Insulin Goes Viral?


New study shows some viruses produce insulin-like hormones that have potential to cause disease

Every cell in your body responds to the hormone insulin, and if that process starts to fail, you get diabetes.

In an unexpected finding, Harvard Medical School scientists at Joslin Diabetes Center have identified four viruses that can produce insulin-like hormones that are active on human cells. The discovery brings new possibilities for revealing biological mechanisms that may cause diabetes or cancer.

“Our research may help open up a new field that we might call microbial endocrinology,” said Emrah Altindis, HMS instructor in medicine at Joslin Diabetes Center and lead author on a paper in the journal PNAS  on the work.

“We show that these viral, insulin-like peptides can act on human and rodent cells. With the very large number of microbial peptides to which we are exposed, there is a novel window for host-microbe interactions. We hope that studying these processes will help us to better understand the role of microbes in human disease,” Altindis said.

“Indeed, the discovery of the viral insulin-like hormones raises the question of what their role might be in diabetes, as well as in autoimmune disease, cancer and other metabolic conditions,” said C. Ronald Kahn, the HMS Mary K. Iacocca Professor of Medicine and Joslin’s chief academic officer.

The key idea for the investigation came when Altindis, whose previous research focused on creating vaccines against bacteria, attended a Joslin seminar that discussed potential causes of the autoimmune reaction that drives type 1 diabetes.

From left, Altindis and Kahn.  Image: Courtesy Joslin Diabetes CenterFrom left, Altindis and Kahn. Image: Courtesy Joslin Diabetes Center

He began to hypothesize whether bacteria or viruses could create insulin-like peptides (small versions of proteins) that could help to trigger the disease.

By analyzing large public research databases that hold viral genomic sequences, he and his colleagues at Joslin found that various viruses can produce peptides that are similar in whole or in part to 16 human hormones and regulatory proteins.

“What really caught our attention were four viruses that had insulin-like sequences,” said Kahn, who was senior author on the paper.

Infecting Fish

These viruses were from a family of viruses known to infect fish. To find out if they could be active in mammals, the Joslin team collaborated with Richard DiMarchi, professor of chemistry at Indiana University, Bloomington, whose lab chemically synthesized these viral insulin-like peptides (VILPs).

Experimenting in mouse and human cells, the scientists studied whether the VILPs could act like hormones. Their experiments proved that the VILPs could indeed bind to human insulin receptors and receptors for a closely related hormone called IGF-1 (insulin-like growth factor 1).

These are the critical proteins on the cells that tell them to take up glucose and to grow. Additionally, the peptides could stimulate all of the signaling pathways inside the cells that were stimulated by human insulin and IGF-1.

Mice injected with the viral peptides exhibited lower levels of blood glucose, another sign of insulin action. Moreover, analysis of databases of viruses found in the human intestine showed evidence that humans are exposed to these viruses.

“These viruses are definitely known to infect fish and amphibians, but they are not known to infect humans,” Kahn pointed out. “However, it’s possible that humans get exposed to these viruses through just eating fish. Nobody has checked directly whether under some conditions the viruses could either infect cells or be at least partly absorbed through the gut intestine.”

The scientists now will broaden their search for other viruses that produce human-like hormones.

“This finding is the tip of an iceberg,” Kahn said. “There are thought to be more than 300,000 viruses that can infect or be carried in mammals, and only 7,500 or so of these, or about 2.5 percent, have been sequenced. Thus, we certainly expect to find many more viral hormones, including more viral insulins, in the future.”

“This research also opens up a new aspect to study in type 1 diabetes and autoimmunity,” he said.

“It may be that these or similar microbial insulin-like molecules could be an environmental trigger to start the autoimmune reaction in type 1 diabetes. On the other hand, you could also imagine that this might desensitize the immune response and could be protective,” Kahn said.

Viral Peptides

A similar question is open for metabolic diseases such as type 2 diabetes and obesity, in which the body fails to respond properly to insulin.

“You could envision that these viral peptides could either protect from or contribute to insulin resistance,” Kahn said.

These or similar viruses might also be a factor in certain human cancers.

“If these viruses are inside the gut, could the VILPs they produce stimulate growth of gut cells so that you get polyps or tumors of the gut?” Kahn asks. “Or if they’re absorbed or become infectious, could they infect any organ in the body?”

Analyzing such viral peptides may eventually help drug companies to design new forms of synthesized human insulins.

“We might be able to learn something, for example, about making insulins that don’t need refrigeration and can be stored for long periods of time, or insulins that are absorbed more quickly or degrade more slowly,” he said.

Given Altindis’s earlier research on infectious disease rather than in endocrinology, “our discovery gives an example of how work in one field can stimulate thought in another field,” Kahn added. “It really underlines the importance of cross-fertilization in the scientific discovery process, which is so valuable but so underappreciated.”

Advertisements

How an Insulin Pump Can Help Improve Your Holiday Meal Coverage


Holiday Meal Coverage

One of the most notable differences between insulin pump therapy and multiple daily injections (MDI) is the ability to deliver an insulin bolus over an extended period of time. This can provide a great deal of flexibility and control when eating certain types of food, as well as when you’re eating over a longer period of time, like at parties or buffets.

Many people with diabetes find that certain high-fat foods, like pizza, lasagna and ice cream, are more challenging to their blood glucose control than others. As a result, these foods are often avoided.

How Can an Insulin Pump Help?

By using an extended bolus, you can enter all of the carbs you plan to eat, but choose to only deliver a certain percentage of your insulin up front, and have the rest delivered over an extended period of time. This helps to better match the insulin release with the carb breakdown.

Extended Bolus

In insulin pumps by Tandem Diabetes Care, the Extended Bolus option is conveniently included in the normal bolus workflow, so it’s simple to use when you need it.

To learn more about extended boluses call (877) 801-6901 to speak to a pump specialist.

Free Virtual Demo!

New to Tandem pumps? You can try out the Extended Bolus feature on the simple touchscreen interface of Tandem pumps with your smartphone or tablet using our t:simulator™ mobile app.

If you’ve never used the extended bolus feature before, talk to your health care provider about strategies for using it to make this holiday season a little easier to manage. This information is a summary only, if you’d like to learn more please reference your pump’s User Guide for further information.

From time to time, Tandem Diabetes Care may pass along: suggestions, tips, or information about other Tandem Insulin Pump user experiences or approaches to the management of diabetes. However, please note individual symptoms, situations, circumstances and results may vary. Please consult your physician or qualified health care provider regarding your condition and appropriate medical treatment. Please read the Important Safety Information linked below before using a Tandem Diabetes Care product.

Medtronic launches new user-friendly insulin pump design in US


Medtronic has announced that its MiniMed 360G system with SmartGuard technology has been launched in the United States.

“This latest innovation demonstrates Medtronic’s vision to transform diabetes care to enable greater freedom and better health through a commitment to continually improving both outcomes and user experience,” Alejandro Galindo, president of the intensive insulin management business at Medtronic, said in a press release.

The FDA approved the system for the treatment of patients aged at least 16 years with diabetes. The new system features an insulin pump hardware platform and user-friendly design that will combine personalized diabetes management with industry-leading clinical performance, according to the release.

The system uses the Contour Next Link 2.4 blood glucose meter from Ascensia Diabetes Care to provide highly accurate blood glucose test results. Results are transmitted to calculate boluses using the Bolus Wizard calculator to calibrate the continuous glucose monitor sensor to help prevent manual entry errors, according to the release.

The SmartGuard technology is designed to trigger an alarm when continuous glucose monitoring levels reach a low threshold and releases insulin if the patient is unaware of the alarm.

“Low blood sugar at night is of particular concern, when up to 75% of severe hypoglycemia occurs and patients are unlikely to be aware of symptoms while they are asleep,” Satish Garg, MD, editor-in-chief of Diabetes Technology & Therapeutics and professor of pediatrics and medicine and director of the adult diabetes program at the University of Colorado Denver, Barbara Davis Center for Childhood Diabetes, said in the release. “The ability to automate the suspension of insulin at night is an important feature, as prolonged hypoglycemia could be life-threatening.”

10 Tips for Your Insulin Pump


PumpsHandheldMen_190Whether you’re new to insulin pumps, or have been pumping for most of your life, there’s always something new to learn! Here are our top 10 tips for your MiniMed insulin pump.

  1. The Bolus Wizard on your insulin pump lets you set up to 8 sensitivity settings throughout the day. Your insulin sensitivity is the amount that your blood glucose level is reduced by one unit of insulin and might vary throughout the day.
  2. If you have different schedules on different days (like work days and weekends) which leads to different insulin needs, you can program up to 2 additional basal rate patterns. This allows you to switch from a basal rate on a normal day to different basal rates an instant.
  3. If you ever need just a little more insulin for a bolus (ok, let’s say a whole lot more), but reached the maximum delivery on your pump, here’s how to change the “Max bolus” setting.
  4. Dual Wave bolus gives you an immediate bolus with the remaining insulin delivered over a set amount of time. This feature is useful for meals with both rapid and slowly absorbed carbohydrates (i.e. a lunch buffet or pizza night).
  5. Each of the bars on your battery icon on your pump screen represents approximately 25% of your battery life. Here are more 5 things to learn about the icons on your pump screen.
  6. When your battery is in a normal mode, if you hold the “B” button and press the down arrow at the same time during any active alert your pump light will turn on. Good to know when you’re in the dark and your pump starts alarming.
  7. Open and close your battery cap with a thick coin, like a nickel or quarter. Tighten until the slot is horizontal to prevent it from overtightening.
  8. There’s a taping technique that can be used with your infusion set known as an “open face sandwich” that helps your sets stick better. We promise you there’s no turkey and bread involved.
  9. If you ever need to clean your pump, use a damp cloth with water mixed with mild detergent to wipe the outside of your pump. Don’t place it under running water.
  10. Sometimes life happens and things can go wrong, so having a backup plan in place can bring you some piece of mind. Make sure you have extra diabetes and pump supplies on hand in case you need them and talk to your doctor about having a diabetes management backup plan in place.

Important Safety Information

Medtronic Diabetes insulin infusion pumps, continuous glucose monitoring systems and associated components are limited to sale by or on the order of a physician and should only be used under the direction of a healthcare professional familiar with the risks associated with the use of these systems.

Pump therapy is not recommended for people who are unwilling or unable to perform a minimum of four blood glucose tests per day. Insulin pumps use rapid-acting insulin. If your insulin delivery is interrupted for any reason, you must be prepared to replace the missed insulin immediately. NOTE: Do NOT use the Bolus Wizard to calculate a bolus for a period of time after giving a manual injection by syringe or pen. The Bolus Wizard does not account for manual injections, and could prompt you to deliver more insulin than needed. Too much insulin may cause hypoglycemia.

How Insulin Pumps Are Helping Type 1 Diabetics Live Longer


Great news for those who love their insulin pumps: a recent study done in Sweden reports that people with type 1 diabetes who use insulin pumps have a much lower risk of dying prematurelyfrom stroke or heart disease compared to those taking their insulin via multiple daily injections (which includes insulin pens).

“As done in Sweden at the time of this study, insulin pump treatment almost halved cardiovascular mortality,” said study author Dr. Isabelle Steineck, from Aarhus University Hospital in Denmark.

The study consisted of approximately 18,000 people with type 1 diabetes from the Swedish National Diabetes Register. Only 2,500 of the participants wore insulin pumps.

The detailed results concluded that insulin pumpers have:

  • a 45 percent lower risk of dying from heart disease
  • a 42 percent lower risk of dying from stroke
  • a 27 percent lower risk of all-cause death

The data was taken from a 7-year period of time.

The average age of those on pumps was 38 years old, and 41 years old for those taking injections. Approximately 1,200 participants died during the study.

Like many (or most) studies these days, this was an observational study which means the researchers can’t claim for certain that it is truly the use of an insulin pump that reduced participants’ risk of death. In order to claim firmly that the reduced death rates were from using a pump, the study would have had to control many other aspects of the participants lives and daily management, rather than just noting which method they used to deliver their insulin doses.

One aspect of the study worth noting, however, is that no funding for the study came from insulin pump manufacturers, explained Dr. Steineck.

For everyone living with type 1 diabetes, the risk of heart disease and stroke is nearly twice as high compared to the risk of someone in the general population.

Why does an insulin pump reduce risk of death?

The first theory, explains the Dr. Steineck, on why insulin pumps are reducing premature death is that pumps lead to fewer severe low blood sugar episodes.

The second theory suggests that when a patient chooses to go onto an insulin pump they inevitably receive more in-depth education around their diabetes management because the settings for an insulin pump are more in-depth than the “settings” for multiple daily injections. This theory perhaps points out a huge hole (and area for much-needed improvement) in general diabetes management education within the healthcare system.

“We evaluated the patients who used insulin pump therapy and do not know if the observed effect is attributable to continuous infusion of insulin or that some, if not all, of the effect is attributable to intensified glucose monitoring, increased motivation to control blood glucose, or a better knowledge about having type 1 diabetes,” she explained.

However, Vincent Crabtree from the JDRF feels the results aren’t actually conclusive.

“Continuous insulin infusion, otherwise known as pump therapy, is a more physiologic approach that has been shown in many analyses to be beneficial,” said Vincent Crabtree, director of research business development for JDRF. “This paper is intriguing, but will need more research to draw definitive conclusions.”

Crabtree reports less than half of the Americans with type 1 diabetes are actually using insulin pumps, but Steineck hopes her recent study will increase that percentage. Even more importantly, she also hopes it will encourage health insurance companies to be more agreeable when it comes to providing coverage for insulin pumps and the expensive supplies required to continue using one on a regular basis.

What do you think? How has your insulin pump changed your life with diabetes?

Adding Glucagon to Artificial Pancreas May Cut Hypoglycemia


Possible reduction in hypoglycemia in pooled small outpatient studies

 Using both a glucagon and insulin pump integrated with continuous glucose monitoring could reduce nighttime hypoglycemia in type 1 diabetes, a combined analysis of two small outpatient studies suggested.

Overnight use of the dual-hormone system was associated with less time spent in the hypoglycemic range under 72 mg/dL, at 1.0% compared with 3.1% with the single-hormone system and 5.1% with conventional insulin pump therapy, Ahmad Haidar, PhD, of McGill University in Montreal, and colleagues found.

The difference was almost entirely accounted for during the first half of the night, the time when glucagon was administered, whereas insulin delivery was otherwise similar between the two artificial pancreas systems.

Those were the findings from two randomized open-label crossover trials, one with 21 adults and seven children in a home setting using Medtronic pumps and sensors for two nights per intervention and the other with 33 children in a camp setting using Dexcom sensors and Roche pumps for 3 nights per intervention.

Combined analysis was reported here at the American Diabetes Association annual meeting, along with simultaneous publication of the pediatric camp study online inLancet Diabetes and Endocrinology.

The two artificial pancreas systems yielded similar overall glucose levels, both averaging 122 mg/dL compared with 140 mg/dL with conventional pump therapy.

Time spent at night in the hyperglycemic range over 144 mg/dL was 21% with the dual system, 23% with the single-hormone system, and 48% with conventional pump therapy.

The difference in nocturnal hypoglycemia was not significant in the pediatric study on its own, given the higher bar for statistical significance with multiple looks.

That study used a research-level set-up, with the kids’ continuous glucose monitors reading out to a sensor set outside the camp tent every 10 minutes, which was then entered manually by study staff into a tablet computer to run a dosing algorithm for the artificial pancreas systems that was then used to manually deliver the medications via remote control.

The researchers suggested that their findings warrant larger, longer studies with the goal of a fully integrated system.

Such a system would be more complex and more expensive, Jessica R. Castle, MD, of the Oregon Health & Science University in Portland, cautioned in an editorial accompanying the Lancet paper.

“Many advancements are needed to make a dual-hormonal automated system commercially viable,” she wrote, “including the approval of a stable glucagon formulation, a dual-chamber pump for combined storage and delivery of insulin and glucagon, and preferably a specialized infusion set that allows for combined delivery through a single insertion site.

“Despite these hurdles, the ongoing development of dual-hormonal systems is needed. Until a truly ultra-rapid insulin is available, an insulin-only system will be suboptimal, particularly in situations where insulin needs drop rapidly, such as during exercise.”

FDA Approves Animas Vibe Insulin Pump and Continuous Glucose Monitoring System


The FDA has approved the Animas Vibe insulin pump and continuous glucose monitoring (CGM) system for management of patients with diabetes who require insulin, according to a press release from the manufacturer.

The integrated system, which features Dexcom G4 Platinum sensing technology, allows patients to view glucose data and administer insulin from the pump. The latest glucose readings appear on the pump screen along with a view of glucose highs, lows and rates of change over time. These data complement fingerstick testing results and can be used to guide or adjust immediate and long-term insulin delivery.

FDA Approves Animas Vibe Insulin Pump and Continuous Glucose Monitoring System

Animas Vibe offers insulin dosing with a low basal increment of 0.025 U per hour across all available ranges (0.025 U per hour to 25.00 U per hour) and a low bolus increment of 0.05 U across all available bolus ranges (0.05 U to 35.00 U).

Dosing can also be personalized by selecting individual insulin-to-carbohydrate ratios, insulin sensitivity factors and blood glucose targets in 30-minute increments with up to 12 personal settings, according to the release.

Additional features include:

  • Dexcom CGM sensor technology that is approved for up to 7 days of continuous wear.
  • Waterproof up to 12 feet for 24 hours, and the Dexcom G4 Platinum transmitter is water-resistant for up to 8 feet for 24 hours.
  • Customizable alarms that signal high and low glucose levels.
  • A high-contrast color screen with color-coded graphs and arrows to indicate direction and rate of glucose change.

“For many people who are insulin-dependent, diabetes is a demanding disease that can require day-to-day and hour-by-hour management. We are pleased to now offer people with diabetes in the U.S. a solution with CGM technology that provides the ability to make more informed decisions to manage their disease, which can ultimately improve blood glucose control,” Brian Levy, MD, Chief Medical Officer of the Animas Corporation, said in the release.

Pacemakers Get Hacked On TV; Could It Happen in Real Life?


Jay Radcliffe breaks into medical devices for a living, testing for vulnerabilities as a security researcher.

He’s also a diabetic, and gives himself insulin injections instead of relying on an automated insulin pump, which he says could be hacked.

“I’d rather stab myself six times a day with a needle and syringe,” Radcliffe recently told security experts meeting near Washington, D.C. “At this point, those devices are not up to standard.”

Concern about the vulnerability of medical devices like insulin pumps, defibrillators, fetal monitors and scanners is growing as health care facilities increasingly rely on devices that connect with each other, with hospital medical record systems and —directly or not — with the Internet.

Radcliffe made headlines in 2011 by showing a hackers’ convention how he could exploit a vulnerability in his insulin pump that might enable an attacker to manipulate the amount of insulin pumped to produce a potentially fatal reaction. Now he talks about going without a pump to raise awareness about the potential for security lapses and the need for better engineering.

While there have been no confirmed reports of cyber criminals  gaining access to a medical device and harming patients, the Department of Homeland Security is investigating potential vulnerabilities in about two dozen devices, according to a Reuters report. Hollywood has already spun worst-case scenarios, including a 2012 episode in the Homeland series portraying a plot to kill the vice president by manipulating his pacemaker.

“The good news is, we haven’t seen actual active threats or deliberate attempts against medical devices yet,” said Kevin Fu, a University of Michigan researcher who has made his career testing the vulnerability of medical systems.

The bad news is that hospital medical devices may be vulnerable to hackers simply because they can be the weak link that gives a criminal access to a hospital’s data system — especially if the devices haven’t been updated with the latest security patches, said Ken Hoyme, a scientist at Adventium Labs, a cybersecurity firm in Minneapolis.

In the real world, he said, a hacker is more likely interested in stealing records he can sell than in harming a patient.

“There are not that many bad…guys whose goal in life is to go and randomly mess with patients in hospitals,” Hoyme said. “They want money, not to shut off the ventilator of a particular patient.”

Hospitals are targets because they collect so much data, from patients’ Social Security numbers and financial information, to diagnosis codes and health insurance policy numbers.

Radcliffe estimates that medical identity information is worth 10 times more than credit card information —about $5 to $10 per record on the black market compared to 50 cents per account for credit card information.

Crooks can use it to apply for credit, file fake claims with insurers or buy drugs and medical equipment that can be resold.

And unlike the victims of credit card theft, those with stolen medical identities might not know for months or even years, giving the thieves more time to use their information.

New FDA Guidelines

Yet there are few cybersecurity standards for medical devices.

In October, the FDA issued guidance outlining what security features developers should bake into their products when seeking approval for a new device.

The guidelines, which aren’t binding, say that when seeking approval for a new device, manufacturers should detail cybersecurity threats they considered and create better ways to detect when it might have been hacked.

They should also build in protections, such as limiting access to authorized users and restricting software updates only to products with authenticated coding.

While a good start, some security experts say the guidelines should be binding. Others fear that giving them the force of regulation could be more harmful because they would become outdated quickly.

Nonetheless, the FDA’s guidance has, in effect, changed the conversation among device makers from, “‘Do I believe this is a real threat?’ to ‘What do I have to do to satisfy the FDA?’” said Hoyme.

By the end of the year, the agency is expected to issue similar recommendations for devices already on the market.

Common Vulnerabilities

One reason many existing devices might be vulnerable is they run on defunct operating systems like Windows XP, which Microsoft stopped supporting in April, meaning there won’t be any new security patches. Other, newer devices may have built-in passwords that are difficult to update. Gaining access to them can be fairly easy which could make them more vulnerable to attack, researchers say. In addition, sometimes, a password is intentionally disabled so it’s easily accessible to medical staff in an emergency.

Hackers can also get into some inadequately protected hospital systems when staff members click on links in emails, not knowing they contain malicious code. Once transmitted to a hospital’s intranet, that malware could find its way into unprotected device software and cause malfunctions, said Hoyme and Fu.

“If cyber criminals decide they can hack into a device to get health records, they won’t think about whether they’re messing with device performance: They’re going after the money,” Hoyme said.

Security experts warn that some of the same design flaws that make medical devices vulnerable would also make breaches hard to track.

“If your iPhone is compromised, it’s a lot more straightforward for someone to determine if it’s been tampered with. We’re not there yet” with medical devices, said Billy Rios, a former Google software engineer turned security consultant.

He describes how he was able to buy a secondhand EKG machine, used to measure the heart’s electrical activity, for just $25 online. Some infusion pumps and patient monitoring systems go for less than $100. That makes devices more readily available to those who want to figure out vulnerabilities to exploit.

“The effort required is so much lower,” he says. “That’s not a good position to be in.”

What Hospitals Are Doing

Hospitals are loathe to talk about device security publicly, but many are working to ensure their systems are stronger.

In a two-year test of information security, experts working for Essentia, a large Midwestern health system, found that many devices were hackable. For instance, they found settings on drug infusion pumps could be altered remotely to give patients incorrect doses, defibrillators could be manipulated to deliver random shocks and that medical records could be changed.

Stephen Curran, acting director of the Division of Resilience and Infrastructure Coordination with the Department of Health and Human Services, could not say how many facilities have a chief security officer or someone in charge of cybersecurity.  But even small facilities have some relatively simple options for boosting the security of devices on their networks, he said, including “routine backups and patching of the systems and the use of anti-virus firewalls.”

Still, while “we definitely see a trend in hospitals to improve their security,” says Mike Ahmadi, global director of critical systems security at cybersecurity firm Codenomicon, vendors have to do more to engineer security.

“The bigger issue is that vendors are not held accountable for writing insecure code,” says researcher Rios. “There’s no incentive…so they don’t invest.”

Pressure On Vendors

A few hospitals, including the Mayo Clinic, have started to write security requirements into their procurement contracts.

At the University of Texas MD Anderson Cancer Center in Houston, any new software application has to be approved by the hospital’s security team, headed by Lessley Stoltenberg, chief information security officer.

He says device makers also will have to meet a slew of security requirements: Can the device be encrypted?  Is there a unique identification for users? If the vendor is hosting the device, what does their system look like in terms of firewalls and other protections? Will the manufacturer provide up-to-date security patches?

Some companies, like Ahmadi’s Codenomicon, specialize in selling software to detect software bugs that could lead to security holes.

While Codenomicon has a number of device makers as customers, those are a fraction of the more than 6,500 medical device manufacturers in the U.S., some of which may not be doing even the most basic testing. Most vendors are small — 80 percent have fewer than 50 employees — and many are startups without the capital to invest in a security expert.

So, could hackers target infusion pumps or ventilators?

“Is it possible?” Stoltenberg mused. “Yes. Is it likely? No.  No device in the world is absolutely 100 percent secure.”

Pacemakers Get Hacked on TV, but Could It Happen in Real Life?


Jay Radcliffe breaks into medical devices for a living, testing for vulnerabilities as a security researcher.

He’s also a diabetic and gives himself insulin injections instead of relying on an automated insulin pump, which he says could be hacked.

“I’d rather stab myself six times a day with a needle and syringe,” Radcliffe recently told security experts meeting near Washington, D.C. “At this point, those devices are not up to standard.”

Concern about the vulnerability of medical devices like insulin pumps, defibrillators, fetal monitors, and scanners is growing as healthcare facilities increasingly rely on devices that connect with each other, with hospital medical record systems and — directly or not — with the Internet.

Radcliffe made headlines in 2011 by showing a hackers’ convention how he could exploit a vulnerability in his insulin pump that might enable an attacker to manipulate the amount of insulin pumped to produce a potentially fatal reaction. Now he talks about going without a pump to raise awareness about the potential for security lapses and the need for better engineering.

While there have been no confirmed reports of cyber criminals gaining access to a medical device and harming patients, the Department of Homeland Security is investigating potential vulnerabilities in about two dozen devices, according to a Reuters report. Hollywood has already spun worst-case scenarios, including a 2012 episode in the Homeland series portraying a plot to kill the vice president by manipulating his pacemaker.

“The good news is, we haven’t seen actual active threats or deliberate attempts against medical devices yet,” said Kevin Fu, a University of Michigan researcher who has made his career testing the vulnerability of medical systems.

The bad news is that hospital medical devices may be vulnerable to hackers simply because they can be the weak link that gives a criminal access to a hospital’s data system — especially if the devices haven’t been updated with the latest security patches, said Ken Hoyme, a scientist at Adventium Labs, a cybersecurity firm in Minneapolis.

In the real world, he said, a hacker is more likely interested in stealing records he can sell than in harming a patient.

“There are not that many bad … guys whose goal in life is to go and randomly mess with patients in hospitals,” Hoyme said. “They want money, not to shut off the ventilator of a particular patient.”

Hospitals are targets because they collect so much data, from patients’ Social Security numbers and financial information to diagnosis codes and health insurance policy numbers.

Radcliffe estimates that medical identity information is worth 10 times more than credit card information — about $5 to $10 per record on the black market compared with 50 cents per account for credit card information.

Crooks can use it to apply for credit, file fake claims with insurers, or buy drugs and medical equipment that can be resold.

And unlike the victims of credit card theft, those with stolen medical identities might not know for months or even years, giving the thieves more time to use their information.

New FDA Guidelines

Yet there are few cybersecurity standards for medical devices.

In October, the FDA issued guidance outlining what security features developers should bake into their products when seeking approval for a new device.

The guidelines, which aren’t binding, say that when seeking approval for a new device, manufacturers should detail cybersecurity threats they considered and create better ways to detect when it might have been hacked.

They should also build in protections, such as limiting access to authorized users and restricting software updates only to products with authenticated coding.

While a good start, some security experts say the guidelines should be binding. Others fear that giving them the force of regulation could be more harmful because they would become outdated quickly.

Nonetheless, the FDA’s guidance has, in effect, changed the conversation among device makers from, “‘Do I believe this is a real threat?’ to ‘What do I have to do to satisfy the FDA?'” said Hoyme.

By the end of the year, the agency is expected to issue similar recommendations for devices already on the market.

Common Vulnerabilities

One reason many existing devices might be vulnerable is they run on defunct operating systems like Windows XP, which Microsoft stopped supporting in April, meaning there won’t be any new security patches. Other, newer devices may have built-in passwords that are difficult to update. Gaining access to them can be fairly easy which could make them more vulnerable to attack, researchers say. In addition, sometimes, a password is intentionally disabled so it’s easily accessible to medical staff in an emergency.

Hackers can also get into some inadequately protected hospital systems when staff members click on links in emails, not knowing they contain malicious code. Once transmitted to a hospital’s intranet, that malware could find its way into unprotected device software and cause malfunctions, said Hoyme and Fu.

“If cyber criminals decide they can hack into a device to get health records, they won’t think about whether they’re messing with device performance: They’re going after the money,” Hoyme said.

Security experts warn that some of the same design flaws that make medical devices vulnerable would also make breaches hard to track.

“If your iPhone is compromised, it’s a lot more straightforward for someone to determine if it’s been tampered with. We’re not there yet” with medical devices, said Billy Rios, a former Google software engineer turned security consultant.

He describes how he was able to buy a secondhand EKG machine, used to measure the heart’s electrical activity, for just $25 online. Some infusion pumps and patient monitoring systems go for less than $100. That makes devices more readily available to those who want to figure out vulnerabilities to exploit.

“The effort required is so much lower,” he says. “That’s not a good position to be in.”

What Hospitals Are Doing

Hospitals are loathe to talk about device security publicly, but many are working to ensure their systems are stronger.

In a 2-year test of information security, experts working for Essentia, a large Midwestern health system, found that many devices were hackable. For instance, they found settings on drug infusion pumps could be altered remotely to give patients incorrect doses, defibrillators could be manipulated to deliver random shocks, and that medical records could be changed.

Stephen Curran, acting director of the Division of Resilience and Infrastructure Coordination with the Department of Health and Human Services, could not say how many facilities have a chief security officer or someone in charge of cybersecurity. But even small facilities have some relatively simple options for boosting the security of devices on their networks, he said, including “routine backups and patching of the systems and the use of anti-virus firewalls.”

Still, while “we definitely see a trend in hospitals to improve their security,” says Mike Ahmadi, global director of critical systems security at cybersecurity firm Codenomicon, vendors have to do more to engineer security.

“The bigger issue is that vendors are not held accountable for writing insecure code,” says researcher Rios. “There’s no incentive … so they don’t invest.”

Pressure on Vendors

A few hospitals, including the Mayo Clinic, have started to write security requirements into their procurement contracts.

At the University of Texas MD Anderson Cancer Center in Houston, any new software application has to be approved by the hospital’s security team, headed by Lessley Stoltenberg, chief information security officer.

He says device makers also will have to meet a slew of security requirements: Can the device be encrypted? Is there a unique identification for users? If the vendor is hosting the device, what does their system look like in terms of firewalls and other protections? Will the manufacturer provide up-to-date security patches?

Some companies, like Ahmadi’s Codenomicon, specialize in selling software to detect software bugs that could lead to security holes.

While Codenomicon has a number of device makers as customers, those are a fraction of the more than 6,500 medical device manufacturers in the U.S., some of which may not be doing even the most basic testing. Most vendors are small — 80 percent have fewer than 50 employees — and many are startups without the capital to invest in a security expert.

So, could hackers target infusion pumps or ventilators?

“Is it possible?” Stoltenberg mused. “Yes. Is it likely? No. No device in the world is absolutely 100% secure.”

Threshold-Based Insulin-Pump Interruption for Reduction of Hypoglycemia.


BACKGROUND

The threshold-suspend feature of sensor-augmented insulin pumps is designed to minimize the risk of hypoglycemia by interrupting insulin delivery at a preset sensor glucose value. We evaluated sensor-augmented insulin-pump therapy with and without the threshold-suspend feature in patients with nocturnal hypoglycemia.

METHODS

We randomly assigned patients with type 1 diabetes and documented nocturnal hypoglycemia to receive sensor-augmented insulin-pump therapy with or without the threshold-suspend feature for 3 months. The primary safety outcome was the change in the glycated hemoglobin level. The primary efficacy outcome was the area under the curve (AUC) for nocturnal hypoglycemic events. Two-hour threshold-suspend events were analyzed with respect to subsequent sensor glucose values.

RESULTS

A total of 247 patients were randomly assigned to receive sensor-augmented insulin-pump therapy with the threshold-suspend feature (threshold-suspend group, 121 patients) or standard sensor-augmented insulin-pump therapy (control group, 126 patients). The changes in glycated hemoglobin values were similar in the two groups. The mean AUC for nocturnal hypoglycemic events was 37.5% lower in the threshold-suspend group than in the control group (980±1200 mg per deciliter [54.4±66.6 mmol per liter]×minutes vs. 1568±1995 mg per deciliter [87.0±110.7 mmol per liter]×minutes, P<0.001). Nocturnal hypoglycemic events occurred 31.8% less frequently in the threshold-suspend group than in the control group (1.5±1.0 vs. 2.2±1.3 per patient-week, P<0.001). The percentages of nocturnal sensor glucose values of less than 50 mg per deciliter (2.8 mmol per liter), 50 to less than 60 mg per deciliter (3.3 mmol per liter), and 60 to less than 70 mg per deciliter (3.9 mmol per liter) were significantly reduced in the threshold-suspend group (P<0.001 for each range). After 1438 instances at night in which the pump was stopped for 2 hours, the mean sensor glucose value was 92.6±40.7 mg per deciliter (5.1±2.3 mmol per liter). Four patients (all in the control group) had a severe hypoglycemic event; no patients had diabetic ketoacidosis.

CONCLUSIONS

This study showed that over a 3-month period the use of sensor-augmented insulin-pump therapy with the threshold-suspend feature reduced nocturnal hypoglycemia, without increasing glycated hemoglobin values.

Source: NEJM