Medtronic Inc has asked software security experts to investigate the safety of its insulin pumps, as a new claim surfaced that at least one of its devices could be hacked to dose diabetes patients with potentially lethal amounts of insulin.
While there are no known examples of such a cyber attack on a medical device, Medtronic told Reuters that it was doing "everything it can" to address the security flaws.
Security software maker McAfee, which has a health industry business, exposed the new vulnerability in one model of the Medtronic Paradigm insulin pump on Friday and believes there could be similar risks in others.
Manny, thanks for posting this. I’m a Ping user; they say Medtronic is the only company with a vulnerable pump, but last year none of them were, so this is an issue that I think we should all be aware of.
Honestly I’m not concerned, though I would be if I were a drug lord or politician. I’m more at risk of getting hit by a car.
The article says The company said it is also consulting with McAfee and has informed patients, through its website, to check their insulin pumps if they have a suspicious encounter with another person.. I can’t find this anywhere on their site?
Being a computer geek myself, I would say it’s probably not trivial to hack a pump, and if somebody were to go through the effort to do such, they’d find it easier to just run you over with a car or something else less troublesome. Considering the consequences of hacking something like a medical device, I seriously doubt this will be a issue for 99.99% of people. It’s also just PR mongering for McAfee. Fear sells security products. Also note the weasely use of wording: and has informed patients… They didn’t say ALL patients, or even THEIR patients… I wish I could take everything I read from security companies with a grain of salt and assume they have good intentions, but it’s rarely the case.
(Full disclosure, my wife works for a major software security company.)
I think the first discussion was outlining that a potential security problem had been found. This release is about Medtronic hiring someone to improve the security of their pumps.
I am glad Medtronic is looking into this, but I really can’t say that I’m all that concerned. I cannot think of any reason why someone would go through the trouble to hack my pump. Most people I interact with each day don’t even know that I’m wearing a pump. I agree that if someone wants to off me, there are far easier ways to do it. For now, I’m going to save all my “diabetes worrying” on the things that are more probable, such as going blind or dying in my sleep.
I am glad Medtronic is looking into this. I am horrified that how to hack a pump was demonstrated. Prior to the demonstration, this would occur to almost no one.
Is their a problem with your carelink process? My carbohydrates total are not correct. THe total I put in during the day are not correct. I have had the pump replaced by you and still happening. I am on the Medtronic 722 pump with CGM. Thank you for the posting Manny
Just to explain, I work as a network security engineer and I focus on medical security.
Personally as someone who has a Medtronic pump on his hip every day I am glad to see that this information was released to the public. The researcher brought the information to Medtronic first and they ignored it. This is typical of most companies when you bring issues to them about their products. Only way to get these rather large issues fixed is to bring them out to the public.
I seriously doubt that anyone will actually use this “hack” to injure someone. That doesn’t give companies an excuse to ignore security though. It is normal practice now in IT to encrypt any kind of medical information that you are transmitting. Encryption is cheep and easy to do now.
Another topic this brings up though is the lack of security in almost all medical devices and systems. Every day I am looking at various electronic medical record systems and there are very few out there that are properly secured. You can go into most hospitals and look at all the wireless networks that medical devices are creating to talk back to the nurses and doctors. This is great technology, but all of that medical information is easily captured.
Hackers are no longer interested in just breaking into systems. There is an open market out there for medical records. Your record is worth money to someone. We should all demand proper security around our medical records, and our medical devices.
I am a Medtronic pump user. I check carefully read the results of delivery and generally how the pump is functioning. Being aware is important when we depend on the pump. There will be glitches at times regardless. Human error by the user (unintentional, of course), or lack of enough pump education (this varies depending on the individual). I keep a hand-written Daily Log as well as update my CareLink weekly.
I noticed last Thursday , Oct. 27 while flying from Western Canada to Toronto , ON the article in The Globe and Mail paper .
Manny’s timing of posting on October 25 was very speedy and I got to read about it HERE !!
I always do extra finger poking when flying …high altitude may make a difference to releasing more insulin into the system too ?
Thanks Manny Life is way to short, and I choose not to waste any energy on a FEAR created by such a cyber issue. Why would anyone want to hack my pump? What would they gain? My wife, she loves me, so, as interesting as this may be. I will continue to trust those I can, and not associate with those I can't. Life is way to short.
Two thumbs up on that reply Jed. Cyber-threats are all the rage in news these days. Most REAL attacks are stupid simple (which can be avoided...) and at large targets, or large numbers of small targets with real returns for those who attack.
…( have to keep this short …off to Toronto , ON , Canada at 6 am …sooo much to do , sooo little time