Recently we discussed the cyber-susceptibilities of electronic health records. While that article focused primarily on the phenomenon of ransomware, the vulnerabilities of many of our medical devices was discussed briefly. To recap our point, many medical devices are essentially small computers. They are very task specific, to be sure, but they operate using software that is very to similar to that in your computer or phone.
Two years ago, cybersecurity expert Barnaby Jack demonstrated a technique for accessing insulin pumps. In a demonstration at a security conference, Jack was able to force an insulin pump to deliver what would be a lethal dose of insulin. He later showed such an act is possible from up to 300 feet.
A year later, scoffing at a plot line from a popular television show, Jack demonstrated the ease with which a pacemaker could be forced to deliver a lethal jolt of electricity. In the demonstration, if you are wondering, he forced the device to deliver 830 volts, and that could easily result in a fatal event.
To be sure, Jack was not the first to hack an insulin pump. Jerome Radcliffe famously demonstrated the vulnerability of his own insulin pump - he is a diabetic - after once joking about his concerns that someday a "hacker was going to break into my pump, [and] give me a dose of insulin that I didn’t need..." Radcliffe sounded the alarm bell for medical device security after this, leading to congressional hearings on the matter.
In 2015, Motherboard magazine sounded the alarm bell loud and clear - Ransomware is coming to medical devices. The Motherboard article proclaimed "This is year zero for the health care industry and cyberattacks." Bloomberg Businessweek had an excellent piece at the time, decrying the ease with which medical devices could be hacked.
The future is now. Today Johnson and Johnson, whose subsidiary Animas produces the One Touch Ping Insulin Pump, announced the pump is vulnerable to hacking. This is months after it was first announced on the Rapid7 blog of Jerome "Jay" Radcliffe. The pump uses a wireless remote that is intended to be discrete and convenient. Rapid7 noted the communication between the remote and the device was not encrypted - the data between the remote and the pump are not encrypted.
Radcliffe posts a detailed chronology of his interaction with the device manufacturer, detailing his earliest communication with Animas about their pump. When was that first notification? April 2016. Six months later, the defect is disclosed. The timeline below is from the Rapid7 website.
This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy.
Thu, Apr 14, 2016: Attempted to contact the vendor at email@example.com, firstname.lastname@example.org, and several other aliases at both domains.
Thu, Apr 21, 2016: Details disclosed to the vendor at email@example.com (PGP KeyID: 0xEC69B12DFF06A1CA)
Mon, Apr 25, 2016: Animas initiated complaint handling process
Fri, May 06, 2016: Further clarified details with vendor
Mon, May 09, 2016: Details disclosed to CERT
Thu, Jun 16, 2016: CVEs assigned by CERT
Jul-Sep, 2016: Worked with Animas on validating the reported vulnerabilities
Wed, Sep 21, 2016: Mitigations provided by the vendor
Tue, Oct 04, 2016: Public disclosure
Reproduced from Rapid7
This episode hammers home yet again the importance of cybersecurity in healthcare. Who knows what the next vulnerability will expose - or how many might be harmed by it.
Cybersecurity is a serious matter. At Spiers Group, we work with industry professionals to help healthcare providers meet these challenges. Contact us today to discuss how we can help you.