Date: 2011-08-26
* Hackers could gain remote control of pumps, expert says
* Medtronic says risk of attack is 'extremely low'
* Medtronic to boost security in next-generation devices
By Jim Finkle
BOSTON, Aug 25 Medtronic Inc (MDT.N)
acknowledged that security flaws in its line of implanted
insulin pumps could allow hackers to remotely take control of
the devices that dose insulin to diabetes patients.
But company officials said that the roughly 200,000 diabetes
patients who use those devices need not worry about their
safety because the risk of a cyber attack is extremely low.
"This would have to be a premeditated activity by somebody
trying to cause harm to an individual," said John Mastrototaro,
a physician who serves as vice president of research and
development for Medtronic's diabetes division. "The likelihood
of this accidentally happening is nil."
The vulnerabilities, which are among the first to be
reported in any type of medical device, were originally
disclosed at a hacking conference in Las Vegas earlier this
month by Jay Radcliffe, a cyber security expert who suffers
from diabetes.
Radcliffe claimed that hackers can easily gain control of
the devices, saying the devices have wireless communications
systems that constantly monitor their surroundings for
commands.
He stood on stage in a large conference room and hacked
into a pump attached to his body that regularly provides him
with carefully measured doses of insulin. The dramatic
presentation was one of the talks that generated the most buzz
at the annual Black Hat conference.
He originally did not identify Medtronic as the maker of
the device, saying he wanted the company to have time to figure
out a way to mitigate the vulnerability.
But he disclosed the company's name on Thursday in a
webcast sponsored by the Black Hat security conference, saying
that Medtronic had downplayed the risk. He called on the public
to pressure Medtronic to take action to make the devices safer,
even though he said that the risk to any individual patient was
extremely low.
"If you are a customer, demand that they take this
situation seriously and be truthful," he said.
Medtronic's Mastrototaro said that he was taking action and
had ordered closer scrutiny of potential security
vulnerabilities in the company's next-generation line of
insulin pumps, which are currently in development.
"We have a lot of activities going around on this topic
now," he said.
He said it would be difficult to make changes to pumps
already in use because of U.S. FDA regulations that require
device makers to get agency approval before changing anything
in their products, including issuing software patches.
Medtronic would likely have to recall each pump so that
technicians could install the new software and check the
equipment to make sure that it was still accurately delivering
doses of insulin, he said.
Stuart McClure, a senior vice president with security
software maker McAfee, said that the debate over cyber security
of medical devices is likely to gain steam as researchers
discover vulnerabilities in other types of equipment.
"All devices, including medical devices, can be hacked, and
companies are foolish if they think their devices are immune,"
said McClure.
McAfee this year recruited an elite squad of hackers and
charged them with figuring out ways to hack into all types of
electronics equipment, including heart pacemakers.
"Generally speaking, we know that there are medical devices
with vulnerabilities," he said. "Companies would be wise to
address them, rather than denying they exist."
(Reporting by Jim Finkle; editing by Carol Bishopric)