Johnson & Johnson is warning users of its OneTouch Ping insulin pump that hackers could exploit a cybersecurity flaw to infuse additional doses of the diabetes drug without their knowledge, which could be life-threatening.
A hacker in close proximity to the OneTouch Ping insulin pump system could use sophisticated equipment to find the unencrypted radio signal used by the device and program the pump to supply insulin, J&J officials said.
Radcliffe found that communications between the pump and its radio frequency remote could be hijacked, in theory allowing a hacker to administer unauthorised injections. In a letter to patients, which it also posted online, Johnson & Johnson's Animas Corp. subsidiary said the likelihood of someone gaining control of the pump "is extremely low".
So far the Johnson & Johnson Animas OneTouch Ping is the only model identified as having a security flaw.
At that time, the New Brunswick, N.J., company confirmed the weakness, notified authorities and sent the letter to patients and doctors on September 27.
Radcliffe, who is a diabetic, explained to Reuters that the lack of encryption on these communications is the cause of this vulnerability.
Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible vulnerabilities in pacemakers and defibrillators.
J&J executives told Reuters that they worked on the security problems with Jay Radcliffe, a diabetic and well-known medical-device hacking researcher with cyber security firm Rapid7 Inc who reported vulnerabilities in the pump to the company in April. The US Food and Drug Administration, which has called security threats to medical devices "a growing concern", is developing cybersecurity guidelines for medical device manufacturers.
Rapid7 said the vulnerability "can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction", a bout of low blood sugar that can cause confusion, fatigue, blurred vision, and even unconsciousness or death in severe cases.
It said anxious patients could take precautions, such as not using the pump's remote and programming the device to limit its maximum dose. In addition, the FDA has issued several alerts concerning the safety of infusion pumps developed by Hospira (the company has since been acquired by Pfizer).
The OneTouch Ping does not communicate on 802.11 WiFi, or otherwise communicate on the internet. This research highlights why it is so important to wait for vendors, regulators and researchers to fully work on these highly complex devices. "We all want the best technology right away, but done in a reckless, haphazard way puts the whole process back for everyone".
The FDA declined comment on J&J's handling of the vulnerability in the insulin pump, a medical device that patients attach to their bodies that injects insulin through catheters.