Johnson & Johnson has sent a warning to doctors and patients after learning of a security vulnerability in one of its insulin pumps that hackers could exploit to overdose diabetic patients with insulin.
The company said, however, that it has not learned of any attempted attack on the Animas OneTouch Ping insulin pump. Johnson & Johnson also said that it is working with security experts and regulatory experts to ensure patient safety and security.
"We also want to assure you that the probability of unauthorized access to the One Touch Ping System is extremely low," the company said in a statement addressed to users of the device.
The company added that sophisticated equipment, technical expertise and proximity to the device would be needed for such an attack since the OneTouch Ping system is not connected to any external network such as the internet.
"In addition, the system has multiple safeguards to protect its integrity and prevent unauthorized action."
Diabetic patients can use the wireless remote control that communicates with the Animas OneTouch Ping to order the pump to give them a dose of insulin without having to access the device itself. The medical device is typically worn under the clothing and can be awkward to reach.
However, Jay Radcliffe, a researcher at security firm Rapid7 Inc. and a diabetic himself, found that it is possible for a hacker to spoof the communication between the insulin pump and the remote control, which could potentially cause the pump to deliver an unauthorized injection.
Radcliffe said that the system is vulnerable because its communications are not encrypted to prevent hackers from gaining unauthorized access to the device.
"The OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol," Rapid7 reported in a blog post dated Sept. 28.
About 114,000 patients in Canada and the U.S. use the OneTouch Ping insulin delivery system. Users of the device were advised to turn off the radio frequency feature or to set the pump to vibrate when an insulin dose is being delivered, so that they would notice and be able to cancel an unauthorized order.
Marene Allison, Johnson & Johnson's chief information security officer, said that future insulin delivery pumps will come with security measures. Johnson & Johnson has also been working with the U.S. Food and Drug Administration (FDA) on medical device cybersecurity guidelines.