U.S. lawmakers alarmed over risks of insulin pump hacks

Lawmakers ask Government Accountability Office to look into report that researcher could hack his wireless-based lifesaving medical equipment.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Two members of the U.S. Congress are asking government auditors to investigate the security risks of wireless medical devices, after they learned of a security researcher who found he could remotely control his own insulin pump and blood-sugar monitor.

Representatives Anna G. Eshoo, a California Democrat, and Edward Markey, a Democrat from Massachusetts, senior members of the House Energy and Commerce Committee, sent a letter to the Government Accountability Office earlier this week asking the GAO to examine whether the Federal Communications Commission is ensuring that new medical devices and implants that use wireless technology can't be tampered with.

"In bringing forward innovative wireless technologies and devices for health care, it's critical that these devices are able to operate together and with other hospital equipment, and not interfere with each other's activities and data transmissions," their letter says. "It's also important that such devices operate in a safe, reliable, and secure manner."

Their letter was prompted by an Associated Press article that describes how a security researcher who is diabetic found that his insulin pump could be reprogrammed using a device that communicates with the pump remotely. Jay Radcliffe, who discussed his research in a session at the Black Hat conference two weeks ago, also said he found that his blood-sugar monitor could be tampered with.

An attacker would need to be within a few hundred feet to hack the insulin pump, but could be up to a half-mile away, using a powerful antenna, to interfere with the blood-sugar monitor, according to Radcliffe.

"My initial reaction was that this was really cool from a technical perspective," Radcliffe said in the report. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."

While this blog post notes that Radcliffe was using a remote control feature that is not always turned on, he had been able to change settings and pause the pump.

This isn't the first warning about the vulnerability of medical devices to hacking. In 2008, a group of researchers discovered that some implantable cardiac defibrillators could be remotely controlled and monitored by specialized wireless devices in the patient's home.