Johnson & Johnson has warned that one of its insulin pumps has a cybersecurity vulnerability that a hacker could exploit to overdose diabetic patients with insulin.
This is the first time a manufacturer has warned patients about a security vulnerability, according to medical experts. The announcement follows last month’s controversy over bugs in defibrillators and pacemakers.
So far, there have been no known hacking attempts against the J&J Animas OneTouch Ping insulin pump, according to J&J executives. However, the company felt it was “safer” to warn its customers and offer guidance.
“The probability of unauthorized access to the OneTouch Ping system is extremely low. It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network,” J&J said in hundreds of thousands of letters sent on Monday to doctors and patients in the United States and Canada.
The insulin pump was released six years ago and is sold with a wireless remote control that makes delivering a dose of insulin easier, since the device is worn under clothing and can be uncomfortable or awkward to reach, especially in public.
Jay Radcliffe, a researcher with cyber security firm Rapid7 Inc. who himself has diabetes, discovered the pump’s weak spot. According to him, an attacker could “spoof” the communication between the pump and the remote control, forcing the pump to deliver insulin doses without the user noticing.
For Radcliffe, the main problem is that the communications are neither scrambled nor encrypted, which makes them relatively easy for an experienced hacker to interfere with. The researcher reported the security issue to J&J back in April and on Tuesday published the details on his blog.
Overdosing on insulin
If a patient receives more than the prescribed dose of insulin, blood sugar can drop dangerously low, a condition known as hypoglycemia that can be life-threatening, according to Brian Levy, chief medical officer of J&J’s diabetes unit.
Company technicians reproduced Radcliffe’s findings and confirmed that a hacker could interfere with the communications and order the pump to deliver insulin from a distance of up to 25 feet (about 7.5 meters).
Advice from Johnson & Johnson
The company maintains that a hacking incident would be very improbable, since it would require a hacker with sophisticated equipment and specialized technical expertise. J&J still believes its pumps are “safe and reliable” and urged users not to change products.
J&J also gave doctors and patients recommendations: they can program the pump to limit the maximum insulin dose per day, and they can stop using the wireless remote and operate the device directly instead.
Radcliffe backed the company’s advice and said those steps would be enough to give pump users “peace of mind”.
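The two mitigations J&J recommends above (a programmed daily dose cap and no longer using the wireless remote), alongside the message authentication the unencrypted link lacks, in a constructed Python model of a pump's command handler. This is an added example, not code from the article or from the Animas firmware; the PumpModel class, the shared key, the message counter and the "bolus:" command format are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class PumpModel:
    """Constructed model of a pump's remote-command handler (not Animas firmware)."""
    daily_max_units: float           # cap programmed on the pump, per J&J's advice
    remote_enabled: bool = True      # False models "stop using the wireless remote"
    key: bytes = b""                 # hypothetical shared secret; empty = no authentication
    delivered_today: float = 0.0
    last_counter: int = -1           # highest accepted message counter (replay protection)

    def _authentic(self, units: float, counter: int, tag: bytes) -> bool:
        # A fresh counter plus a valid HMAC over (counter, command) rejects forged and replayed messages.
        expected = sign_bolus(self.key, units, counter)
        return counter > self.last_counter and hmac.compare_digest(expected, tag)

    def remote_bolus(self, units: float, counter: int = 0, tag: bytes = b"") -> str:
        """Process a bolus command received over the air; returns the outcome label."""
        if not self.remote_enabled:
            return "ignored"            # remote disabled: patient operates the pump directly
        if self.key and not self._authentic(units, counter, tag):
            return "rejected"           # hardened design: unauthenticated command dropped
        if self.delivered_today + units > self.daily_max_units:
            return "capped"             # the programmed daily limit is the last line of defence
        self.last_counter = max(self.last_counter, counter)
        self.delivered_today += units
        return "delivered"

def sign_bolus(key: bytes, units: float, counter: int) -> bytes:
    """Tag a paired remote would attach to each command in the hardened design."""
    msg = counter.to_bytes(4, "big") + f"bolus:{units}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def demo() -> dict:
    """Send the same over-the-air commands to the unauthenticated and hardened models."""
    plain = PumpModel(daily_max_units=40.0)                      # as described: nothing is authenticated
    results = {"plain_any_sender": plain.remote_bolus(5.0),     # any radio message is obeyed
               "plain_large_dose": plain.remote_bolus(50.0)}    # only the programmed cap stops it
    key = b"constructed-demo-key"
    hard = PumpModel(daily_max_units=40.0, key=key)
    results["hard_signed"] = hard.remote_bolus(5.0, 1, sign_bolus(key, 5.0, 1))
    results["hard_replayed"] = hard.remote_bolus(5.0, 1, sign_bolus(key, 5.0, 1))
    results["hard_forged"] = hard.remote_bolus(5.0, 2, b"\x00" * 32)
    results["remote_off"] = PumpModel(daily_max_units=40.0, remote_enabled=False).remote_bolus(5.0)
    return results
```

The unauthenticated model shows why only the dose cap and disabling the remote help once the link itself cannot be trusted.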