BOSTON (Reuters) - Medtronic Inc has asked software security experts to investigate the safety of its insulin pumps, as a new claim surfaced that at least one of its devices could be hacked to dose diabetes patients with potentially lethal amounts of insulin.
While there are no known examples of such a cyber attack on a medical device, Medtronic told Reuters that it was doing “everything it can” to address the security flaws.
Security software maker McAfee, which has a health industry business, exposed the new vulnerability in one model of the Medtronic Paradigm insulin pump on Friday and believes there could be similar risks in others.
Medtronic and McAfee declined to say which model is involved or how many such pumps are currently used by patients. It has two models of insulin pumps on the market and supports six older versions, with about 200,000 currently in use by patients.
The finding points to a broader issue — the potential for cyber attacks on medical devices ranging from diagnostic equipment to pumps and heart defibrillators, which rely on software and wireless technology to work.
“This is an evolution from having to think about security and safety as a healthcare company, and really about keeping people safe on our therapy, to this different question about keeping people safe around criminal or malicious intent,” Catherine Szyman, president of Medtronic’s diabetes division, said in an interview.
Szyman, whose nephew uses a wearable Medtronic insulin pump, said the company turned to McAfee rival Symantec Corp and other security firms after an independent researcher exposed less serious vulnerabilities in the pumps in August.
Since then, a research team at Intel Corp’s McAfee said it has developed code that allows it to gain complete control of the functions of one Medtronic insulin pump model from as far away as 300 feet.
“We found a way around all the restrictions and all the limitations,” said Stuart McClure, a senior vice president with McAfee who heads up the research team.
McClure, formerly a security expert at healthcare giant Kaiser Permanente, says he is exposing such problems to draw them to the attention of manufacturers and regulators.
McClure’s team used a Windows PC and an antennae that communicates with the medical device over the same radio spectrum used for some cordless phones.
The type of vulnerability discovered by McAfee could theoretically be used as a new cyber weapon. A hacker could launch a “drive-by” attack aimed at a high-profile target, such as a politician or corporate executive, who uses this type of insulin pump, McAfee researchers said.
In August, Medtronic acknowledged that security flaws in its implanted insulin pumps could allow hackers to remotely take control of the devices.
The U.S. Food and Drug Administration noted that there is no evidence of widespread problems from medical device security breaches. It says that device manufacturers are responsible for the safety of their software.
“Any system with wireless communication can be subject to interception of data and compromised privacy as well as interference with performance that can compromise the safety and effectiveness of the device,” FDA spokeswoman Erica Jefferson said. “We continue to closely monitor for safety or security problems.”
Medtronic is a leading makers of insulin pumps along with Johnson & Johnson’s Animas Corp and Insulet Corp. McAfee did not report vulnerabilities in models from other manufacturers.
The fresh concerns over the pumps made by Medtronic, the world’s largest medical device maker, follow a high-profile recall of heart defibrillator leads in 2007 and a more recent Senate probe into whether doctors it had paid failed to report problems from a spinal surgery product.
The company said it is also consulting with McAfee and has informed patients, through its website, to check their insulin pumps if they have a suspicious encounter with another person.
Medtronic officials have said it would be difficult to make changes to pumps already in use because of FDA regulations that require device makers to get agency approval before altering their products, including issuing software patches.
The company would likely have to first get FDA approval and then recall each pump, which uses wireless communications technology dating back 12 to 15 years, so that technicians could install the new software and check the equipment to make sure that it still accurately delivers doses of insulin.
Szyman said she could not say how long it would take Medtronic to come up with a fix for the vulnerabilities because its investigation is still ongoing. It is also unclear how long it might take the FDA to approve changes to the pumps.
“There’s different pathways to approval,” she told Reuters, noting that the agency typically takes six to 12 months to approve a new medical device.
Medtronic’s diabetes products, which includes its insulin pumps, accounted for more than $1.3 billion in revenue in its last fiscal year, out of a total of nearly $16 billion.
The Medtronic pump vulnerability was discovered by Barnaby Jack, a well-known security expert who joined McAfee last year after gaining notoriety by finding ways to hack into ATMs used at convenience stores, then force them to literally spit out cash. The manufacturers have since fixed the flaw by updating the software that runs those machines.
The nightmare scenario, according to McAfee, involves a hostile actor launching a potentially fatal attack by taking control of an insulin pump, then ordering it to dump all the insulin in its canister.
That is something that was hard to imagine when the product was first designed - long before the recent rash of hacking attacks: “We are talking about code that was written over ten years ago,” said Jack. “They never expected anybody to pop these devices open and look under the hood. We are trying to spark some change and get a secure initiative under way and get these devices fixed.”
Insulin is a hormone secreted by the pancreas that converts glucose into energy. In patients with diabetes, the body makes no insulin, or insulin levels are too low. This can cause the amount of glucose in the bloodstream to rise, a condition known as hyperglycemia.
When too much insulin is released into the blood stream, a person’s blood sugar can become too low, a condition known as hypoglycemia. Symptoms of hypoglycemia range from nausea and confusion to, in severe cases, seizures, coma and death.
McClure declined to say how many models in Medtronic’s line of insulin pumps were vulnerable. He said there is no evidence anybody else has identified the flaw or tried to exploit it.
“We just tested one model number,” McClure said. “But we believe that more than that are vulnerable.” His team demonstrated the vulnerability at a McAfee users conference in Las Vegas on Friday.
McAfee has consulted with experts at the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT. That agency works with private companies in industries including healthcare to help investigate potential cyber vulnerabilities in their products.
Officials with ICS-CERT and Symantec could not be reached for comment.
Reporting by Jim Finkle in Boston. Additional reporting by Toni Clarke in Boston, Anna Yukhananov in Washington and Susan Kelly in Chicago; Editing by Michele Gershberg, Edward Tobin and Martin Howell