Medtronic says that although it takes very seriously the information security of its devices, it doesn't believe the reported identification of flaws that could allow an attacker to remotely control insulin pumps should be reason for concern.
"We understand that there are no absolute certainties in information security. However, we also know that being vigilant in reviewing the external security landscape, designing our products with information security in mind and creating rigorous, complex safeguards will help ensure product security," Medtronic Minimed's director of PR told a blogger for Tudiabetes.org.
Many became concerned after security researcher Jay Radcliffe, who is ;diabetic, experimented on his own equipment and showed it could be attacked, resulting in diabetics getting too much or too little insulin. "My initial reaction was that this was really cool from a technical perspective," Radcliffe said, as quoted by the Washington Post. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."
But the Medtronic rep said that to the company's knowledge, "[T]here has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide."
Furthermore, Radcliffe "had in-depth knowledge about the product he tampered with, such as the serial number of both the insulin pump and remote device, and he TURNED ON the wireless feature. Additionally, he had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment," the PR director explained.
Medical device security has been in the news quite a bit over the past few years. Even back in 2008, researchers Tadayoshi Kohno and William Maisel published an academic paper showing that a combination pacemaker and defibrillator with wireless capabilities, the Medtronic Maximo DR, can be hacked.
- see the blog post