Lawmakers call for probe of medical devices after researcher hacks insulin pump


Two federal lawmakers have asked the General Accountability Office to look into the security of medical devices after a researcher showed how he was able to hack his insulin pump and alter settings due to security flaws in the system.


Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA), members of the House Energy and Commerce Committee, asked the GAO last week to investigate the safety of medical devices that have built-in wireless communication capabilities and could be susceptible to such attacks.

"In bringing forward innovative wireless technologies and devices for healthcare, it's critical that these devices are able to operate together and with other hospital equipment, and not interfere with each other's activities and data transmissions," the lawmakers wrote in their letter to the GAO. "It's also important that such devices operate in a safe, reliable, and secure manner."

Earlier this month, Jay Radcliffe, a computer security professional who is also diabetic, showed how an attacker could remotely control insulin pumps to deliver too much or too little insulin to the individual wearing the device.

Radcliffe, who conducted the research on his own pump and delivered his findings at the Black Hat security conference in Las Vegas, said that because his insulin pump doesn't encrypt communication or require authentication from the systems that communicate with it, an attacker can sniff the traffic to study how the devices communicate, then devise commands to inject into the communication traffic to alter the insulin dosage. He also found that he could control what information is fed to a diabetic's blood sugar monitoring device so the individual would think he's receiving the right amount of insulin when he's not.

"My initial reaction was that this was really cool from a technical perspective," Radcliffe told the Associated Press. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."

He noted that many other medical devices that use wireless communication and allow for remote-control access could have the same vulnerabilities.


Image courtesy of the National Institutes of Health


This post originally appeared on Wired's Threat Level.


Dr Emilio Lizardo

Everybody take a deep breath here.

This method of murder is best suited to fiction as a novelty. In real life there would be many easier ways to kill somebody, especially a diabetic. You could do a von Bülow and shoot him up with extra insulin, you could unplug the pump and tie him up for a few days. You could cut his brake line. You could be more traditional and hit him in the head with a heavy object or shoot him with an easily obtained handgun.

Putting security on these devices is only likely to prevent casual mischief. Anybody who wants to do you harm will be able to hack whatever security they add if he is patient. Or if that's too difficult, see above. As Homer Simpson once said, "It's fiendish in its simplicity. Oh wait, it's needlessly complex."