1(630)802-8605 Ravi.das@bn-inc.net

Just in the last week or so, along with the hot and humid weather (not complaining here, given that there was a 100 degree just 6 months with the polar vortex), Chicago has been rocked with some powerful thunderstorms. 

For some reason or another, where I live, which is in the western suburbs, the electrical cabling that provides electricity to my apartment building cannot withstand even the slightest of strong winds.  Basically, with anything from 40 mph on up in terms of wind, we lose power here.

The worst of it came last weekend, when I was doing a podcast.  The power flickered on and off, but fortunately there was no long-term outage.  True, my laptop and iPhone will just revert to their respective batteries, but they last for only a few hours.  After this experience, I started to think again about just what would happen if there is really a long-term power outage.

I am not talking about just a few hours – I am talking about days, or even weeks.  Of course, this could be brought on by a natural disaster such as a tornado, but what if this was the work of a Cyberattack? 

What if it didn’t just impact the water supply, what if the flow of water stopped, and we ran out of gasoline at the pumps?  This would be a nightmare much worse, of course, than what I had just written about.

But this scenario only underscores just how much, as an American society, we have come to expect things to work on demand.  And if they don’t, a sense of paralysis will often strike us.  This is especially true when it comes to technology – if anything happens to our smartphone or other type of wireless device, we really feel out of order.

Keep in mind that Cyberattacks don’t just compromise our IT Infrastructures – they can, and most likely will, impact our critical infrastructure, just as I have described. But the buck does not stop here for the Cyberattacker.  They are now going after something just as critical, or even more so – individual medical devices that are connected electronically to us – whether internally or externally.

For instance, many Americans are dependent upon their pacemaker that has been implanted near their heart.  The idea here is that it will keep the heartbeat in a normal rhythm in case it goes out of whack. Or a patient may have to be connected to a dialysis machine for certain periods of time. 

All of these have some sort of electrical connection that is associated with them – and when this exists, it is just another attack surface for the Cyberattacker, as reprehensible as it sounds.

Now these fears are being extended to yet another part of the medical realm – the insulin pump.  In a dire warning issued by the United States Food and Drug Administration (FDA), it has notified both patients and their respective healthcare providers of Cybersecurity vulnerabilities that have been found with the Medtronic MiniMed insulin pump.

Essentially, these devices are being recalled, and in exchange, people who are dependent upon them will receive another comparable device which is deemed to have better layers of protection.

So, what are the vulnerabilities that have been discovered?  It all comes down to the wireless communications that take place between Medtronic’s MiniMed insulin pumps and the other devices that are used in conjunction with them, such as:

* The blood glucose meters;

* The continuous glucose monitoring systems;

* The remote controller and CareLink USB devices used with the Medtronic pumps.

The primary concern, and even fear, is that a Cyberattacker could very easily connect to one of these Medtronic insulin pumps and covertly change the settings, even putting the patient’s life at great risk.

The result is that insulin could be over-delivered to the patient, which can mean that their blood sugar level will be drastically reduced (this is known as “hypoglycemia”).  Or, the opposite can happen, in which the flow of insulin is totally shut off, which can result in a lethal buildup of acids in the patient’s body (this is called “ketoacidosis”).

The specific pumps that have been identified as potential targets for the Cyberattacker are the Medtronic line of MiniMed 508 insulin pumps and the MiniMed Paradigm series insulin pumps.  So far, a little over 4,000 patients have been identified as using these products, and they are strongly urged to contact Medtronic immediately and get them replaced ASAP.

My Thoughts on This

I think last year sometime, I wrote another blog posting about this very same issue, but it had to do with pacemakers.  Fortunately, since then, this is only the second or even third story I have come across like this.  But despite this, I find this to be completely reprehensible. 

It’s one thing to take down the servers of a restaurant chain through a DDoS attack and steal credit card information, but it is another thing when you are literally putting a person’s life in danger, who has done nothing against the individual who is perpetrating these attacks.

I would even think that a Cyberattacker would have some ethics to themselves, and not even stoop to this level, but I guess it is now possible.  But this is just one scenario.  Imagine if this was magnified on a large scale, to an entire hospital or hospitals?  I am talking from my own experiences.  I too am a heart patient, even had bypass surgery, and was even connected to a pacemaker 24/7 for a couple of days.

Who is to stop a Cyberattacker from entering an ICU unit, claiming to be a nurse or other medical professional, and covertly tampering with these settings wirelessly?  There is really nothing, because hospitals, while they might be focused heavily upon digital security, are still heavily lacking when it comes to ensuring strong levels of physical security.  Of course, this is an extreme scenario, but it could very well happen at random.

More than likely, in the case of the Medtronic insulin pumps, it is probably the RFID wireless connection that is being used.  This is one of the de facto standard network protocols in use, and unfortunately, it offers no level of encryption whatsoever.  As much as the healthcare providers need to keep their guard up, so do the vendors that make these products.

Going forward, they need to make sure that their medical device product lines are implemented with the latest layers of security in them, and this includes using encrypted wireless communications.  Also, the patients, unfortunately, need to keep their guard up as well.  In this regard, they should be asking their respective healthcare provider if the medical devices they are currently using are updated with the most recent software upgrades and patches.  These are only the bare minimum steps that need to be taken, and of course, much more needs to be done.

But this is only a reflection of the times that we are predicted to live in – where everything is connected to one another, in the world called the “Internet of Things”, or “IoT”.  Love it or hate it, there is not much we can do to change this harsh reality.