Johnson & Johnson admits insulin pump is vulnerable to cyber-attack
An insulin pump produced by Johnson & Johnson (J&J) has a recently disclosed security vulnerability that could allow an attacker to deliver an insulin overdose to diabetic patients.
Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators.
Johnson & Johnson (J&J) executives said that although they did not believe any attempted hacks had been made so far, the company was nonetheless warning customers and providing advice on how to fix the problem.
“The probability of unauthorized access to the OneTouch Ping system is extremely low,” the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada.
“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”
Insulin pumps are medical devices, worn on the patient's body, that inject insulin through a catheter.
The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach.
Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7 Inc, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections.
The system is vulnerable because those communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device, said Radcliffe, who reported vulnerabilities in the pump to J&J in April and published them on the Rapid7 blog on Tuesday. J&J executives said they worked on the security issues with Radcliffe.
Dosing a patient with too much insulin could cause hypoglycemia, or low blood sugar, which in extreme cases can be life threatening, said Brian Levy, chief medical officer with J&J’s diabetes unit.
Company technicians were able to replicate Radcliffe’s findings, confirming that a hacker could order the pump to dose insulin from a distance of up to 25 feet, Levy said.
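To make the point about unprotected remote-to-pump commands concrete, here is a constructed toy model, added as an example and not code from the article, Rapid7 or J&J: a pump that accepts any well-formed dose frame, beside a variant whose frames carry a monotonic counter and an HMAC under a pairing key. The frame layout, the key, the dose values and the names are all assumptions; the real OneTouch Ping radio protocol is not described on this page.

```python
import hashlib, hmac, struct
# Constructed toy model of a remote-to-pump dose command; it is NOT the
# OneTouch Ping's real radio protocol, which the article does not describe.
# Doses travel as hundredths of a unit in a big-endian 16-bit field. The
# unprotected pump accepts any well-formed frame: nothing ties it to its remote.

class UnprotectedPump:
    def __init__(self):
        self.delivered = 0
    def receive(self, frame: bytes) -> bool:
        if len(frame) != 2:
            return False
        self.delivered += struct.unpack(">H", frame)[0]
        return True

def plain_frame(units_x100: int) -> bytes:
    return struct.pack(">H", units_x100)
# Hardened variant: each frame carries a monotonic counter and an HMAC tag under
# a per-device pairing key (constructed placeholder), so frames not built with
# the key, altered in transit, or repeated from an earlier capture are rejected.
PAIRING_KEY = b"constructed-example-pairing-key"

def auth_frame(key: bytes, counter: int, units_x100: int) -> bytes:
    body = struct.pack(">IH", counter, units_x100)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class AuthenticatedPump:
    def __init__(self, key: bytes):
        self.key, self.last_counter, self.delivered = key, 0, 0
    def receive(self, frame: bytes) -> bool:
        if len(frame) != 14:
            return False
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or altered content
        counter, units_x100 = struct.unpack(">IH", body)
        if counter <= self.last_counter:
            return False  # replay of an already-used counter
        self.last_counter, self.delivered = counter, self.delivered + units_x100
        return True

def demo() -> dict:
    # The paired remote's 1.50-unit command, then the same bytes sent again.
    plain, auth = UnprotectedPump(), AuthenticatedPump(PAIRING_KEY)
    plain.receive(plain_frame(150)); plain.receive(plain_frame(150))
    legit = auth_frame(PAIRING_KEY, 1, 150)
    return {"plain_delivered": plain.delivered,
            "legit": auth.receive(legit), "replay": auth.receive(legit),
            "wrong_key": auth.receive(auth_frame(b"other-key", 2, 150)),
            "auth_delivered": auth.delivered}
```

The unprotected model doses twice (3.00 units) because it cannot distinguish its remote from any other sender, while the authenticated model accepts only the first keyed frame and refuses the replay and the frame built with a different key.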
America’s Food and Drug Administration (FDA) is preparing to issue formal guidance on how medical device makers should handle reports about cyber vulnerabilities.
An early draft of that guidance, which was released in January for public comments, called for device makers to work with security researchers, identify steps to mitigate risks, and provide patients with information about bugs so they can “make informed decisions” about device use.
The FDA declined to comment on J&J’s handling of the vulnerability in the insulin pump.
J&J said it had reviewed the matter with the FDA before sending letters out to patients.
Last year it was alleged that artificial pancreases controlled by software that runs on mobile devices could face targeted security threats.