- Tools & Templates
- Security Jobs
- Data Protection
- Identity & Access
- Business Continuity
- Physical Security
- Security Leadership
The sober lesson of an Insulin pump hack
I don't say this to be an alarmist. In my opinion, there's no reason for FUD over this. It's just a simple acknowledgement that this is something the security community is going to have to deal with, just as we have to deal with the constant threat of storms, earthquakes, power grid failures and terrorist attacks.
It's another fact of life we calmly need to factor into our security plans.
In the case of this hack, revealed this week by McAfee and based on weaknesses in the Medtronic pump discovered by researcher Barnaby Jack, Medtronic and other makers of medical technology have to be on guard for weaknesses that can be exploited to risk lives. Eventually, in my opinion, someone will probably die from this kind of hack. It may take several years, but the risk is real. Here's the deal with the pump hack, as outlined in this Reuters report:
Medtronic Inc has asked software security experts to investigate the safety of its insulin pumps, as a new claim surfaced that at least one of its devices could be hacked to dose diabetes patients with potentially lethal amounts of insulin. While there are no known examples of such a cyber attack on a medical device, Medtronic told Reuters that it was doing "everything it can" to address the security flaws.
Security software maker McAfee, which has a health industry business, exposed the new vulnerability in one model of the Medtronic Paradigm insulin pump on Friday and believes there could be similar risks in others. Medtronic and McAfee declined to say which model is involved or how many such pumps are currently used by patients. It has two models of insulin pumps on the market and supports six older versions, with about 200,000 currently in use by patients.
The finding points to a broader issue -- the potential for cyber attacks on medical devices ranging from diagnostic equipment to pumps and heart defibrillators, which rely on software and wireless technology to work.
"This is an evolution from having to think about security and safety as a healthcare company, and really about keeping people safe on our therapy, to this different question about keeping people safe around criminal or malicious intent," Catherine Szyman, president of Medtronic's diabetes division, said in an interview.
It's good to see Medtronic isn't taking this lightly, though other researchers have accused them of doing just that in recent months.
Meanwhile, if you make cars, you now have to account for the possibility that someone someday will try to exploit weaknesses in automobile computing in a way that could leave someone dead on the road.
This is the world we live in now. Don't freak out about it. Just see it for what it is and plan accordingly.
CSO's Daily Dashboard gives you a one-stop view of latest business threats. We created it for you! Bookmark it! Use it!
Get your morning news fix with the daily Salted Hash e-newsletter!
Thanks to cloud computing, your business data is everywhere and being accessed by everyone. Making the wrong decision to protect your data can result in high costs, increased risk and executive exposure. View this live webinar on cloud security and the evolving data center, and learn why a data-centric approach to security is the best bet for today's virtual environment.
- Continuous Monitoring and Mitigation -- the New InfoSec Frontier
- RSA Security Analytics Case Study
- Prevent Mobile Devices from Loading Dangerous Code
- Expanding Your Security Perimeter: Common Sense for Navigating Today's Threat Landscape
- VMware Cloud Credits Program
- Insights from the 2013 IBM Chief Information Security Officer Assessment