- The Washington Times - Tuesday, October 4, 2016

Insulin pumps used by upwards of 114,000 diabetic patients across the United States and Canada contain security flaws that make them prone to hacking, Johnson & Johnson warned this week.

Doctors and patients who use the Animas OneTouch Ping insulin pump were sent letters Monday informing them about the potential for the medical devices to be hacked — the first time a manufacturer has issued such a warning, according to a Reuters exclusive published Tuesday where the notice was made public.

The flaws stem from the use of unencrypted radio transmissions to broadcast communications between the insulin pump and a wireless remote control sold alongside it, saidJay Radcliffe, a security researcher and Type 1 diabetic who reported the problems to Johnson & Johnson earlier this year.

By interfering with those communications, a hacker with the proper equipment and expertise could remotely send malicious commands to a patient’s implanted pump, said Mr. Radcliffe, a researcher with Rapid7, a Boston-based security firm.

In a worst-case scenario, a hacker acting as a pump’s remote control could force a patient to be injected with potentially lethal amounts of insulin from as far as two kilometers away, he explained.

Because of the sophistication required to wage such an attack, however, both the security researcher and the device’s manufacturer believe the issues pose little risk to patients.

“The probability of unauthorized access to the OneTouch Ping system is extremely low,” Johnson & Johnson said in this week’s letter to customers. “It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”

The risk of wide-scale exploitation is relatively low, “and we don’t believe this is cause for panic,” wrote Mr. Radcliffe, who said he previously relied on the insulin pump in question for several years and still recommends it to others.

“Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash,” he stated.

Nonetheless, Mr. Radcliffe said the issues discovered affecting the OneTouch pump are important to consider given the ever-increasing connectivity of everyday devices.

“As these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically,” he wrote. “This research highlights why it is so important to wait for vendors, regulators and researchers to fully work on these highly complex devices. This is not something to be rushed into as there is a patient’s life on the line. We all want the best technology right away, but done in a reckless, haphazard way puts the whole process back for everyone.”

Johnson & Johnson has notified customers of steps to take in order to disable their pump’s ability to communicate wirelessly with radio transmitters. Federal officials at the U.S. Computer Emergency Response Team, Department of Homeland Security and Food and Drug Administration were all made aware of the researcher’s findings in advance, he wrote.

The DHS said in 2014 it was aware of about 24 cases involving medical devices and pieces hospital equipment that were vulnerable to cyberattack. The FDA is expected to soon announce guidelines with respect to how medical manufacturers must go about disclosing details about security vulnerabilities affecting their devices, but declined to comment on Johnson & Johnson’s handling of the OneStep flaws, Reuters reported Tuesday.

Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times welcomes your comments on Spot.im, our third-party provider. Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide