US medical equipment giant Medtronic has initiated a massive recall of its industry-standard insulin pumps after researchers found serious and unpatchable security flaws in the devices.
The company sent recall letters to American users of its MiniMed 508 and Paradigm series insulin pumps, a warning that was followed up by the US Food and Drug Administration (FDA), which issued its own alert.
According to the FDA, Medtronic has identified 4,000 US patients and an unknown number of patients in other countries. Medtronic insulin pumps are available in the UK, though it isn’t clear yet whether the affected devices are being used here.
The recalled pumps are older 2012 models that Medtronic stopped selling in October 2018.
Wireless medicine
Insulin pumps deliver insulin through a catheter implanted under the patient’s skin. They remove the need for people with diabetes to undertake painful, regular injections of insulin needed to stabilise blood glucose levels.
In order to work, the pumps have to connect via Bluetooth to the sensor in a glucose monitor.
The devices communicate using a Bluetooth USB dongle which plugs into a computer and lets patients send their dosing commands wirelessly to the pump, while also sharing data with their health provider.
Neither Medtronic nor the FDA is saying specifically what the exploit is, only that the vulnerability lies in the wireless transfer of data.
Someone besides the patient could potentially connect wirelessly to their insulin pump and change its settings.
More to the point: a hacker could tamper with the system to over- or under-dose the patient, with serious health consequences.
Earlier this year, Medtronic issued a separate alert when researchers uncovered vulnerabilities in the wireless protocol used by the company’s implantable heart monitors.
Hacking healthcare
Cyber-attacks on healthcare organisations are on the rise.
- Just this week the St John Ambulance service was hit by a ransomware attack – an attempt at blackmail which they have bravely decided to resist.
- A survey of healthcare CSOs and CISOs by security analysts Carbon Black found that sixty-six percent thought cyber-attacks had become more sophisticated over the past year.
- According to data collected by the UK’s Information Commissioner’s Office (ICO), 43 percent of data breaches target healthcare organisations.
- A report by Ponemon and IBM found that breaches in healthcare cost twice as much as those in other industries, at ca. £325 per stolen record.
Why target healthcare over, say, banking? Often criminals are looking for information that can be used to manufacture a fake medical background.
Fraudsters use information like insurance documents, medical diplomas, doctor licenses, and DEA licenses to steal doctors’ identities. They then submit bogus claims to the NHS or a private medical provider/private insurer for high-end surgeries.
In other cases the motivations aren’t so clear. It’s not a huge stretch to imagine someone using unauthorized access to a medical device to threaten a victim as part of a robbery, or as a weapon to exact revenge.
Privacy is another serious concern. Information drawn from medical devices could be used for blackmail, or by nation state actors as leverage to obtain sensitive information from the targeted individual.
When breaches go from digital to physical
The potential for life-supporting medical devices to be breached is a stark reminder that the vulnerabilities in computing systems can extend beyond data loss and financial fraud.
Hacks can and do make the leap from the virtual to the offline world. Today’s automobiles, for example, contain more than 100 million lines of code. The electrical control units in passenger cars are part of a network contained within each vehicle. If a hacker were to gain access to it through a vehicle’s wireless communication system, vehicle functions could potentially be manipulated:
- In 2015, researchers proved that they could take control of a Jeep Cherokee remotely and send it off the road.
- That same year, hackers found a weakness in BMW’s ConnectedDrive technology and exploited it to take control of vehicle functions.
- In 2016, hackers proved they could break into Volkswagen electronic keys and security systems to unlock vehicles remotely.
Experts have also been warning about vulnerabilities in air traffic control systems since at least 2015.
There hasn’t been a documented case yet of hacked medical devices causing anyone harm, and fanning the flames of fear helps no one. At the moment, breached insulin pumps and pacemakers, compromised air traffic systems, and hacked SUVs are more a potential than an imminent threat.
But Medtronic’s recall is another reminder of how closely embedded in our lives the digital world has become, from connected catheters under the skin to internet of things (IoT) technology in everything from manufacturing systems to kitchen appliances.
Connectivity makes healthcare more convenient and business more efficient, but it also adds more vectors of attack for cybercriminals.
There’s no body armour for a breach, so awareness of the potential risks in all the systems and gadgets we utilise at home and at work is essential for protecting privacy, securing systems, and even staying safe.