Insulin Pumps May Be Hacked From Hundreds of Feet Away: Report

Insulin pumps may be more susceptible to hacking attempts than first suspected, according to a recent demonstration by a cybersecurity researcher. 

Barnaby Jack, a research architect for McAfee, Inc., demonstrated last week at the RSA security conference in San Francisco how hackers may be able to remotely access the pumps from up to 300 feet away, expanding concerns about Medtronic insulin pump security problems first raised last August at the Black Hat security conference in Las Vegas.

Security flaws in certain insulin pumps may allow individuals to scan an area for the devices, hack them and then cause the pump to deliver a fatal dose of insulin.

The problems were first highlighted by Jerome Radcliffe, another McAfee employee, who is now working with the Department of Homeland Security and the Computer Emergency Response Team (CERT) to push insulin pump vendors to address the problem seriously.

When the problems first came to light last August, Radcliffe demonstrated before an audience how easy it was to hack into an insulin pump and change the dosage from a distance.

While the manufacturer of the pump was not initially disclosed, Radcliffe later acknowledged that it was a Medtronic insulin pump because he felt that the manufacturer downplayed the problem by issuing a press release in late August saying that the security threat was not a concern.

Since August, Radcliffe has worked with the Department of Homeland Security and the Computer Emergency Response Team (CERT) to push insulin pump vendors to address the problem seriously. After Medtronic was revealed to be the manufacturer, the company announced it would work with cybersecurity experts to address the problem.

The issue initially focused on Medtronic Paradigm insulin pumps, but Jack has noted that the security problems occur throughout a number of medical devices that rely on wireless communication. However, he said that the chance of a real-world attack, which would require a high amount of technical skill, is unlikely.

The Paradigm insulin pump and a number of other infusion sets by other manufacturers have had numerous problems in recent years. In April 2010 the FDA launched an infusion pump safety initiative that requires manufacturers to undergo more risk assessments before gaining approval for new or modified devices.

In 2009, a recall was issued for Medtronic Paradigm insulin pump Quick Sets after the company determined that about 60,000 infusion sets used with the pumps were defective and could give too much insulin to users due to an air pressure problem.

A number of Medtronic insulin pump lawsuits have been filed over diabetic-related injuries resulting from the defective infusion sets. The FDA issued a warning letter to the company over its manufacturing processes, noting that it had quality assurance problems and that the on-site medical professional hired to determine if there was a medical problem with the devices had only a high school diploma.