The High Stakes of Cybersecurity in Operational Technology: Lessons from Insulin Pumps


OT cybersecurity critical as breaches could be life-threatening, e.g., hacked insulin pump = seizures, loss of consciousness, or death. Long device approval processes can lead to patients hacking their own devices for quality-of-life issues.

Cybersecurity is a balancing act – cybersecurity practitioners constantly balance risk. If they don’t implement enough security controls in IT, there could be a data breach (data theft), loss of access to data or hardware (ransomware / DoS), identity theft (person or company), and more. However, the stakes are even higher with an Operational Technology (OT) system. A cybersecurity breach can have life-threatening consequences. For example, a self-driving car could be forced to accelerate, a pacemaker could be shut down, and an insulin pump could be forced to provide neither.

Let’s consider diabetes and insulin pumps from a few years ago for the remainder of this article. In Type 1 diabetes, insulin pumps provide synthetic insulin to people whose bodies don’t produce insulin. Insulin is needed to balance glucose levels in the human bloodstream – basically, humans need insulin to get energy from food successfully. If hacked, an insulin pump can provide too much insulin. In mild cases, this causes confusion, dizziness, blurred vision, a rapid heartbeat, and more. In severe cases, seizures, loss of consciousness, and death are possible. Lack of insulin also causes problems, especially long-term. You probably think, “OK, we get it; if an insulin pump is hacked, users’ health and possibly life are at risk. Let’s make it secure!” This is a fair observation, but let’s continue to consider the situation.

 

When insulin pumps were first introduced, they delivered one insulin dose. Users would then test their blood by pricking their fingers two hours later to see if they needed more insulin. The user would tell the pump to deliver another dose if another dose was required. Innovation then happened – continuous glucose monitors were developed. With continuous glucose monitors, users no longer need to prick their fingers. Continuous glucose monitors sound an alarm when the user needs more insulin, and users can instruct their pump to provide another dose. You may be asking yourself, “Why stop there? Let’s connect the glucose monitor to the insulin pump; that way, when people require more insulin, the glucose monitor can provide the dose automatically.” Insulin users and the industry agree. However, medical devices take a long time to be approved for commercial use.

The approval process takes a long time because medical devices are required to be thoroughly tested and proven safe before use. “That’s an excellent thing, right?” Maybe – maybe not. Sometimes this means that the latest medical devices are kept out of the patient’s hands for a long time. Consider a four-year-old named Evan, who was diagnosed with type 1 diabetes. He had to wake up every 2 hours at night to check his insulin levels. If his parents didn’t wake up to their alarm, their child might never wake up. It has been reported (wired.com) that Evan’s dad connected a pump and glucose monitor to an iPhone app he created to address this. Based on the glucose monitor’s reading, the iPhone could automatically tell the pump to send more insulin. Eventually, a movement started: “WE ARE NOT WAITING!”

Additionally, many people didn’t want to wait because of quality-of-life issues. Meg Green, 26, followed online instructions to hack her pump. She said, “I was out for drinks, and the pump automatically knew how much insulin to give me. I was stable all night. It was amazing, and I just wanted to cry.” Should people be allowed to hack their own devices? Should people have to wait for the government to catch up with technology? Should people be able to take risks for themselves?

If you want help considering these issues for your company or are interested in a cybersecurity career, contact Knightec for expert assistance in protecting your organization and avoiding life-threatening consequences. If you’re a cybersecurity talent looking to work with existing clients and projects within this critical field, contact us to join our team of experts.

Let us help you and keep you safe

Knightec is a leading company in cybersecurity, with a team of experts who specialize in helping companies navigate the complex landscape of laws, regulations, and standards related to product cybersecurity. These experts can help companies identify potential product vulnerabilities, implement appropriate security protocols, and ensure compliance with relevant cybersecurity laws and regulations. By partnering with Knightec, companies can be confident in creating secure and reliable products that meet the highest cybersecurity standards.

Get in touch with us today by emailing cybersecurity@knightec.se
