According to a recent Reuters report, Johnson & Johnson has warned the public that its J&J Animas OneTouch Ping insulin pump could potentially be exposed to hackers. While the company has reassured consumers that the probability of a hack is low, it has nonetheless cautioned that a risk remains due to a cybersecurity issue first discovered by the computer security firm Rapid7.
The OneTouch Ping insulin pump lets diabetic patients self-administer insulin using a two-part wireless system that communicates over radio frequencies.
The newly found issue lies in the communication between the provided meter remote and the insulin pump. Data sent wirelessly between the devices is transmitted in cleartext rather than encrypted, giving hackers the potential to remotely access the meter remote and prompt unauthorized injections of insulin, which could lead to life-threatening symptoms of hypoglycemia if the user is overdosed.
Animas, a major medical manufacturer and maker of the insulin pump, owned by Johnson & Johnson, issued a letter addressing the security issue, reassuring the public that although there is cause for concern, the probability of a hack is very low.
The statement read, “It would require technical expertise, sophisticated equipment, and proximity to the pump, as OneTouch Ping system is not connected to the internet or any external network.”
Animas included in its statement that several safety features are already installed on the device to assure users that they are getting only what they need, when they need it.
If users are concerned for any reason about the security of their pump or remote, they can simply turn off the radio frequency feature on the pump, stopping communication between the two devices. They will then have to manually enter their blood glucose readings on the pump itself.
A second alternative is to activate the device’s vibrating feature. When a dose is about to be administered, the user will feel a vibration, allowing them to cancel the injection before it is given.
Animas also stated that dosage amounts and daily dosage limits can be customized on the device to further protect the user. Any attempt to exceed these settings will trigger an alarm on the device, preventing any additional injections.
Although reports of hacked individual medical devices like insulin pumps and pacemakers may seem like a new epidemic, the use of ransomware in the medical industry is not.
Scott Erven, head of information security at Essentia Health, conducted a two-year study which found that drug infusion pumps, among many other medical devices found in hospitals, can be hacked with ease. Although these devices are likely not connected directly to the internet, they are typically connected to internal systems set up throughout the hospital.
In March of this past year, California’s Hollywood Presbyterian Hospital was hacked by criminals who successfully accessed the hospital’s database, encrypted its data, and got away with a paid ransom of $17,000.
These systems can be initially accessed by hackers through hospital employee email systems, or by a hacker who is simply inside the hospital with their own laptop plugged into the hospital network.
As a diagnosed Type 1 diabetic and a user of the OneTouch Ping for over two years, Rapid7 researcher Jay Radcliffe offered some additional insight to current users with growing concerns.
He stated in his findings that research on this device and many other medical products like it is conducted to ensure their continued safety. He warns that as medical technology continues to become more advanced, the inevitable connection of these devices to the internet will only increase levels of risk. As medical devices such as the OneTouch Ping insulin pump continue to improve and evolve, the security measures that support and protect them will need to stay one step ahead to prevent unwanted future hacking.