
J&J to diabetics: Insulin pump open to hacking

by Thomas Dworetzky, Contributing Reporter | October 05, 2016
OneTouch Ping courtesy of animas.com
A white-hat security expert and diabetic uncovered a flaw allowing others to manipulate insulin levels remotely in the Johnson & Johnson Animas OneTouch Ping insulin pump.

This is just the latest threat emerging from the new world of interconnected and remotely controlled devices as they play a larger role in health care.

The health care giant publicly issued a warning about the exploitable security flaw in its pump's RF wireless communications, which medical experts say is a first for a manufacturer, according to a Reuters exclusive this week.

“The OneTouch Ping insulin pump system uses cleartext communications, rather than encrypted communications, in its proprietary wireless management protocol,” the security firm Rapid7 announced on its site in late September. It stated that “researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.”
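To make the quoted flaw concrete, here is an added toy model (not the page's, Rapid7's or Animas's code, and not the OneTouch Ping's real protocol) of a pump receiver that acts on any well-formed cleartext frame, beside a hardened receiver that only accepts frames carrying an HMAC under the pairing key and a strictly increasing counter. The frame layout, the `REMOTE01`/`UNPAIRED` identities and the pairing key are constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed toy frame: <remote id:8><counter:4><units*10:2>, followed in the
# hardened design by a 32-byte HMAC-SHA256 tag. All values below are made up.
PAIRED_REMOTE = b"REMOTE01"                    # identity fixed at pairing time
PAIRING_KEY = b"constructed-pairing-key-for-demo"  # shared secret from pairing

def frame_body(remote_id: bytes, counter: int, units_x10: int) -> bytes:
    return remote_id + struct.pack(">IH", counter, units_x10)

def parse_body(body: bytes):
    counter, units_x10 = struct.unpack(">IH", body[8:14])
    return body[:8], counter, units_x10

class CleartextPump:
    """The weak design: any well-formed frame is acted on, whoever sent it."""
    def deliver(self, frame: bytes):
        _, _, units_x10 = parse_body(frame)
        return units_x10 / 10                 # units of insulin delivered

class AuthenticatedPump:
    """Hardened receiver: keyed HMAC tag plus an anti-replay counter."""
    def __init__(self, key: bytes, remote_id: bytes):
        self.key, self.remote_id, self.last_counter = key, remote_id, 0

    def deliver(self, frame: bytes):
        body, tag = frame[:14], frame[14:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # no valid tag: not the paired remote
        remote_id, counter, units_x10 = parse_body(body)
        if remote_id != self.remote_id or counter <= self.last_counter:
            return None                       # wrong remote, or a replayed frame
        self.last_counter = counter
        return units_x10 / 10

def authenticated_frame(key: bytes, remote_id: bytes, counter: int, units_x10: int) -> bytes:
    body = frame_body(remote_id, counter, units_x10)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def demo():
    weak, hardened = CleartextPump(), AuthenticatedPump(PAIRING_KEY, PAIRED_REMOTE)
    unpaired = frame_body(b"UNPAIRED", 1, 25)     # frame from an unpaired transmitter
    legit = authenticated_frame(PAIRING_KEY, PAIRED_REMOTE, 1, 25)
    return {
        "weak_accepts_unpaired": weak.deliver(unpaired),          # 2.5
        "hardened_rejects_unpaired": hardened.deliver(unpaired),  # None
        "hardened_accepts_paired": hardened.deliver(legit),       # 2.5
        "hardened_rejects_replay": hardened.deliver(legit),       # None
    }
```

The counter check matters as much as the tag: without it, a recorded valid frame could be re-sent, which is why the hardened receiver rejects the second delivery of `legit`.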

Although both J&J and Rapid7 noted that the risk was “low,” this opening could permit “an adversary within sufficient proximity” (which can depend on the radio transmission equipment being used) to “remotely harm users of the system and potentially cause them to have hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump.”

Radcliffe told Reuters that the steps advised in the J&J letter would keep users safe. "They can give peace of mind to the patient or parent of a child using the device," he told the news service.

Rapid7 first let Animas, the FDA, CERT/CC (the coordination center for the computer emergency response team for the Software Engineering Institute) and DHS know of the problem prior to going public, according to its announcement, which let the vendor be “highly responsive,” contacting users and recommending ways to address the risks.

Brian Levy, chief medical officer with J&J's diabetes unit, told Reuters that the company was able to “duplicate” Radcliffe's work to establish that the pump could be hacked from up to 25 feet away, but stressed to the agency that special know-how would be needed to accomplish this.

"We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product," Levy said, according to the news agency.

This is not the first hack issue arising with pumps. For example, the FDA issued a warning about Hospira infusion pumps, reported by HCB News in August 2015.

"Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies," the FDA stated in its safety alert on July 31 of that year.

At issue is the so-called "Internet of Things," according to BlackBerry Chief Security Officer David Kleidermacher and security expert Graham Murphy. In a YouTube video of their presentation at the BlackBerry Security Summit 2015, they showed just how simple it was to hack an infusion pump: using the built-in Ethernet jack at the back of the pump, with the help of the device's manual, which provided the fixed IP address that let Murphy break into it. To make matters worse, Murphy was even able to hack into the Wi-Fi on the pump, so that he could control it remotely.
