The following answers several frequently asked questions about insulin pump system security and privacy research.
What is an insulin pump system?
An insulin pump system is an implantable medical device that is used for diabetic therapy. Diabetes is a disease that affects millions of Americans. The most common form of diabetes is type 2, although most patients with type 2 diabetes do not use or require an insulin pump system. People with type 2 diabetes are typically treated through diet and exercise. People with type 1 diabetes are dependent on the insulin hormone to help regulate their glycemic (blood sugar) levels. Today, people with type 1 diabetes use insulin injections or insulin pump systems to help control the effects of diabetes. In the United States, approximately 400,000 people use these life-saving devices.
Why this FAQ?
There is growing media and public interest in the computer security properties of insulin pump systems. This growing interest is in part a result of a recent paper published by Li, Raghunathan, and Jha at IEEE HealthCom 2011 [Li11], though there have been earlier public discussions about insulin device security (e.g., an article on CNN.com, http://www.cnn.com/2010/TECH/04/16/medical.device.security/), and we expect additional media coverage in the future. We hope that this FAQ provides a balanced perspective for patients and the general public. Most importantly, we stress that although it is important for manufacturers to consider the computer security properties of their devices, patients today should not be concerned. The benefits of insulin pump systems far outweigh the risks.
What scientific studies are reflected in this FAQ?
This FAQ was prepared by Medical Device Security Center Co-Directors Nathanael Paul and Tadayoshi Kohno, along with Dr. David Klonoff.
This FAQ reflects upon both the recent results by Li, Raghunathan, and Jha [Li11] and our own study of the computer security properties of insulin pump systems. Some of our results will appear in upcoming issues of the Journal of Diabetes Science and Technology [Paul11a]. We disclosed other results to the FDA in February and March 2010 but, to date, have not disclosed those results publicly.
Where are you coming from?
One of us has been using insulin pump systems for over 10 years. One of us is a practicing endocrinologist. Two of us have been active computer security researchers for over 10 years, with special interests in the security of medical devices for over 5 years.
We founded the Medical Device Security Center in 2008 in order to provide a technical foundation for protecting the computer security and privacy of future implantable medical devices. Our 2008 FAQ discussing the computer security properties of an implantable cardiac defibrillator is available online at http://www.secure-medicine.org/icd-study/icd-faq.php.
Where do you see the diabetes technologies heading in the future?
Diabetic therapy is rapidly changing. Newer systems allow a patient to have constant and continuous blood glucose samples that are transmitted by a small sensor to the pump throughout the day. In the future, closed-loop insulin pump systems (i.e., an artificial pancreas) will be able to automatically receive this sensor data and change the insulin dosage appropriately.
Why is it important to study the security and privacy properties of existing implantable medical devices?
Current safety provisions on these devices do not specifically address intentional failures. With the rapid change of insulin pump systems, we need to more fully understand the computer security and privacy issues in their system design. While the actual risk to current patients is low, it is important to address these issues in future devices. As highlighted in our previous work, these issues are important in other medical device systems [Halperin08].
What is the current status of insulin pump system security?
Since our discussions with the FDA in Feb. 2010 and our public presentation in March [Paul10a], both the FDA and manufacturers have known about multiple security and privacy issues. Industry and the FDA have been taking medical device security seriously. In the past, other system security issues, including those in peripheral components of insulin pump systems, have been discussed [Paul10b]. More recently, two of us publicly presented our concerns before diabetes technology manufacturers [Paul10c, Kohno10]. This week an academic paper was published that details security issues with a particular insulin pump system [Li11].
We are encouraged to see more work being done in this area. Scientific investigation into the observable characteristics of a real, common commercial insulin pump system is necessary in order to provide a foundation for understanding and addressing the security, privacy, safety, and efficacy goals of future implantable devices.
Can you summarize your assessment of the security properties of today's insulin pump systems?
We reflect upon the recently published Li, Raghunathan, and Jha paper [Li11], the results that we previously disclosed to the FDA, and our upcoming article in the Journal of Diabetes Science and Technology. Our goal is not to compare these different works, and indeed we stress that [Li11] does contribute in ways that our own results do not. Rather, our goal is to step back and reflect upon what this collection of results might mean to patients, caregivers, and the general public.
There are two main types of insulin pump systems. In a more traditional insulin pump system, the insulin pump device is connected to a patient through a long tube, and the tube is inserted into the patient via an insertion site (a plastic attachment with insulin flowing through a smaller tube of plastic). Typically, the patient will use the actual buttons on the pump to control the device. More recent insulin pump models have added more features to the wireless remote control interface.
In 1999, wireless control was first deployed in insulin pump systems. The remote control looked like a car remote that is used to lock and unlock car doors. When this remote is used, the insulin pump may beep or vibrate as a response. This same interface exists on current insulin pump systems today. However, this particular interface is limited compared to other modern insulin pump systems, and many newer systems now use color PDA-like displays that are capable of completely managing one's diabetes through the remote control device.
Reflecting upon known results, our assessment is that the risk for wireless security incidents is low. There are many mitigating factors already in place for these types of systems. Within those systems that do provide wireless functionality and a physical control interface (existing works have not examined all insulin pump system models), the wireless interfaces are all initially disabled. We do suspect that wireless usage within these systems is growing, but having all wireless connectivity initially disabled indicates that wireless security issues are not initially present in a deployed system. Patients can simply use the buttons on their insulin pump to perform system control. An additional mitigating factor is that exploiting the security and privacy issues requires technical sophistication. The bottom line is that these devices are extremely useful for patients, and their benefits far outweigh their risks. We suggest that current insulin pump users of these and other systems continue using them to their fullest potential. At least one of us is a current user of this type of insulin pump system, and we are very happy as we continue to use it.
How safe are other insulin pump systems?
Another type of insulin pump system is a patch pump — this system changes the insertion site to a small device that contains the insulin. The main difference is that the patch pump system has the pump attached on the body, and the insulin does not have to flow through a long tube to the insertion site (the insulin is directly dispensed at the insertion site). The patient will use a remote to control the insulin pump.
More manufacturers are moving towards these systems as they provide added convenience to pump patients. In this different insulin pump architecture, the system may only provide a wireless control interface to the infusion pump. The insertion site is actually a pump device that is directly attached to the body. The interface to this system is a wireless control (and may be the sole interface). We have studied at least one patch pump system. While similar issues exist, we again assert that the benefits of these systems still far outweigh the risks. While security and privacy within these systems are important, we currently deem these risks to be low [Paul11a].
This is an exciting time in diabetes technology. These devices have significantly helped patients to maintain good glycemic control, and the continual innovations in these systems have proven useful.
As a patient, what should I do?
All three of us are researchers, and one of us is a patient with diabetes who wears an insulin pump. We strongly believe that nothing in current research literature should deter patients from receiving these devices if recommended by their physician. The implantable insulin pump system is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. To our knowledge, there has not been a single case where an insulin pump patient has ever been harmed by a security breach. Carrying out the work discussed in current research literature requires willful intent and technical sophistication. The goal of the security research community is to improve the security, privacy, safety, usability, and effectiveness of future implantable medical devices (IMDs).
What have you done to ensure that these findings will not be misused?
While there are now multiple research groups conducting work in this space, we are only in a position to comment on our own work. However, we feel that other groups share similar concerns and perspectives. Our utmost concern is to protect the safety of patients. We have been working with the FDA and other manufacturers without publicly discussing many details on security and privacy issues within the insulin pump and artificial pancreas. We have recently begun publishing about these security issues. Our initial public disclosure in Mar. 2010 lacked many of the details that we began to elucidate privately to the FDA in this same time period. We met with manufacturers who were interested in hearing about these same issues, and we started an ongoing dialogue with some soon after. We know that all the relevant stakeholders are working to solve more of these issues and improve the security and privacy design of these systems.
How can I learn more?
The following references may be helpful.
Public Presentations
[Kohno10] Tadayoshi Kohno. Security and Privacy for Wireless Personal Medical Devices: Experimental Results, Challenges, and New Directions. Presentation at the Tenth Annual Diabetes Technology Meeting. Nov. 11, 2010. Bethesda, MD.
[Paul10a] Nathanael Paul. Insulin Pump Safety and Security. Presentation at the General Hospital and Personal Use Devices Panel Meeting. March 5, 2010. Gaithersburg, MD.
[Paul10c] Nathanael Paul. Mitigating Security Solutions for Attacks on Insulin Pump Systems. Presentation at the Tenth Annual Diabetes Technology Meeting. Nov. 11, 2010. Bethesda, MD.
Video of talks regarding these issues:
Papers
[Halperin08] Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, PhD, Tadayoshi Kohno, PhD, and William H. Maisel, MD, MPH. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In the IEEE Symposium on Security and Privacy, May 2008.
[Li11] Chunxiao Li, Anand Raghunathan, and Niraj K. Jha. Hijacking an Insulin Pump: Security Attacks and Defenses for a Diabetes Therapy System. In the 13th IEEE International Conference on e-Health Networking, Application & Services (HealthCom). June 2011.
[Paul10b] Nathanael Paul and David Klonoff. Insulin Pump System Security and Privacy. In the First USENIX Workshop on Health Security and Privacy (HealthSec). Aug. 2010.
[Paul11a] Nathanael Paul, Ph.D., Tadayoshi Kohno, Ph.D., and David C. Klonoff, M.D., FACP. A Review of the Security of Insulin Pump Infusion Systems. Journal of Diabetes Science and Technology (to appear).