When Jay Radcliffe went public last year with his discovery that some insulin pumps can be hacked, he didn’t expect it would take a year to get a meeting with the company that makes the vulnerable products.
Yet that’s about how long it’s taken to get Radcliffe and Medtronic, one of the world’s biggest medical device makers, together.
Radcliffe is set to appear on a panel today with Michael McNeil, Medtronic’s chief privacy and security officer, at the Amphion Forum in Washington, D.C., a computer-security conference. For Radcliffe, their appearance together is more than a validation of his research — it’s also a sign that the medical equipment industry may be embracing hackers.
“It’s a very big shift,” said Radcliffe, a diabetic and computer security professional from Idaho. “If you would have asked me ten months ago if I’d be on stage with them at a security conference, shaking hands and saying we’re working together to make medical devices safe, I would have laughed. I would have said that’s an impossible thing.”
The Minneapolis, Minnesota-based company had previously refused to look at details of Radcliffe’s findings, according to Radcliffe. Medtronic hired security consultants to examine its products after Radcliffe raised the issue at a security conference, but has said little else about the issue.
“Medtronic has and will continue to engage a variety of researchers and experts on issues related to device security at conferences and other venues,” the company said in a statement. “We appreciate the technical expertise and insight that comes from the security community and recognize that patients will benefit from our collaboration on this industry-wide issue.”
Radcliffe’s experience until now underscores a familiar hackers’ dilemma. Tell a technology company that you’ve found security holes in its products, and you may get nothing but radio silence, amid fears of liability or sheer inexperience in dealing with security researchers.
To be the target of attacks — albeit by researchers — is an unfamiliar position for medical device makers. But now that more of these devices have wireless connections to help with things like diagnostics, the attention on them is increasing.
Another hacker, Barnaby Jack, who works for antivirus vendor McAfee, has also demonstrated problems with Medtronic products, taking Radcliffe’s findings a step further by showing how to use an antenna to scan public places and attack pumps from up to 300 feet away.
“I have to give Medtronic a lot of credit,” Radcliffe said. “It takes a lot for a corporate structure to say, maybe we didn’t do it right.”