Connected Medical Device Makers Are Challenged to Provide Better Security

The concept of secure medical devices might still be a nascent one, but it has the medical device industry scrambling to build device security into the new product development process and to do vulnerability testing.

January 14, 2016

Back in 2011, a security researcher named Jay Radcliffe took to the stage at the Black Hat security conference in Las Vegas and hacked into his own insulin pump, demonstrating how a remote user could potentially deliver a fatal dose of insulin to an unsuspecting diabetic.

It was a dramatic way to show the medical device industry how insecurity of devices could lead to life-threatening situations, and one of the first times the security of medical devices was called so publicly into question.

It’s four years later and Radcliffe is now a senior security consultant and researcher at security startup Rapid7, which provides technology that collects data and performs security analytics. But the medical device industry is still feeling reverberations from his insulin pump hack as it’s still grappling with the concept of security -- something that typically has not been considered in the design of these devices -- especially in the context of the Internet of Things and the growing connectedness of medical devices to smartphones and other networked systems.

“I just thought I would give a nice little talk, but it turned out to be quite bigger than that,” Radcliffe told Design News of his presentation back in 2011. “It turned out to be quite a large story because people didn’t realize these medical devices were so exposed. Since then it’s thrust me involuntarily into an advocacy role on medical device security and the Internet of Things.” Radcliffe was a keynote speaker at the Designers of Things conference in San Jose, organized by UBM, the parent company of Design News.

To be fair, with devices like Radcliffe’s insulin pump, the risk of someone actually wanting to or being able to successfully hack into it would be very small, he said. However, as next-generation devices roll out with more network connectivity to communicate with mobile devices and other things on the IoT, the risk becomes greater.

“When we open that door and have these devices communicate through your cell phone or over the Internet network … now we’re talking about a much larger threat,” he said.

Indeed, Radcliffe’s hack capably demonstrates a problem that comes with the increased sophistication and networking capability of medical devices, which, paradoxically, is also one of the reasons these devices aren’t better secured, according to another security researcher.

“Very few of these devices are developed with security in mind,” said Andrey Pozhogin, senior product marketing manager at Kaspersky Lab North America. “This is partially because technology used for communication with devices is also viewed as a protective limitation, [since] getting data off the device either requires tethering or at least a physical location of the device on a short distance from a control device, such as a laptop or a mobile device.”

The relationship between doctor and patient -- which already establishes a basis of trust between the two -- also is contributing to the inherent insecurity of medical devices, since patients tend not to think about it and so don’t hold doctors or medical facilities to any accountability standards, he said.

“There’s also implied trust from a patient to a doctor and thus the enabling technology, or rather specific device implementations, are not questioned by patients,” Pozhogin said.

As the threat Radcliffe illustrated four years ago persists, industry experts are calling on device makers to design security directly into devices as well as take other preventative measures to ensure devices are secure.

The Current State of Security

Scott Erven is another prominent researcher who’s taken a deep dive into medical device security, also with some troubling results for the industry.

Erven, now associate director at business consulting firm Protiviti, previously worked as head of information security for Essentia Health, which operates about 100 facilities that include hospitals and pharmacies in the Midwest. In 2012, Erven began a security evaluation of those facilities and found serious vulnerabilities across myriad devices, research that resulted in a call to medical device manufacturers to build cybersecurity directly into devices.
