Addressing Medical Device Security FlawsSecurity Expert Describes Insulin Pump Incidents
The increasing connectivity of medical devices brings growing risk to patients, says security expert Jay Radcliffe.
Radcliffe, a diabetic patient who has uncovered and reported to the Food and Drug Administration security flaws in two different insulin pumps, says security issues in medical devices are becoming more common.
"The thing that makes medical devices different [from other systems] is that they're actually connected to a person," says Radcliffe, a senior security analyst at the consulting firm InGuardians, in an interview with Information Security Media Group [transcript below].
Radcliffe would like to see manufacturers to provide frequent software updates to medical devices, just like the updates offered for smart phones or tablets. "[The update] comes up on the screen and it says there's an update available," he says. "I'd like to see this type of functionality by the ... manufacturers of these devices. It should be a very easy process to upgrade devices, so that way they can have the latest and safest software available to them at all times."
In the interview, Radcliffe discusses:
- How encryption and authentication can improve the security of medical devices;
- Steps that healthcare providers and vendors should consider to mitigate security risks of medical devices;
- Why current password practices related to medical device firmware present security risks.
Radcliffe, who has been working in the computer security field for more than 12 years, is a senior security analyst at InGuardians, a Washington-based security consulting firm.
Insulin Pump Security Flaw
MARIANNE KOLBASUK MCGEE: You've recently uncovered a new, potentially dangerous, security flaw in an insulin pump. Can you briefly describe the flaw, and was it the same kind of flaw you had previously found in another model of insulin pump?
JAY RADCLIFFE: The insulin pump that I wear now is made by a company called Animas, and it's called an Animas Ping. What ended up happening with this particular situation is earlier this year ... I had a significant low blood sugar event, called hypoglycemia. That's when your sugar goes very low. When this occurred, I corrected for it. I didn't have to go to the hospital, but I did have to do some things to make sure that I maintained my level of health and maintained functioning. But the next day, I followed up to try and figure out exactly what the cause of that low blood sugar event was. What I discovered kind of disturbed me. I had changed the battery that evening on that device because it runs on an AA battery. When I changed the battery, it did not remember how much medicine was in my body. So an hour or so later, when I went to give myself medicine, it calculated the incorrect amount of medicine to give me. It ended up giving me way too much insulin instead of the proper amount that I needed, and that ended up leading to me having a hypoglycemic event.
I brought this up to the FDA. I went out to their site in Silver Spring, Md., visiting with them, talking about cybersecurity issues, and I brought this up. We had a discussion about if this is in the realm of cybersecurity. They felt that it was because it's directly related to a computer - it's a computer bug essentially - and that it had a significant impact on my health. It was a very, very dangerous condition. Because of that, I went through the process of submitting that to the FDA for them to review and for them to notify the vendor of the problem.
MCGEE: Now, how does that compare with the previous problem that you found with another insulin pump that made the device vulnerable to hacking?
RADCLIFFE: The previous issue that I found with the other pump had to do with the way it communicated wirelessly when it was being configured, and how it communicated with a computer. That's a very theoretical thing. It's something that I could do in a lab, but it's not something that you would ever see in the wild, as we term it. No patients would have to worry about that. This [recent event] is much more significant in that it actually has occurred to me, and actually has occurred to me twice in the last year, where this software bug has caused me to have low blood sugar because of its inability to calculate the proper amount of medicine to give me.
Commonality of Medical Device Risks
MCGEE: How common do you think these and other kinds of security flaws are in medical devices? You being a patient discovered this the hard way, but you have background in technology to figure out what was going on. What sort of risks do you think this poses to other patients? What are the security risks that these pose to the healthcare organizations that use these devices?
RADCLIFFE: These types of security issues, especially with everything becoming more computerized and more connected, are going to become more common. Just like as we use computers more for our financial systems, for the economy and for everything really, we see problems coming up more and more that relate to them. It's the nature of [using] computer systems. The thing that makes medical devices different from financial is that they're actually connected to a person, and those systems are responsible for keeping that person in good health and, in some cases, alive. The risks to the patient are very, very high. Any time you deal with human health and human life, obviously that takes precedent and that's a very, very big risk to have. Even the slightest amount of vulnerability or the slightest mistake could cause significant problems.
Now, as we get more computers into the medical environment, ... there are going to be more people looking at them. In the past two years, there's been a significant amount of research done on these types of medical devices. Researchers have done a very good job at working with the FDA, like I have, to try and make a very good relationship between the FDA, the device manufacturers and the research community. Together, I think that we're doing the best job we can at trying to make these devices safer, getting a lot of cooperation from other organizations because they see us making the world safer and making the medical healthcare environment safer.
Steps Organizations Can Take
MCGEE: How should these kinds of medical device security risks be mitigated by healthcare organizations?
RADCLIFFE: First and foremost, you have to look at how healthcare organizations and medical device vendors respond. There's a belief, or a very commonly held standard, that you won't be judged as much on the mistakes you make but how you react to them, because there are going to be bugs. There are going to be vulnerabilities that are found. The important part is that you can react to them and address them quickly.
One of the comparisons that I make is when you look at your home computer running Windows now. Microsoft every month puts out patches fixing things that they found last month, and that makes their computer environment safer. When we look at these healthcare organizations, we want to see them react. We want to see them react responsibly and we want to see them react quickly to these types of issues so that way they can put people in the safest place possible. We encourage healthcare organizations to practice this, to prepare ahead of time for it so that way there aren't any surprises, so that way your entire executive staff understands, "Okay, somebody found a problem. That's not that big of a deal. We can get the engineering team ... and we can address this situation quickly."
In the past two years, we've seen organizations struggle with this, where we've seen them not be prepared and say "we're not going to address the issue." That puts a lot more risk and doesn't really mitigate the risks that are discovered and found.
Addressing Medical Device Risks
MCGEE: How should these risks be addressed by the medical device makers?
RADCLIFFE: Medical device makers need to be prepared to apply updates to their devices in a reasonable fashion. For example, when you do have a cell phone or an iPad, when Apple comes out and they say, "We fixed a problem," it's very easy. It comes up on the screen and it says there's an update available for your phone. You click "yes," and five minutes later your phone has the latest software on it, it's safe and running again efficiently. I'd like to see this type of functionality produced by the healthcare vendors or the manufacturers of these devices. It should be a very easy process to upgrade devices, so that way they can have the latest and safest software available to them at all times.
Security by Design
MCGEE: The FDA recently issued guidance to device makers saying that cybersecurity should be a consideration in the design phase of their products. What do you think medical device makers should be doing better in their design phases to address these cybersecurity risks? What are the biggest mistakes that you think they're making?
RADCLIFFE: For the most part, we see a lot of medical device vendors that believe their product isn't going to be connectable to other things, that they live in kind of a bubble and other systems won't interact with it. They assume that if you have an insulin pump and a remote, that the range is only 100 feet so they figure those are the only two devices that are going to communicate with each other. The reality is that with the explosion of medical devices and the explosion of wireless communication, there are a lot more risks out there, there's a lot more interference that can occur, but also there could be a lot more of unintentional malicious activity as well. We see this in computers all the time, where you accidentally click on an e-mail and then your computer is infected with something that causes your computer to slow down and causes your computer to not act correctly. These types of things can occur with medical devices if not handled properly.
Medical device vendors, when they're designing these devices, need to think about that and need to put in some protection and assume that there are going to be other devices, and there are going to be other people looking at what's going on with those communications. Encryption can be used; that way, other devices can't see very personal information being transmitted to and from a computer system. But also [they] need to put in additional protection to make sure that it validates who it's talking to so that way it knows if it's getting communication from the patient or if it's getting communication from somebody that's not the patient that could be harmful.
MCGEE: In June, the Department of Homeland Security issued a cybersecurity alert about vulnerabilities in the firmware passwords of approximately 300 medical devices. How big of a problem do you think this is, and what do you think the risks are to healthcare organizations and patients?
RADCLIFFE: I think the risk is very significant. With these 300 medical devices, there are thousands of them out in hospitals all over the world. If you know the password, you can get into that system and you can not only access patient data that's very private and very identifying, but also you might be able to do malicious activity from that. It would be like you knowing the password to your boss's e-mail system. Not only could you read his or her e-mail and know what's going on, but you could also send e-mail as that person and then cause a lot of trouble.
I think the same thing could happen here. These types of things, where you're hard-coding a password, that's exactly what the FDA is talking about. When you hard-code a password, you cannot change it. And as we all know from our own e-mail systems and our own personal lives, you have to be able to change your password on a regular basis because that's just part of the nature now. Your password isn't going to be secure forever, and nobody else should know your password. Having that type of functionality in there is super important to making sure these devices stay secure.