Jay Radcliffe is a fellow type 1 diabetic, and I remember reading his diabetes blog way back in the day, when I first started blogging. We read and commented on each other’s posts, and we were both part of the blogosphere when the DOC first started to grow. I knew he was married, had children, and did the day-to-day diabetes stuff that I did.
Which is why when I read the mainstream media’s take on his pump-hacking research (this article, Insulin Pumps Vulnerable to Hacking, for example), I reached out to him immediately. “Can I just tell you that my mother sent me this article about your research? Do you have time to talk?”
Jay was out in Las Vegas this morning, attending the Black Hat security conference, but he and I had a chance to hash it out over the phone.
“I know you! And I know you as a diabetic, not as this guy who hacks insulin pumps and has a billion articles floating around about it on the web right now. I have a few questions. Starting with, why did you decide to hack into your own insulin pump?”
“I’m a professional security researcher. I’m curious – I want to find out how things work,” Jay said. “I saw a presentation two years ago on parking meter hacking, and I was really inspired by that. It prompted me to talk to my co-worker with type 1 and said, ‘We should try that.’ I’m wearing these devices every day, and I wanted to find out how secure these things are.”
“So you took your own pump, and your own continuous glucose monitor, and hacked it to bits, literally and figuratively?”
“Hacking isn’t what people often think it is. It’s not about breaking into things or being malicious. Hacking is making something do something it’s not supposed to do, or not intended to do. Like the guys on Mythbusters do,” Jay said. “And vendors need to know about these vulnerabilities. Is it deterring from actual diabetes cure research? I don’t think so, but if it is, people can’t be mad at me for bringing the issue up. If you want your insulin pumps to be safer, I have to do this. I’m sorry if it makes people upset, but I’m doing this as ethically as possible. I didn’t disclose the brand of device that I wear, and I kept the company protected to the best of my ability.”
This makes sense, but I ran a quick Google search before getting on the phone with Jay, and I saw all kinds of articles making it sound like people with insulin pumps were the next targets for technological terrorism, and people within the diabetes community were upset because this kind of security breach potential could perhaps cause the already-slow FDA to cease diabetes device approvals in their tracks. To me, as an Animas pumper who is waiting impatiently for the Vibe to be approved, I was not soothed.
“Are you concerned that you may have given the FDA another reason to hit pause on some device approvals?” I asked him. ”I am concerned. Aren’t you concerned about the fact that the FDA doesn’t have any guidelines around wireless transmissions? Don’t blame the FDA’s crappy process and make things less secure because you want something better. Make it comprehensive and make it better, don’t just move fast to get it on the market.”
“I get that, but I’m not at all worried about someone hacking into my diabetes devices. Jay, do you really think people with diabetes are targets of some kind? And don’t you wonder if, by bringing this issue up in such a public and pretty sensationalist way, that you’re planting the idea into people’s heads?”
Jay is unflagging in support of his research. “I’ve presented it on stage, and showed over five thousand hackers how to do it. I suspended my own insulin pump, and I did it remotely. And yet I’m still wearing my pump, and I am not afraid to wear my pump. My hope is that other people will pick up the idea and work on it, and that the ethical and professional people will do more research and help make things secure.”
“But do you really have to show the insulin pumper with X’s over their eyes and the evil, pump-suspending guy lurking in the background?”
(I can’t help it: I respect the views of my fellow PWDs, but that doesn’t mean I’m not frustrated when people sensationalize diabetes. It’s the same viewpoint I have when people want to use images of chainsaws when they are informing people about the very real risks of diabetes-related amputations. I’m just not into that kind of press for diabetes. I don’t agree with sensationalist journalism, so I don’t agree with the method that Jay chose to present his information. While I get the whole “sex sells, so you have to keep it sexy” ideology, his choice to present this security issue as though it was a secret agent plot isn’t something I agree with at all. Similarly, I’m annoyed that the mainstream media is making it sound like diabetics wearing pumps are ticking targets. This is the information about diabetes that makes the front page? Societal fail.)
Fellow PWD and tech blogger, Scott Hanselman, summed it up nicely: “I appreciate the message that Jerome is trying to get out there. Wireless medical devices need to be designed with security in mind. I don’t appreciate blogs and “news” organizations inaccurately scaring folks into thinking this is a credible threat.”
“In security research, you have to bring home the point,” said Jay. “The technical details can be boring, but a presentation at a conference like this can’t be. You need to show the most dramatic asset to keep people’s attention and to make them care. In this instance, the insulin pump is hackable. I can suspend your pump. And that can have serious consequences. I’m not trying to hurt my fellow people with diabetes. Instead, I’m trying my best to protect them.”
As a pump wearer myself, and a continuous glucose monitor wearer, I’m not concerned about being hacked. I’ll sleep fine tonight … until I see the sensationalist headlines of tomorrow. And that’s when I might need a bolus of serenity.
*This blog post was originally published at Six Until Me.*