Monday, August 8, 2011

Hacking Into Real Concerns

So, there was this hacker’s conference in Las Vegas recently.

That was where Jay Radcliffe, a security researcher and fellow Type 1 diabetic, gave a presentation about his findings that someone could remotely hack into insulin pumps and continuous glucose monitors to manipulate data and even control the devices.

Some specialty publications picked up the story, as did the Associated Press, and then basically the same story ran in a number of newspapers nationwide, including USA Today. Eventually TV media-players like Fox and CBS picked it up with their own variations, too. Headlines and stories reiterated the basic point of what Jay said at the conference: "Hackers can do this to kill people using these devices, and we should all be concerned."

This issue came up earlier in the year with an MSNBC article on hackable medical devices, and this is the latest story highlighting something that may very well be possible and a concern for those of us using these devices.

That's where we are now. This has all sparked discussion about how Jay presented his findings about this security flaw, the realistic concerns this may or may not present, the media portrayal of all this, and potential unintended consequences this could have on public perception, the regulatory review process, and our patient-community that needs and lives with this kind of technology every day.

Frankly, I’m a little split on this whole issue. First, I am not even sure how I feel about Jay's presenting this at the conference and giving the media a “pump-attack” story in the first place. Would it be different if he discovered this and just blogged about it online? Should he have kept it hush-hush and just contacted the device manufacturer(s) without letting the masses know? Is this reasonable proactive awareness on a potential security flaw, or a needless scare tactic being used to prove a point?

I've read that Jay used some sensational skull-and-crossbone images to promote this at the hacker's conference, and contacted the press ahead of time. And it does appear that this was self-promotional, rather than a "protect my fellow PWD" message... But I don't know. It's tough and I am torn. But really, that's not the point. The media response to all of this is.

From what I’ve read, pretty much all of the articles – whether it be the specialty hacker/techie publications or the mainstream newspaper stories – seem balanced and fair. They are essentially reporting on what Jay presented on. The AP story that ended up nationwide didn’t "sensationalize" the story, or do what that term means when it comes to media sensationalism, and it doesn't strike me as an example of irresponsibly playing this up. It focused on Jay's research/presentation, offered responses from the FDA and medical device industry, and included objective perspective from another researcher on this type of thing. I don't see anything editorially or journalistically wrong with that.

They are reporting on a story, just as a local reporter would write about a local county government meeting where someone does a PowerPoint on how rezoning a property will lead to mass development years down the road - you are just reporting on what they tell you and getting the different sides. Even if the readers disagree with the rezoning and what one person says future development might look like, and the readers despise the fact that anyone would even discuss this in the first place, it's still information that is worth getting out to people so they can use their own minds to decide for themselves whether it's an issue or not.

Here, Jay said publicly that he hacked his pump and others could do the same, that it could be done to kill someone. The media isn’t overplaying anything; just reporting on what he said is possible. Two examples stand out, from what I’ve seen published online: CBS and a techie blog that do seem to use overly-sensational language to make the point. While I don’t like that on its face, even those writings overall balanced things out in their coverage based on what Jay put out there.

We can’t shoot the messenger; in this case that's the media and even Jay Radcliffe. Just because he talked about it and the media wrote a story, and people may react negatively to it and it could have unintended consequences, doesn't mean the story shouldn't have been told or written.

This comment from the MSNBC article sums up my feelings on this, I think:

"Pretending a problem doesn't exist is a great way to turn it into a crisis. Security through obfuscation is a joke and a policy that has been discarded by every decent security researcher in the field. Sticking your head in the sand doesn't solve anything and it is only (through) identifying problems openly that solutions can be developed and deployed."

However, I think the Diabetes Community does need to be concerned now with any potential unintended consequences from all of this. I do think we need to keep perspective on how minimal this really is as far as something to be concerned about when talking about D-devices. My response would go something like this:

1. Medical device makers - we trust you in recognizing these issues and addressing them as needed.

2. FDA: We hope you will hold companies responsible in addressing these issues, but not needlessly hold up technology when a company has addressed these potential concerns. This isn't a practical issue for anyone who uses these devices, and shouldn't overshadow the real world problems the diabetes community faces without these products and the developing innovations out there. Overnight lows, swinging blood sugars, and long-term complications resulting from these BG issues are what the focus should be when evaluating the devices.

3. Media: Please maintain the practice of fair and balanced coverage, both on the potential security risks as well as the practicality and FDA response to all of this. Let’s not sacrifice accuracy in order to sell more papers or get more viewers or page visits. That is our responsibility, as the Fourth Estate. We need to make sure this doesn't become a big deal, when it's really not.

4. Insulin pump users: Calm down. This really isn't a big deal. Avoiding Lows and DKA are much more important. Oh, and making sure the TSA isn’t needlessly hassling us and our fellow PWDs with over-the-line security procedures.

These are just my views. Others have and are writing about this from their perspectives, as well – I encourage you to read those posts. Some of those include:

- Manny Hernandez at TuDiabetes reached out to the medical manufacturers for a response, and so far he's posted this Q&A with Medtronic and then this one from Animas.
- Kerri at Six Until Me has a great interview recap with Jay Radcliffe himself.
- Scott Hanselman also has a more tech-specific analysis of this issue and the initial media coverage.
- Kelly Booth over at Trials & Tribulations has also written on this topic.
- Pearlsa shares some thoughts on this, since she blogs at A Girl and Her Reflections.
- D-Dad Matt at Type 1 Online talks about this from his view as the parent of a CWD, and as someone in the IT industry.
- Bennet also has this brilliant post going at how we should keep this all in perspective, and not get overly concerned about this when the reality doesn't dictate it as a big deal.
- Sara's post at Moments of Wonderful talks about the hackers that really don't care about us.
- Scott Strange has a simple message, that the threat is real but the risk is essentially non-existent.

You can also follow discussions on Twitter using #pumphack as a hashtag.

Overall, I agree that the D-Community should get our collective voice out there to the medical device makers that we trust them to handle this, and to the FDA that this isn't what they should be worrying about because it’s really not that big of an issue in the bigger picture. The focus shouldn't shift from the benefits, and true life-and-death dangers that exist by NOT having these resources available.

7 comments:

Kelly Booth said...

Great article Mike! I am with you, I have mixed feelings also. I would prefer to know that something could happen, even if the chances are very tiny that they actually would happen. Most of the articles I read were pretty fair and I don’t think we should hang every media outlet because of a couple bad ones.

Bennet said...

Hey Mike.

Thanks for adding your thoughts to the conversation. I think you bring additional wisdom to the conversation. I appreciate the way you frame the media's role.

I agree that pretending a problem doesn't exist is a foolhardy practice. I do think there should be a prioritization of risks. I fear that there are many more significant risks in life with diabetes than pump hacks. Here you add to the balancing of those risks and I think that is a wonderful thing.

All the best.

Bennet

Pearlsa said...

Great post, knowing a pump can be hacked is good. Now the makers can work on securing it.

Hopefully innovation will not slow because of this.

Sara said...

And here am I still hoping I win the lottery :)

Meagan said...

Very interesting post! I heard snippets of this hacking info recently...such a scary issue, but good to know if you pump.

I am still on injections, but am planning on pumping eventually. I'm sure the companies are amping up the security now, just to be on the safe side.

k2 said...

WELL DONE.

Jeff said...

Great, very balanced post. Kudos.