Increased Connectivity of Medical Devices Poses New Security Threats

In 2011 a security researcher named Jay Radcliffe took to the stage at the Black Hat security conference in Las Vegas and hacked into his own insulin pump, demonstrating how a remote user could potentially deliver a fatal dose of insulin to an unsuspecting diabetic.

It was a dramatic way to show the medical device industry how the insecurity of devices could lead to life-threatening situations. Little did Radcliffe know it would be the hack heard around the world as it was one of the first times security of medical devices was called so publicly into question.

"I just thought I would give a nice little talk, but it turned out to be quite bigger than that," Radcliffe recently told Design News. "It turned out to be quite a large story because people didn't realize these medical devices were so exposed. Since then it's thrust me involuntarily into an advocacy role on medical device security and the Internet of Things (IoT)."

It's four years later and Radcliffe is now a senior security consultant and researcher at security startup Rapid7, which provides technology that collects data and performs security analytics. But as he mentioned, he also speaks openly and makes consultations about medical device and IoT security, two things that are beginning to merge as medical devices become more connected, digitized, and even wearable. This union also is making medical devices more vulnerable to security risks, which means designers of these devices must begin to develop them with security in mind.

Radcliffe will be discussing these topics in December at the UBM Canon Designers of Things and BIOMEDevice events that focus on technology innovation in the medical industry, wearable technology, 3D printing and the IoT. The events will take place December 2-3, 2015 at the San Jose Convention Center in San Jose, Calif.

While Radcliffe's insulin pump caused quite a stir, the risk of someone actually wanting to or being able to successfully hack into a medical device like that would be very small, he told us. "These type of attacks usually have to be from within 15 to 20 feet and require an immense amount of technical ability," Radcliffe said. "You can't do it from remote locations.

However, as next-generation devices roll out with more network connectivity to communicate with mobile devices and other things on the IoT, the security risk becomes greater.

"Next-generation devices are becoming more tied in," he said. "They will hook up to your iPhone and send data to your cloud, so doctors can make adjustments from the golf course or another location. When we open that door and have these devices communicate through your cell phone or over the Internet network, now we're talking about a much larger threat."

What to do about securing these devices is what the medical industry is grappling with at the moment. While the Food and Drug Administration (FDA) oversees the approval and viability of medical devices, they aren't taking responsibility for the technology and its growing sophistication, Radcliffe said. The agency has offered guidelines for security but so far has been hesitant to lay down any clear ground rules since it's not their typical area of expertise, he said.

This leaves the job of securing medical devices up to those building them, which also has its challenges because medical device manufacturers don't tend to be security experts, Radcliffe said. To help them, they're reaching out to researchers like Radcliffe and others to help them design security into devices that go beyond mere encryption to meet the potential sophistication of future threats, he said.

READ MORE ARTICLES ON MEDICAL TECHNOLOGY:

"With the complexity of things now, you can't just read a book and add a couple of passwords and be secure," Radcliffe said. "You need to seek out specialization to hire people or seek out specialization and really invent that security throughout the development and design process."

This type of need will grow as the IoT and its effect on medical devices makes them more vulnerable and thus more in need of security, Radcliffe said. And while risks include data leaks that could lead to issues of privacy or financial loss, there also in the future could be risks associated with patient health and welfare if these devices are hacked, he said.

Radcliffe cited an example of a birth control implant device for women that's being funded by the Bill and Melinda Gates Foundation. The device -- which can provide birth control for up to 10 years -- will be wirelessly enabled or disabled, which could lead to potentially life-threatening security scenarios.

"If it's all remote controlled and someone wanted to turn it on when a woman is already pregnant, or turn it off when she would like to have it on, those would be very bad things," Radcliffe said. "To have that kind of connectivity and remote control of a device of this kind is a concept we need to be very cognizant of."

Still, while there are security risks that surround existing and future medical devices, that doesn't mean people should be wary of using them, as the health benefit of devices still outweigh the risk, Radcliffe said. He said people often ask him if they should use or let their children use devices like insulin pumps due to their inherent insecurity. "I always tell people that ask, 'Do what's best for your health,'" Radcliffe said.

Elizabeth Montalbano is a freelance writer who has written about technology and culture for more than 15 years. She has lived and worked as a professional journalist in Phoenix, San Francisco, and NYC. In her free time she enjoys surfing, traveling, music, yoga, and cooking. She currently resides in a village on the southwest coast of Portugal.

Like reading Design News? Then have our content delivered to your inbox every day by registering with DesignNews.com and signing up for Design News Daily plus our other e-newsletters. Register here!

Design News will be in Orlando in November! Design & Manufacturing South will be in Orlando Nov. 18-19. Get up close with the latest design and manufacturing technologies, meet qualified suppliers for your applications, and expand your network. Learn from experts at educational conferences and specialty events. Register today for our premier industry showcase in Orlando.