Hacking a medical device: the bad and the good

KIFI

Some might say their cellphone is their most important device, but not if they have a pacemaker or an insulin pump. What if one of those devices suddenly stopped working or started pumping the wrong amount of chemicals into your body? A small team specializes in this exact science.

“That’s what we’re trying to put a stop to, is to find those threats before they get used in the wild,” said Carl Schuett, a security researcher with QED Secure Solutions.

Picking up radio-frequency transmissions out of the air, decoding them, and then using that information to hijack a device is a relatively new capability.

Schuett said this technology is becoming more available. That’s what makes the threat so serious. A simple USB transceiver costs $100. That’s all this small team would need to put someone with an insulin pump into hypoglycemic shock.

“It’s not good. You’re still either stopping the flow of insulin or delivering too much insulin,” said Schuett.

The team is putting themselves in the shoes of would-be bad guys. They reverse-engineered the device to read the radio waves from an insulin pump. When asked if their quest would give people ideas, they said they are actually keeping people protected.

“We would rather it be identified by us and fixed, than wait until somebody else finds it and uses it to target somebody,” said Schuett.

Their research hasn’t been in vain. In June 2019, the company Medtronic recalled dozens of at-risk insulin pumps after QED proved that the Mini-Med 508 insulin pump could be hacked. That particular pump was one of the most widely used models in the world.

Clinics are often ahead of the curve in finding out which models are at risk or out of date. They say people are always welcome to stop by.

“I would also encourage people if they aren’t sure,” said Becky Sulik, a registered dietitian and diabetes educator. “We can often tell by the model number here at the clinic whether that pump is out of warranty or could be in this category as well.”

KIDK Eyewitness News 3 anchor Todd Kunz asked the Rocky Mountain Diabetes Center in Idaho Falls about the possibility of a medical device being hacked. Sulik said she thinks the likelihood is low, and consumers should not be worried. Researchers from QED Secure Solutions agree.

“Largely the benefits of these connected medical devices outweigh the risks,” said Jesse Young, a security researcher.

But risk is exactly what this team looks for. Before insulin pumps, QED found a flaw in pacemakers. There was also a gap in security on these devices. Companies were hesitant to listen.

“I’ll say with the pacemaker, the response mechanism from their manufacturer wasn’t great from our standpoint. We felt like our research was a little bit dismissed,” said Young.

The Food and Drug Administration had to get involved. The FDA oversees the use of many medical devices. It has partnerships with several independent research firms to make sure consumers are being looked after. In fact, this past summer was the first time the FDA joined researchers to openly discuss concerns, during the Black Hat convention in Las Vegas in August.

FDA deputy director Dr. Suzanne Schwartz, with the Office of Strategic Partnerships and Technology Innovation, said the FDA will continue to work with cyber-security research teams like QED Secure Solutions. The agency also plans to return to the Black Hat conference next year.

But not all hacking is done by professionals. A new trend has emerged from insulin pump users.

“We know that people are purposefully hacking these pumps to create their own artificial pancreas, right? There’s a whole movement on this,” said Sulik.

People with diabetes override their own pumps to automatically provide insulin as a pancreas would. The Open Artificial Pancreas System project has been around for about two years. The goal is to teach safe and simple ways for people to manipulate this technology, including young people who have diabetes.

“As long as it’s safe, they’re not having lots of highs or lots of lows,” said Dr. Joshua Smith, a pediatric endocrinologist with the Rocky Mountain Diabetes Center. “If we want to check in with them periodically, we see them every three months, and as long as they are doing well… if the technology is working for them, I honestly don’t see a big problem with it.”

Click here for more about the open artificial pancreas system project.

The recalled Medtronic insulin pump models can be found here.

World Diabetes Day is Thursday, Nov. 14. The Rocky Mountain Diabetes Center is teaming with Broulim’s in Ammon to offer free screenings that day. Diabetes educators will also be on hand to answer questions and give healthy lunch ideas for kids. Stop by Broulim’s Thursday between 11 a.m. and 3 p.m.

News Team
