Two federal lawmakers have asked the General Accountability Office to look into the security of medical devices after a researcher showed how he was able to hack his insulin pump and alter settings due to security flaws in the system.
Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA), members of the House Energy and Commerce Committee, asked the GAO this week to investigate the safety of medical devices that have built-in wireless communication capabilities and could be susceptible to such attacks.
“In bringing forward innovative wireless technologies and devices for healthcare, it’s critical that these devices are able to operate together and with other hospital equipment, and not interfere with each other’s activities and data transmissions,” the lawmakers wrote in their letter to the GAO. “It’s also important that such devices operate in a safe, reliable, and secure manner.”
Earlier this month, Jay Radcliffe, a computer security professional who is also diabetic, showed how an attacker could remotely control insulin pumps to deliver too much or too little insulin to the individual wearing the device.
Radcliffe, who conducted the research on his own pump and delivered his findings at the Black Hat security conference in Las Vegas, said that because his insulin pump doesn’t encrypt communication or require authentication from the systems that communicate with it, an attacker can sniff the traffic to study how the devices communicate, then devise commands to inject into the communication traffic to alter the insulin dosage. He also found that he could control what information is fed to a diabetic’s blood sugar monitoring device so the individual would think he’s receiving the right amount of insulin when he’s not.
“My initial reaction was that this was really cool from a technical perspective,” Radcliffe told the Associated Press. “The second reaction was one of maybe sheer terror, to know that there’s no security around the devices which are a very active part of keeping me alive.”
He noted that many other medical devices that use wireless communication and allow for remote-control access could have the same vulnerabilities.