Medtronic Inc. has asked software-security experts to investigate the safety of its insulin pumps, as a new claim surfaced that at least one of its devices could be hacked to dose diabetes patients with potentially lethal amounts of insulin.
While there are no known examples of such a cyberattack on a medical device, Medtronic told Reuters that it was doing “everything it can” to address the security flaws.
Security-software maker McAfee, which has a health-industry business, exposed the new vulnerability in one model of the Medtronic Paradigm insulin pump and believes there could be similar risks in others.
Medtronic and McAfee declined to say which model is involved or how many such pumps are currently used by patients. It has two models of insulin pumps on the market and supports six older versions, with about 200,000 currently in use by patients.
The finding points to a broader issue – the potential for cyberattacks on medical devices ranging from diagnostic equipment to pumps and heart defibrillators, which rely on software and wireless technology to work.
“This is an evolution from having to think about security and safety as a health-care company, and really about keeping people safe on our therapy, to this different question about keeping people safe around criminal or malicious intent,” Catherine Szyman, president of Medtronic’s diabetes division, said in an interview.
Ms. Szyman, whose nephew uses a wearable Medtronic insulin pump, said the company turned to McAfee rival Symantec Corp and other security firms after an independent researcher exposed less serious vulnerabilities in the pumps in August.
Since then, a research team at Intel Corp.’s McAfee said it has developed code that allows it to gain complete control of the functions of one Medtronic insulin pump model from as far away as 300 feet. “We found a way around all the restrictions and all the limitations,” said Stuart McClure, a senior vice-president with McAfee who heads up the research team.
Mr. McClure, formerly a security expert at U.S. health-care giant Kaiser Permanente, says he is exposing such problems to draw them to the attention of manufacturers and regulators.
His team used a Windows PC and an antennae that communicates with the medical device over the same radio spectrum used for some cordless phones.
The type of vulnerability discovered by McAfee could theoretically be used as a new cyberweapon. A hacker could launch a “drive-by” attack aimed at a high-profile target, such as a politician or corporate executive, who uses this type of insulin pump, McAfee researchers said.
In August, Medtronic acknowledged that security flaws in its implanted insulin pumps could allow hackers to remotely take control of the devices.
The Medtronic pump vulnerability was discovered by Barnaby Jack, a well-known security expert who joined McAfee last year after gaining fame by finding ways to hack into ATMs used at convenience stores, then force them to literally spit out cash. The manufacturers have since fixed the flaw by updating the software that runs those machines.
The nightmare scenario, according to McAfee, involves a hostile actor launching a potentially fatal attack by taking control of an insulin pump, then ordering it to dump all the insulin in its canister.
That is something that was hard to imagine when the product was first designed – long before the recent rash of hacking attacks: “We are talking about code that was written over 10 years ago,” Mr. Jack said. “They never expected anybody to pop these devices open and look under the hood. We are trying to spark some change and get a secure initiative under way and get these devices fixed.”