. Kevin Fu, who will be speaking next month at the cybersecurity conference.

The University of Michigan professor tests all types of medical devices in his Michigan lab.

"They do have shortfalls in that security wasn't really part of the picture when they were designed," Fu said.

Fu uses a synthetic cadaver to test out the devices.

"We actually look at defensive approaches and technology that might allow us to either detect or stop malicious attacks," he said.

Fu has been called to testify before both the House and the Senate. Ultimately, he hopes his research will force medical device companies to increase security.

"The problem with malicious hacks is what is going to come down the line in the future if the manufacturing community doesn't solve these problems," he added.

And that remains a big concern among security experts.

"People who are building these devices are not security people who are familiar with what it takes to withstand all of the attacks," said Christopher Budd, Global Threat Communications Manager at Trend Micro.

And if these security issues aren't addressed, doctors say technology - and patient care - can't move forward.

"I think there are a lot more things we can do for patients that are not a possibility currently because of these concerns about somebody hacking into a device," said Northwestern Cardiologist, Dr. Brad Knight.

Contact Us