Medical Device Hackers Find Government Ally to Pressure Industry
Two years ago, Jay Radcliffe discovered a software bug in his insulin pump that could allow hackers to take remote control of the device. The diabetic and computer security researcher went public with his findings at a hacker conference after the manufacturer, Medtronic Inc., didn't respond to him.
His actions led some diabetics to accuse him of endangering their lives by providing a blueprint for an attack. He said all he wanted to do was put pressure on the company and help fix an important safety issue.
Now, Radcliffe has a new pump, a potentially new safety issue to disclose, and what he said is a powerful new ally in forcing medical device makers to address his concerns: the U.S. Food and Drug Administration, which is encouraging hackers to submit security bugs to the agency.
"We've come a long way in two years," said Radcliffe, who will be speaking at the Black Hat security conference in Las Vegas next week. "Everything that's occurred in the last two years, as painful as it's been at times, has really gotten us to a position where we can make these devices safer."
Radcliffe claims his new pump, made by Animas Corp., has a flaw that can cause incorrect dosage levels of insulin. The company, which is a division of Johnson & Johnson, disagrees strongly with the severity of the issue he uncovered and doesn't think the device needs to be fixed. Nevertheless, Radcliffe said going through the FDA forced a high-level discussion with the company that may not have been possible before.
Although there are no known incidents of patients being harmed from hacking attacks against their medical devices, the potential for that is growing as more medical products feature wireless connections, according to Bill Maisel, deputy director for science at the FDA's Center for Devices and Radiological Health.
"It's not hard to see where the technology is going," he said. "It's not just about the vulnerability in the one implantable device the researcher was able to get into. We're headed to interconnectedness, to connected health care."
The agency doesn't force device makers to respond directly to complainants, but it does require that companies reply to the FDA within 45 days of being notified of a complaint, Maisel said. That often means the companies will contact the complainants first to gather information.
To mitigate security threats, medical device makers such as Medtronic and Animas have hired hackers to probe their products. Medtronic did not immediately respond to a request for comment.
Few hackers have worked with the FDA because until recently, few were looking at the security of medical devices.
Last year, Barnaby Jack, a security researcher with IOActive, showed he could force some Medtronic pumps to dispense fatal insulin doses from up to 300 feet away. He also has a Black Hat talk planned this year on a new vulnerability in wireless pacemakers and defibrillators. Jack said he notified the FDA in both cases.
"It's been primarily positive," he said. "They don't have the expertise on board to be able to make a thorough check, but they're certainly open to hearing about vulnerabilities. They certainly open the right doors for us."
Radcliffe, a senior security analyst with InGuardians, said he did not know in 2011 how to alert the FDA about his findings. A meeting earlier this year with agency officials convinced him to try disclosing his latest finding to the government.
In his complaint to the FDA, Radcliffe claims his Animas pump inaccurately calculates the amount of insulin to dispense after the battery is changed. The pump does not automatically factor in the amount of insulin it dispensed immediately before the battery was removed, he said.
That issue led to dosing errors that caused him to experience two low-blood-sugar episodes, which can be fatal, Radcliffe said.
The pump is designed to reset insulin levels following a battery change, said Brian Levy, medical director at Animas. The patient's insulin history is still stored on the device, and instructions for recalibrating the machine are in the owner's manual, he said. The company does not plan to make any changes.
Radcliffe said he's unsatisfied with the response and intends to push the company in public and private to fix the issue.
Regardless of the outcome, Radcliffe said having the FDA complaint strengthens his case and creates a paper trail of his attempts to get the issue addressed. He said he wants other hackers to learn from his experience.
"The FDA is very well-equipped for this now," he said. "I think two years ago, researchers would have had the same difficulties that I ran into. It was just not on anybody's radar."