J&J Insulin Pump Vulnerable to Hacking

Company takes steps to fix the problem

Johnson & Johnson has informed approximately 14,000 patients in the U.S. and Canada that hackers could exploit a security vulnerability in the Animas OneTouch Ping insulin pump, potentially resulting in insulin overdoses. A copy of the company’s letter was obtained by the Reuters news service.

J&J executives told Reuters that they knew of no cases of attempted hacking attacks on the device. Nevertheless, the company is warning patients and is providing advice on how to fix the problem.

The Animas OneTouch Ping device, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they don’t need to access the device itself, which is typically worn under clothing and can be difficult to reach.

Jay Radcliffe, a researcher with a cyber-security firm, said he had identified ways for a hacker to “spoof” communications between the remote control and the OneTouch Ping insulin pump, potentially forcing the pump to deliver unauthorized insulin injections. The system is vulnerable because those communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device, Radcliffe said. He reported the vulnerabilities to J&J in April, and company executives worked with him to address the problem. Radcliffe found no vulnerabilities in the Animas Vibe line of insulin pumps.

J&J’s letter said that if patients were concerned about the OneTouch Ping insulin pump, they could take several steps to thwart potential attacks. These steps include discontinuing the use of a wireless remote control and programming the pump to limit the maximum insulin dose.

The FDA has said that it knows of no cases where hackers have exploited cyber vulnerabilities to harm a patient.

Source: Reuters; October 4, 2016.