Securing medical in the IoT
Radcliffe, diagnosed with diabetes at age 22, found the hack of the necessary medical device “surprisingly easy” and, obviously, concerning as the pump could be hacked to provide a lethal dose of insulin. His presentation shed much-needed light on security design in medical devices, a rapidly developing segment of IoT (the Internet of Things), the designs for which have the potential to be not only health- and life-improving but life-saving.
Radcliffe, now a highly regarded senior security consultant and researcher for Rapid7 and keynote speaker at next week’s Designers of Things conference, recently spoke to EDN about IoT and medical devices, what it means to be a hacker, how security needs to be engineered into medical devices, and FDA oversight. Below are excerpts of that conversation.
On your LinkedIn profile you use the phrase “pursuit of intellectual happiness.” What does that phrase mean to you?
People in our field are very curious people. We always want to know how things work. The original concept behind the term “hacker” is just that; we want to know how the internal pieces and elements of computer systems, or anything really, work and how they can be manipulated to do other things.
To take something and see how it works and what else it can do in a creative perspective is what a lot of people who are good in my field do, whether that be an insulin pump or a computer program or a mechanical thing. When we figure that out, when we have that “aha moment” at a deep level, it makes us very happy.
You define yourself as a hacker, then?
Absolutely … There’s a lot of confusion about the term “hacker.” It’s often thrown around without definition. We often get painted as a “bad guy” in a black mask who steals your data. I look at people who want to have a deeper understanding of things as a hacker, and less of as a malicious attacker.
Do you think the emerging medical world is ill equipped for the advancements of an IoT connected world?
There’s so much excitement around the potential of having these devices connected and the data they provide that we have to move fast to get that to people so they can be healthier and we can save lives with that information and increase quality of care and quality of life. But sometimes when you move that fast you forget about certain things. One of those things could potentially be security.
We’ve seen it in some of these devices. We’ve seen it in cars, where we kind of add the Internet onto a device without thinking about the consequences of that, then we go back and [realize] we should have given that more thought.
Who does the responsibility to fix that fall to: the designers of such IoT things, medical device manufactures, devices users?
It takes a community to secure all this information. We can look at something as simple as email or online banking. There are a lot of components in there that individuals have responsibilities for. Your online banking account is only as secure as the password you use. Users have a hand in it as far as keeping their individual passwords and security heightened. Banks have to do the same thing. They have to understand what the best practices are and put that in their software.
The designers of those things need to be able to give the tools to the banks or the medical device manufacturers to be able to implement those things correctly. There are lots of different parts there that have responsibilities.
Then there’s the concern of oversight. Is there any FDA oversight over [a device’s design]? Is there someone making sure that someone is keeping it all in check?
From your technical background, is there anything engineers, makers, or hackers could specifically be doing to help?
Much like when you need to have heart surgery done, you’d go to a heart surgeon, not a general practitioner or a pediatrician. Similarly for electrical engineers and Internet of Things designers, when it comes to security, they should seek out security professionals to get help in designing security in.
We are seeing this done a lot more. Instead of coming to a security person just before the device comes to market, getting the security in early in the process makes that device a lot more secure. I can’t expect electrical engineers and computer programmers to be security experts, but they can go out and get security expertise to make sure they are doing all the things right and that there’s security in their products. It’s become too complicated and too cumbersome to put that burden on them. It has to be part of the process now to go out and get special talent.
Five years ago, you could find someone that was a security expert and they would be able to provide expertise in all areas of security. But now, the field has grown so much that no one person can be a security expert. You can be an expert in one area, just like doctors or lawyers.
How are medical regulations playing into this changing, now-connected landscape?
There’s a little bit of a struggle right now. Medical regulators have always been people who are very much focused on the science of taking care of humans. This [world of connected devices] is very abstract to them. It’s a supportive element to medicine.
The FDA, for example, is equipped to look at how medicines affect the body but it does not have the staffing or expertise to make those security calls. Is this software secure enough to deliver medicine to a person? It goes back to that sub-specialty area. The FDA does not have the staffing to do so, nor does it have the authority to do so.
The FDA can’t just decide to regulate something on its own. It can only do what Congress allows it to do. The FDA is very much aware that there are a lot more computers involved in our medical care now but there’s the question of if they have the ability to regulate, which is why you see them give guidance statements not regulations. I think [the FDA] is doing everything that it can to try to get medical device manufacturers and the medical community up to speed on some issues and incorporating independent research, but it has to stay within the bounds of what it can do legally.
One last question. I’ve heard you have a ham radio license. Is that true?
I’ve had a ham radio license since I was 12. It’s kind of one of the things that is the philosophy of being a hacker. Ham radio has a long history of taking scraps of things and making something out of it, and understanding the deep workings of a radio and electronics. A lot of the Internet technology that we use is stuff that was used in ham radio back in the late 1980s/early 1990s. It’s very much a frontier for what will come in the future from electronics and technical masses. I think that’s still true today.
- Non-invasive blood glucose monitoring using near-infrared spectroscopy
- Embedded systems face design, power, security challenges
- Product How-To: Enabling secure wireless medical devices with the MSP430 MCU
- How to improve IoT security
- Ham radio in the 21st century
Jay Radcliffe will be speaking at the upcoming Designers of Things conference about the Internet of Things for medical devices. Register now for the only conference dedicated to Wearable Tech, 3D Printing, and IoT. Experience two days filled with expert insights, networking, and training at DoT 2015, being held in San Jose, December 2 & 3.
Make sure to follow updates about DoT's talks, programs, and announcements in the Designers of Things Collection and social media accounts on Twitter, Facebook, and LinkedIn. Designers of Things is managed by UBM, EDN's parent company.