EXECUTIVE SUMMARY:

Smart medical devices make a big impact on patients’ daily quality of life and on their treatment outcomes. However, like all devices that connect to the outside world, these pieces of technology are susceptible to manipulation. Vulnerabilities in smart medical devices leave users’ lives hanging in the balance, as they are prone to manipulation by malicious hackers.

Two researchers at security firm QED Security Solutions saw the threat posed to smart medical device users and decided to use their powers for good. Billy Rios and Jonathan Butts the vulnerabilities in Medtronic insulin pumps in August of 2018. Left unaddressed, this weakness in the pumps could give an attacker access control over patient insulin dosages, which could prove fatal.

However after months of repeated attempts by Rios and Butts, Medtronic had failed to address the flaws in their devices. So, the two decided to demonstrate that the severity of the problem demanded an immediate solution. To that effect, they built an Android app that would get the company’s attention; one that hacked the company’s device. By exploiting the unencrypted radio frequency communications of the devices, Rios and Butts were able to remotely take control of the pumps, essentially mimicking the remotes used by caregivers or medical professionals to program the devices’ dosages.

The FDA and Medtronic openly acknowledge the flaws in the pumps and the lack of a current web security. This case points to the general trend of security gaps in the smart medical device industry. Unsecured smart medical devices leave patients at risk, should someone with the right tools and bad intentions decide to alter the functions of the device. Manufacturers in the smart medical device industry will have to address this safety risk for users as smart device hacks continue to evolve.

To learn more about the vulnerabilities in medical devices and efforts to remedy them, please see this article.