Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Science

How an Obsolete Medical Device With a Security Flaw Became a Must-Have For Some Patients With Type 1 Diabetes (theatlantic.com) 124

From a report on The Atlantic: In 2014, a few hackers realized that the security flaw in certain Medtronic pumps could be exploited for a DIY revolution. Type 1 diabetes is a disease where the pancreas is unable to produce insulin to control blood sugar. For years, Boss (the anecdote in the story who purchased used insulin pumps from some dealer on Craiglist) had counted, down to the gram, the carbohydrates in every meal and told his pump how much insulin to dispense. [...] By 2014, the hardware components of a DIY artificial pancreas -- a small insulin pump that attaches via thin disposable tubing to the body and a continuous sensor for glucose, or sugar, that slips just under the skin -- were available, but it was impossible to connect the two. That's where the security flaw came in. The hackers realized they could use it to override old Medtronic pumps with their own algorithm that automatically calculates insulin doses based on real-time glucose data. It closed the feedback loop.

They shared this code online as OpenAPS, and "looping," as it's called, began to catch on. Instead of micromanaging their blood sugar, people with diabetes could offload that work to an algorithm. In addition to OpenAPS, another system called Loop is now available. Dozens, then hundreds, and now thousands of people are experimenting with DIY artificial-pancreas systems -- none of which the Food and Drug Administration has officially approved. And they've had to track down discontinued Medtronic pumps. It can sometimes take months to find one. Obviously, you can't just call up Medtronic to order a discontinued pump with a security flaw. "It's eBay, Craigslist, Facebook. It's like this underground market for these pumps," says Aaron Kowalski, a DIY looper and also CEO of JDRF, a nonprofit that funds type 1 diabetes research. This is not exactly how a market for lifesaving medical devices is supposed to work. And yet, this is the only way it can work -- for now.

This discussion has been archived. No new comments can be posted.

How an Obsolete Medical Device With a Security Flaw Became a Must-Have For Some Patients With Type 1 Diabetes

Comments Filter:
  • And yet, this is the only way it can work in the U.S. -- for now

    There you go.

    • by Anonymous Coward on Monday April 29, 2019 @05:03PM (#58512688)

      Nope, that's not correct either. Medtronic has had a pump (670G) out for 3 years now that is combined with a continuous blood sugar monitor will automatically adjust your basal rate. Having had this pump since it came out I can tell you that my A1C dropped from 9 to 6.8 in less than 6 months. This device was available overseas before the US but only for about 6 months.

      Don't get me wrong. This is good news for people that have older devices for whatever reason and want to try to take advantage of some of the ways these guys have been able to get them to behave. The Auto mode alone is life changing and does provide for better overall control of blood sugars instead of always trying to guess.

  • by unfortunateson ( 527551 ) on Monday April 29, 2019 @04:40PM (#58512586) Journal

    While medical devices are much less tightly scrutinized than drugs (it's a lot easier -- but slow), the companies that create them need to test them, record them, and insure against customers adverse experiences (both reducing the risks and insuring against damages).

    It's not cheap, and it's not quick, and with insulin pumps being a commodity, there's not a lot of incentive to innovate.
    I'd be very cautious about using a completely automated, closed-loop system that hasn't been through extensive testing and validation. What if there's a problem with the sensor and it keeps feeding you more and more insulin, thinking your glucose level is too high, or cuts you off thinking the glucose is already low when it isn't? You need to monitor, set limits, etc., which patients may not be patient enough to do. An app that interacts with the system, records trends and has alerts would be a good step (then your phone becomes a regulated medical device too).

    This is why we should be spending more tax dollars on research (and fewer on the military) - an NIH-based study, that requires reasonable prices for these upgrades to the pump and glucose monitor, yet is backed by the support of the manufacturer, _should_ show benefits to public health: fewer diabetic comas, fewer patients with long-term damage, etc. More FDA Center for Devices and Radiological Health reviewers would help too.

    Note: I am not a physician nor a manufacturer of drugs or medical devices, but I work with the companies that do to get them approved.

    • by omnichad ( 1198475 ) on Monday April 29, 2019 @04:58PM (#58512664) Homepage

      In fact, there should be multiple glucose sensors and the loop should only continue while the sensors agree. Otherwise, it should alarm and switch over to manual control.

      • Yes, you wouldn't want your pancreas to be found floating in the ocean off Indonesia or in an Ethiopian field.

      • A Boeing jet analogy?

        • I assumed that medical devices would be designed the same way if they are acting autonomously. Not an analogy to Boeing. Just a best practice that should cover either industry.

    • by Major Blud ( 789630 ) on Tuesday April 30, 2019 @08:37AM (#58515898) Homepage
      I'm a Type 1 that uses a Medtronic pump. I tried using the Medtronic continuous glucose monitor (CGM) a few years ago (this is a necessary component of the closed-loop system). I wouldn't call myself a beta tester, but I found the following issues with it: 1) The monitor was widely inaccurate, sometimes off by over 100 points. I still had to check my blood glucose using a traditional monitor at least 4 times a day to calibrate the CGM. I realize that the purpose of the CGM is to provide your doctor with trend data, but this wouldn't help you at all with a closed loop system. I ended up just using it for the week before I went to the doctor so that he could have some reasonable data to work with. 2) The transmitters had to be changed every few days, and being that they were so new, they weren't covered by many insurances. They were pretty pricey at the time. 3) They were also uncomfortable and I had yet another piece of equipment sticking in my body. All that said, I've heard that the technology has improved drastically since then, and prices have dropped considerably. I upgraded to a newer version of their pump early last year, which works in conjunction with the CGM to automatically adjust your basal rate (this is the amount of insulin delivered throughout the day). This isn't a true-closed loop system, because it doesn't automatically adjust your bolus (this is what's delivered to handle your carbohydrate intake during meals). The bolus is hard to account for automatically, because the CGM wouldn't detect it until all of those carbohydrates have already entered your bloodstream, and you'd risk having hyperglycemia for a few hours until the insulin took affect.
  • by hdyoung ( 5182939 ) on Monday April 29, 2019 @04:42PM (#58512606)
    This will be fixed eventually. The benefits of this are obvious. Someone will fast track it through the FDA. It has the power to move things like this along.

    On the other hand, fast tracking means that it'll take a few years instead of a decade+. To the people who are doing this now and demonstrating the usefullness, I salute you. On the other hand, there's a reason for the FDA. If a sensor goes bad, you're dead. FDA approved devices have failsafes and redundancies that account for stuff like this... and jack up the price.
    • by Anonymous Coward

      The same company already makes and sells an insulin pump with a continuous glucose sensor. I'm sure it's a bit more expensive than a DIY hack, but probably safer.

  • by Applehu Akbar ( 2968043 ) on Monday April 29, 2019 @05:33PM (#58512802)

    After a number of states passed "right to try" laws allowing terminal patients to experiment on themselves with compounds that have passed only Stage 1 testing (for non-toxicity) for compounds in the FDA pipeline, right-to-try was passed at the federal level last year. Although in practice there are not many compounds in test that are available for experimentation in this way, it's a concept that could easily be extended to self-experimentation using hacked medical devices.

    Let's include a stipulation that users log results that would be made available as ancillary data for medical trials. There's no such thing as too much experimental data.

    • "There's no such thing as too much experimental data."

      Poorly collected and annotated data can be worse than none. And it's hard to tell the difference between the two, once said shit data is integrated into the whole.
      • I love seeing Medical Attitude on display. Assuming that everybody other than yourself is stupid is not how you make new technical breakthroughs. It's ancillary data, not formal experimental data, to be taken with the appropriate amount of sodium chloride.

  • Need to take the profit out of healthcare!

    • Yeah, then we can stop people from experimenting with unapproved stuff like this at all! We can rely purely on the elite and super-smart government bureaucrats who are paragon's of moral good intentions and only have our best at heart to decide everything for us instead! They may take decades to allow people to heal themselves or deal with their symptoms, but if anything goes wrong they'll at least have a really long paper trail to determine who to blame and it won't be them!

      In fact, you should take the pro

    • Indeed. If there were no profit then there would be no pumps at all and thus no bugs, and no hackers. Problem solved! \(o_o)/

  • I am using the new pump with sensor and it provides only very limited feedback. It has a hard limit of 25 units bolus (old pump could do 40) which is very limited for me. When I finish my contract with Medtronic for sensors I'm going to experiment with this.

    • When have you ever needed to do a 40 unit bolus?!?!?! Christ your glucose level must have been over 700 :-)
  • by Guidii ( 686867 ) on Tuesday April 30, 2019 @06:28AM (#58515388) Homepage
    I really wish that Jay Radcliffe [slashgear.com] hadn't publicized the well-known security issues with my pump. I'm fairly convinced that that led to the lock-down on insulin pumps.

    I've been looping for several years now, and the results are amazing. It's way more effective than any other therapy I've used (way better control, better A1C), but more importantly I now have a hardware solution that offloads about 100 decisions per day from my life. That part is truly life changing.

    Unfortunately, my current device is held together with duct tape, and it's unlikely that any new hackable devices will be brought to market. I expect it will be 10+ years before the commercially supported devices provide the same control I've enjoyed from a home-built solution, since the manufacturers are understandably conservative/risk-averse.

    • Thanks for your first hand perspective. Are the devices mechanically or electrically complex? I.e. is it feasible to build one from scratch?

      • by Guidii ( 686867 )
        There's not much to it, in terms of mechanical (high precision+reliable motor) or electronics (replaceable battery + four buttons + microchip). I think the biggest thing is testing and approval process.

        They charge a lot for the devices, but a lot of that cost goes into patient training before they hand over a high-risk medical device.

    • Well, I have some good news for you!

      https://loopkit.github.io/loop... [github.io]

  • If you read this and don't think the healthcare situation in the US is fucked up, then you're in a coma. Maybe a diabetic coma.

"Pok pok pok, P'kok!" -- Superchicken

Working...