It is pretty unusual to be reading Bloomberg Businessweek and see an article with the main picture featuring a purple PCB (the picture above, in fact). But that’s just what we saw this morning. The story is about an open source modification to an insulin pump known as the RileyLink. This takes advantage of older Medtronic brand insulin pumps and allows you to control the BLE device from a smartphone remotely and use more sophisticated software to control blood sugar levels.
Of course, the FDA isn’t involved. If they were, the electronics would cost $7,000 instead of $250 — although, in fairness, that $250 doesn’t cover the cost of the used pump. Why it has to be a used pump is a rather interesting story. The only reason the RileyLink is possible is due to a security flaw and an active hacker community.
Features Built on a Security Hole
In 2011 Medtronic, a major manufacturer of insulin pumps, was told by security researchers that their wireless link was insecure. Future devices closed that security hole, but the existing devices were never upgraded. This left thousands of pumps in circulation.
Although the researchers were worried about the malicious use of the security hole, [Ben West], a programmer with diabetes, started a five-year reverse engineering effort to understand the communication protocol. A group of hackers also figured out how to relay glucose monitoring data to remote smartphones. By 2014 [West] met a couple who had a workable insulin dosing algorithm and the automatic pancreas was born.
It is a great story and a great example of what hackers can do to change lives for the better when they work together. To their credit, though, Medtronic seems to be willing to work with the hackers and exchange ideas. You have to wonder, though.
How Can Open Source Medical Device Add-Ons Become Widespread?
It sounds like RileyLink has been a great success and we’re glad. It’s built on a device which previously won FDA approval, but depends on what is essentially a design flaw. You can imagine the FDA would not be pleased (although not all of the users are in the US). If something did go wrong, what would happen then? If something bad happened on this or a similar project, there would be a feeding frenzy in the courtrooms as well as the court of public opinion. And how do you differentiate a sensible project like this from someone scamming people with a miracle cure add-on?
You can argue that the pump is an existing approved device. However, the FDA would — if this were a commercial product — regulate the software and data collection just as closely. In fact, there’s at least one start-up company aiming to put a lot of the software side of medical devices in the cloud to help cut the cost of FDA approval. Getting well-designed open source devices into the hands of those who need them (not just those who have the know-how to build and install them) is the next step, and the regulation path and safety protocols are the biggest obstacles.
The need for insulin monitoring and dosing has attracted quite a bit of homebrew interest and we’ve seen artificial pancreas projects pop up before. OpenAPS, for example, uses approved medical devices just like RileyLink. If you want more details about life with an artificial pancreas, [Dan Maloney] has first-hand experience managing his daughter’s. Where there’s a need and interest from patients, parents, hardware engineers, and industry, there must be a way to bring everyone together to the benefit of all.