The sober lesson of an Insulin pump hack

Much is being made of the insulin pump hack McAfee researchers recently revealed. It highlights a reality we have to accept, which is that in the online battle between good and evil, people are probably going to die.

I don’t say this to be an alarmist. In my opinion, there’s no reason for FUD over this. It’s just a simple acknowledgement that this is something the security community is going to have to deal with, just as we have to deal with the constant threat of storms, earthquakes, power grid failures and terrorist attacks.

It’s another fact of life we calmly need to factor into our security plans.

In the case of this hack, revealed this week by McAfee and based on weaknesses in the Medtronic pump discovered by researcher Barnaby Jack, Medtronic and other makers of medical technology have to be on guard for weaknesses that can be exploited to risk lives. Eventually, in my opinion, someone will probably die from this kind of hack. It may take several years, but the risk is real. Here’s the deal with the pump hack, as outlined in this Reuters report:

Medtronic Inc has asked software security experts to investigate the safety of its insulin pumps, as a new claim surfaced that at least one of its devices could be hacked to dose diabetes patients with potentially lethal amounts of insulin. While there are no known examples of such a cyber attack on a medical device, Medtronic told Reuters that it was doing “everything it can” to address the security flaws.

Security software maker McAfee, which has a health industry business, exposed the new vulnerability in one model of the Medtronic Paradigm insulin pump on Friday and believes there could be similar risks in others. Medtronic and McAfee declined to say which model is involved or how many such pumps are currently used by patients. It has two models of insulin pumps on the market and supports six older versions, with about 200,000 currently in use by patients.

The finding points to a broader issue — the potential for cyber attacks on medical devices ranging from diagnostic equipment to pumps and heart defibrillators, which rely on software and wireless technology to work.

“This is an evolution from having to think about security and safety as a healthcare company, and really about keeping people safe on our therapy, to this different question about keeping people safe around criminal or malicious intent,” Catherine Szyman, president of Medtronic’s diabetes division, said in an interview.

It’s good to see Medtronic isn’t taking this lightly, though other researchers have accused them of doing just that in recent months.

Meanwhile, if you make cars, you now have to account for the possibility that someone someday will try to exploit weaknesses in automobile computing in a way that could leave someone dead on the road.

This is the world we live in now. Don’t freak out about it. Just see it for what it is and plan accordingly.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a

Get your morning news fix with the daily Salted Hash e-newsletter!