* Hackers could gain remote control of pumps, expert says
* Medtronic says risk of attack is ‘extremely low’
* Medtronic to boost security in next-generation devices
By Jim Finkle
BOSTON, Aug 25 (Reuters) - Medtronic Inc (MDT.N) acknowledged that security flaws in its line of implanted insulin pumps could allow hackers to remotely take control of the devices that dose insulin to diabetes patients.
But company officials said that the roughly 200,000 diabetes patients who use those devices need not worry about their safety because the risk of a cyber attack is extremely low.
“This would have to be a premeditated activity by somebody trying to cause harm to an individual,” said John Mastrototaro, a physician who serves as vice president of research and development for Medtronic’s diabetes division. “The likelihood of this accidentally happening is nil.”
The vulnerabilities, which are among the first to be reported in any type of medical device, were originally disclosed at a hacking conference in Las Vegas earlier this month by Jay Radcliffe, a cyber security expert who suffers from diabetes.
Radcliffe claimed that hackers can easily gain control of the devices, saying the devices have wireless communications systems that constantly monitor their surroundings for commands.
He stood on stage in a large conference room and hacked into a pump attached to his body that regularly provides him with carefully measured doses of insulin. The dramatic presentation was one of the talks that generated the most buzz at the annual Black Hat conference.
He originally did not identify Medtronic as the maker of the device, saying he wanted the company to have time to figure out a way to mitigate the vulnerability.
But he disclosed the company’s name on Thursday in a webcast sponsored by the Black Hat security conference, saying that Medtronic had downplayed the risk. He called on the public to pressure Medtronic to take action to make the devices safer, even though he said that the risk to any individual patient was extremely low.
“If you are a customer, demand that they take this situation seriously and be truthful,” he said.
Medtronic’s Mastrototaro said that he was taking action and had ordered closer scrutiny of potential security vulnerabilities in the company’s next-generation line of insulin pumps, which are currently in development.
“We have a lot of activities going around on this topic now,” he said.
He said it would be difficult to make changes to pumps already in use because of U.S. FDA regulations that require device makers to get agency approval before changing anything in their products, including issuing software patches.
Medtronic would likely have to recall each pump so that technicians could install the new software and check the equipment to make sure that it was still accurately delivering doses of insulin, he said.
Stuart McClure, a senior vice president with security software maker McAfee, said that the debate over cyber security of medical devices is likely to gain steam as researchers discover vulnerabilities in other types of equipment.
“All devices, including medical devices, can be hacked, and companies are foolish if they think their devices are immune,” said McClure.
McAfee this year recruited an elite squad of hackers and charged them with figuring out ways to hack into all types of electronics equipment, including heart pacemakers.
“Generally speaking, we know that there are medical devices with vulnerabilities,” he said. “Companies would be wise to address them, rather than denying they exist.” (Reporting by Jim Finkle; editing by Carol Bishopric)