
Insulin pump vulnerable to hacking, J&J warns people with diabetes

Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit.

'Probability of unauthorized access to the OneTouch Ping system is extremely low'

J&J executives told Reuters they knew of no examples of attempted hacking attacks on the device, the J&J Animas OneTouch Ping insulin pump. The company is nonetheless warning customers and providing advice on how to fix the problem. (Arnd Wiegmann/Reuters)
Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low.

Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators.

J&J executives told Reuters they knew of no examples of attempted hacking attacks on the device, the J&J Animas OneTouch Ping insulin pump. The company is nonetheless warning customers and providing advice on how to fix the problem.

"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada.

"It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."

A copy of the text of the letter was made available to Reuters.

Insulin pumps are medical devices that patients attach to their bodies and that inject insulin through catheters.

The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach.

Communications not encrypted

Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7 Inc, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections.

The system is vulnerable because those communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device, said Radcliffe, who reported vulnerabilities in the pump to J&J in April.

J&J executives said they worked on the security issues with Radcliffe.

Dosing a patient with too much insulin could cause hypoglycemia, or low blood sugar, which in extreme cases can be life threatening, said Brian Levy, chief medical officer with J&J's diabetes unit.

Patients urged to stay on the product

Company technicians were able to replicate Radcliffe's findings, confirming that a hacker could order the pump to dose insulin from a distance of up to 25 feet, Levy said. He said such attacks are difficult to pull off because they require specialized technical expertise and sophisticated equipment.

"We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product," Levy said.

J&J's letter said that if patients were concerned, they could take several steps to thwart potential attacks. They include discontinuing use of a wireless remote control and programming the pump to limit the maximum insulin dose.
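The two weaknesses the article describes, a remote-to-pump link whose commands are neither encrypted nor authenticated, and the absence of an enforced dose ceiling, are easiest to understand next to a receiver that closes them. The following is an added illustration, not J&J's, Animas's or Radcliffe's code, and the command layout (a 4-byte counter, a 2-byte dose in hundredths of a unit, and an HMAC-SHA256 tag) is a constructed format for this example only, not the OneTouch Ping wire protocol. It shows why a receiver that checks nothing accepts any frame it hears, and how a shared-key tag, a monotonic counter and a configured maximum dose each reject a different class of bad command.

```python
import hashlib
import hmac
import struct

# Constructed command format for this example (not the OneTouch Ping protocol):
#   counter (4 bytes, big-endian) || dose in hundredths of a unit (2 bytes) || HMAC-SHA256 tag
HEADER = struct.Struct(">IH")
TAG_LEN = hashlib.sha256().digest_size


def make_command(key: bytes, counter: int, dose_centi_units: int) -> bytes:
    """Remote side: build an authenticated bolus command under a pre-shared key."""
    body = HEADER.pack(counter, dose_centi_units)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class PumpReceiver:
    """Pump side: deliver a bolus only if the tag verifies, the counter is fresh,
    and the requested dose is within the configured maximum."""

    def __init__(self, key: bytes, max_dose_centi_units: int):
        self.key = key
        self.max_dose = max_dose_centi_units
        self.last_counter = -1
        self.delivered = []   # doses actually delivered, in hundredths of a unit
        self.rejected = []    # (reason, raw frame) kept for an audit log

    def receive(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return self._reject("malformed", frame)
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        # Authenticity first: a frame with no valid tag is dropped before any
        # field is trusted. compare_digest avoids a timing side channel.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad_tag", frame)
        counter, dose = HEADER.unpack(body)
        # Freshness: a recorded, genuine frame cannot be played back later.
        if counter <= self.last_counter:
            return self._reject("replay", frame)
        # Safety ceiling: the patient-configured maximum dose holds even for
        # an authentic, fresh command.
        if dose > self.max_dose:
            return self._reject("over_max_dose", frame)
        self.last_counter = counter
        self.delivered.append(dose)
        return "delivered"

    def _reject(self, reason: str, frame: bytes) -> str:
        self.rejected.append((reason, frame))
        return reason


def demo():
    """Run one legitimate command and three kinds of bad frame through the receiver."""
    key = b"constructed-demo-key-not-a-real-device-key"
    pump = PumpReceiver(key, max_dose_centi_units=500)  # cap of 5.00 units
    outcomes = []
    legit = make_command(key, counter=1, dose_centi_units=150)   # 1.50 units
    outcomes.append(pump.receive(legit))                         # delivered
    outcomes.append(pump.receive(legit))                         # same frame again: replay
    # A plaintext frame with no valid tag, the only kind an unauthenticated
    # link can distinguish from a genuine remote's command.
    unsigned = HEADER.pack(2, 150) + bytes(TAG_LEN)
    outcomes.append(pump.receive(unsigned))                      # bad_tag
    too_big = make_command(key, counter=3, dose_centi_units=2500)  # 25.00 units
    outcomes.append(pump.receive(too_big))                       # over_max_dose
    return outcomes, pump.delivered


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the design point: the tag is verified before any field is parsed, the counter is compared before the dose is considered, and the dose cap is applied last so that it bounds even commands that pass the first two tests. The `rejected` list corresponds to the kind of event a device should log so that repeated bad frames are visible to the patient or clinician.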

In August, a prominent short seller and a cyber security research firm went public with allegations of potentially life-threatening cyber vulnerabilities in heart devices from St. Jude Medical Inc.

As its shares tumbled, St. Jude said the allegations were false, and the U.S. Food and Drug Administration began an investigation.

FDA guidance on medical devices to come

The FDA is preparing to issue formal guidance on how medical device makers should handle reports about cyber vulnerabilities.

An early draft of that guidance, which was released in January for public comments, called for device makers to work with security researchers, identify steps to mitigate risks, and provide patients with information about bugs so they can "make informed decisions" about device use.

The FDA declined to comment on J&J's handling of the vulnerability in the insulin pump.

J&J said it had reviewed the matter with the FDA before sending the letters.

Radcliffe said he believed that OneTouch Ping users would be safe if they followed the steps outlined in the letters from J&J.

"They can give peace of mind to the patient or parent of a child using the device," he said.

J&J Chief Information Security Officer Marene Allison said her team would make sure other J&J products do not have similar bugs.

Radcliffe said he found vulnerabilities in the Animas OneTouch Ping, but not the Animas Vibe line of insulin pumps.

Suzanne Schwartz, an FDA official responsible for reviewing bugs in medical devices, said in a statement that she encourages collaboration between researchers and device manufacturers to identify, remediate and alert the public to vulnerabilities.

"It enables all stakeholders to better address device safety with the interest of patient health in mind," she said.

The FDA has said it knows of no cases where hackers have exploited cyber vulnerabilities to harm a patient.

The agency last year issued multiple warnings about cyber bugs in infusion pumps from Hospira, which has since been acquired by Pfizer Inc.