From The Editor | August 10, 2011

The Medical Device Hacking Threat

Ken Congdon, Editor In Chief of Health IT Outcomes

By Ken Congdon, editor in chief, Health IT Outcomes

Wireless medical devices have the potential to revolutionize the delivery of care, particularly for the real-time and remote management of chronic diseases such as diabetes. Evidently, these devices are also susceptible to attacks by hackers, which can ultimately result in the death of the patient.

This troubling revelation hit the wire last week after a presentation by security expert and Type 1 diabetic Jerome Radcliffe at the Black Hat Security Conference in Las Vegas. Radcliffe wears a wireless insulin pump around the clock to keep his blood sugar level in check. With his security background, he wondered how easily these wireless devices could be compromised by outside influences. He attempted to hack into his own insulin pump … and succeeded. Once he hacked into the device, Radcliffe realized he could reconfigure the device settings and change the amount of insulin it injected into his body without leaving a trace of what he'd done. During his presentation, he outlined how these types of untraceable attacks could be launched against not only wireless insulin pumps, but also wireless pacemakers and defibrillators from distances of up to a half mile. Compromising these devices in such a fashion could result in insulin overdose/underdose, heart attack, or heart failure — a grave potential risk of embracing technology to aid in your treatment.

How Probable Are Medical Device Attacks?
Now that we know that wireless medical devices are susceptible to hacking, how probable is it that these types of attacks will occur. According to numerous sources, the threat seems small. For example, IT expert Scott Hanselman recently referenced Radcliffe's hack in his blog. He said that while Radcliffe did intercept signals from the pump, which indicates a risk, he wasn't able to hack into the device itself and reprogram it without the serial numbers from the device itself. "This is like saying I can open your garage door with a third-party garage door opener. Just give me the numbers off the side of your unit," says Hanselman.

Other industry experts point out that the potential for medical device hacks is nothing new. In 2008, University of Washington researcher Yoshi Kohno demonstrated that he could take control of a patient's pacemaker and/or defibrillator and deliver deadly shocks to its user.

While they may not be imminent, the threat of wireless medical device attacks can put patients' lives at risk. Radcliffe's research reinforces the urgency for addressing these security issues at the government and manufacturer level. However, landing on a solution could be a lengthy process as it will likely involve several parties, particularly if it involves a national policy on spectrum allocation.

Have a comment or feedback for Ken on this article? He can be reached directly at