Insulin pumps marketed by Minneapolis-based Medtronic have a serious, life-threatening security flaw, and the company couldn’t care less.
For two reasons, this isn't your typical security flaw, and Medtronic's response (in effect, that in 30 years it has never seen such a problem that it knows of) is beyond deplorable. Ford's infamous decision to pay lawsuits rather than fix a deadly flaw in the Pinto comes to mind.
The problem is twofold. Last month at the Black Hat security convention, Jay Radcliffe, a security researcher and diabetic, demonstrated the ability to wirelessly control the rate at which certain Medtronic insulin pumps dispense insulin. That’s bad.
But this is no prank or inconvenience. Tampering with insulin levels can be deadly. Possible complications include blindness, kidney failure, nerve damage, heart attack, stroke, coma, and death.
What makes this even more infuriating to me is that Medtronic's insulin pumps are insanely expensive. The pumps start at around $7,000, and some models reach $10,000. And the supplies are even more ridiculous. The plastic tubing that connects the pump to your abdomen costs $15-$20 and lasts 3 days. The reservoirs cost about $5 and last about a week, but a couple of years ago Medtronic stopped selling the two items separately so they could jack their customers for another $260 per year.
So before you start sympathizing with Medtronic, keep in mind that they make $1,300 per year per patient just by supplying little plastic tubes and little plastic cups to their customers so they can use their $7,000 insulin pumps.
The insulin pumps generally last about five years, at which point you send the pump in and pay for a new one, and the racket continues. You pay a few grand to get current; then they refurbish your old pump and sell it to someone else for a few grand.
Medtronic has about 400,000 insulin pumps in operation at the moment. Based on the cost of the pumps and supplies, Medtronic stands to generate $1 billion per year in revenue for the rest of those 400,000 patients’ lives. And if you’re concerned about future growth potential, there are 21 million diabetics in the United States, and that number is growing due to poor modern diets.
Also consider the continuous blood sugar monitoring devices that Medtronic pimps out to their patients, often against their doctors' wishes. Not all diabetics have them, and not all diabetics who have them use them because they can be extremely painful, but for those who do, Medtronic can bring in another $2,500 in revenue per year.
Computer companies manage to find and patch security flaws in the hardware and software they produce, on lower margins than Medtronic enjoys. And frequently the vulnerabilities they fix are inconveniences, not matters of life and death.
The risks are small. Probably lower than those of a Ford Pinto. But I can think of two scenarios. The more obvious one is someone with a vendetta against a person who wears a Medtronic insulin pump, plus the ability to get within radio range and wirelessly send commands to that pump. Not many people have both, but it's not inconceivable. Another possibility is a sociopath who sets up a device in a public place that broadcasts signals to make any Medtronic insulin pumps in range go haywire, in hopes of seeing some chaos.
The question is whether one death is too many. I believe the answer is yes. Medtronic seems to think the answer is no. And Medtronic gives the non-advice of securing the device by disabling its wireless connection, even though the pump has no option for doing that. It's PR spin to appease stockholders, not to help its customers.
I have one number for you: $36.73 billion. That’s Medtronic’s market capitalization. This isn’t two guys working out of a garage. It’s a huge multinational corporation with deep pockets and tremendous margins. For comparison’s sake, Adobe is a $12 billion company. Red Hat is a $7 billion company. Dell is a $27 billion company. Lexmark is a $2.5 billion company. None of those four companies could get away with having a life-or-death security hole in any of their products for long. And I really don’t think any of them would try.
I'm not a fan of ambulance chasers, but this is one instance where an ambulance chaser can go make the world a better place. So I hope some ambulance chaser is eyeing that $36.73 billion right now. Go get 'em.
And if you happen to be a diabetic who uses a Medtronic insulin pump, call your insurance company and ask them how soon you can switch to another manufacturer. Jay Radcliffe switched to Johnson & Johnson. Other makers of insulin pumps include Abbott Laboratories and Roche Pharmaceuticals.