Johnson & Johnson has issued a security alert on one of its insulin pumps, sending letters to consumers warning them of a vulnerability that hackers could exploit to overdose diabetic patients.
“We have been notified of a cybersecurity issue with the OneTouch Ping, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system,” said J&J in its letter to users of the insulin pump.
“We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”
The company tried to play down the risk by describing it as “low,” but recent events in which security researchers have demonstrated how utterly easy it is to hack into everything from thermostats to autonomous vehicles show that this is a grave danger.
“We also want to assure you that the probability of unauthorized access to the One Touch Ping System is extremely low. It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network. In addition, the system has multiple safeguards to protect its integrity and prevent unauthorized action.”
The Animas OneTouch Ping is sold with a wireless remote control that allows patients to activate the pump remotely to dose insulin, so that they do not need access to the device itself.
The system is vulnerable because the communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device. A hacker can spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections.
Other connected medical devices, including defibrillators and pacemakers, are also susceptible to hacking, but this is the first time a manufacturer has taken the proactive step of warning its customers of a security flaw in its medical product. J&J also provided steps on how to fix the issue, including turning off the pump’s radio frequency feature.