June 15, 2011 at 7:46 AM ET
Wireless electric medical devices are getting sleeker and smarter, but their security and privacy features are lagging behind.
Security experts showed on Tuesday that an insulin system, consisting of a wireless insulin pump in combination with a glucose monitor — worn by hundreds of thousands of diabetics in the US — is vulnerable to hack attacks. Using off-the-shelf hardware, the user manual and publicly available information, the scientists tapped into information on the system — like insulin dosage and glucose readings. With the PIN access code of the device, they showed that they could also wirelessly control the dosage of insulin.
Though wireless security is a well trodden path when it comes to cellphones and home routers, tackling the issue for a medical device is a whole different ball game.
"Not all [security] solutions will carry over to medical devices," Anand Raghunathan, one of the lead researchers, told me. "That’s where the innovative thinking needs to be."
Medical devices are getting smaller and lighter, so that they are easily worn and carried around, and additional security features would put an additional strain on the battery power and size. It's also possible that they'd cost more. Those are issues device manufacturers will have to grapple with.
In the new paper, the researchers propose two possible "concept stage" suggestions for security fixes. One way would be to use rolling codes — a cryptography feature already used by garage doors and automotive keyless entry systems.
Another way to make the communication system secure, they say, is to use a technology called body-coupled communication that uses the human skin as a wave guide for wireless communication. This keeps the range of detection very close to the body, decreasing the likelihood of interception. That's just a start.
"We’d like to dig deeper into this area and provide more solutions," said Niraj Jha, another lead researchers on the study.
The FDA and device manufacturers are aware of such security issues. "The paper highlights some of the issues we’ve been talking about with the FDA," says Nathanael Paul, a researcher at the University of Tennessee and the Oak Ridge National Labs, who's also been working on security of medical devices like insulin pumps. Paul, a diabetes patient himself, says he has been on panels with the FDA and device manufacturers as early as March 2010, talking about the issue of insulin pumps.
The insulin pump/glucose monitor hack isn't the first time a medical device has been compromised. Three years ago, another group of security researchers hacked into and took over a combination heart defibrillator and pacemaker, made by Medtronic, a manufacturer specializing in heart implants. At a research conference, the researchers showed that they could shut it down and reprogram it to deliver potentially lethal shocks — if the device had been in a person.
"Today we’re starting to see medical devices become more communicative and sophisticated, and as technology changes, new security issues tend to arise" said Tadayoshi Kohno, a University of Washington security researcher and a lead researcher on the pacemaker hack. "So our goal back then in 2008, and similar research today, is to understand what the risk is, before it becomes a threat."
The pacemaker escapade is what got Niraj Jha and Anand Raghunathan thinking about security on other medical devices, and the two authors share Kohno's view. With their new study, they say they hope to raise awareness of security risks that arise as medical devices get smarter.
The new study was carried out by Chunxiao Li and Niraj Jha of Princeton University, and Anand Raghunathan from Purdue University. Though the researchers would like to get device manufacturers and researchers working on this problem, they are clear that the devices are by no means unsafe to use. "If I was in a situation tomorrow where I needed to get such a device, then I would go ahead and get it," said Raghunathan. "In my evaluation the benefits outweigh the risks."
The authors won't reveal the name of the manufacturer of the insulin pump system, but Nate Paul says he uses the same one. "I have used that same manufacturer for ten years, and I intend to continue using that pump until the warranty expires," he said.
The next generation of insulin pumps is looking pretty sharp. The Artificial Pancreas Project, for example, is working on a device that will automatically adjust the wearer's insulin dosage based on real-time changes in blood glucose levels. When the device does make it into the market, security is something its manufacturers will want to take note of.
This website, maintained by Nathanael Paul and Tadayoshi Kohno, has more information on diabetes management technologies and security.
More on security from msnbc.com: