Animas OneTouch Ping Insulin Pump Vulnerable To Hackers: J&J Warns

Johnson & Johnson is warning about a risk of security problems with the Animas OneTouch Ping insulin pump, which may be vulnerable to cyber intrusion.

In a letter sent to more than 100,000 owners of the insulin pumps, the company and its Animas Corporation subsidiary warned that the medical device may be hacked due to a lack of encryption. However, Johnson & Johnson indicates that no such hacks are known to have occurred, and that the hacker would have to be less than 25 feet away.

The warning highlights growing concerns over cybersecurity threats involving medical devices that are wirelessly accessible, which could pose a life-threatening risk if hacked.

The Animas insulin pump vulnerability was discovered several months ago by Rapid7, Inc., a cybersecurity firm. In a blog post on September 28, the company confirmed the Johnson & Johnson warning.

“The OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol,” the firm reported. “Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.”

The Animas OneTouch Ping has a wireless remote control, which users can use to give themselves insulin injections. It has been on the market since 2008, and Johnson & Johnson said that newer devices have encryption to keep hackers out.

The warning comes about a month after a class action lawsuit was filed against St. Jude by patients who say its pacemakers and other implantable heart devices have cybersecurity flaws, which make them vulnerable to hackers as well.

The St. Jude class action lawsuit came a day after a report was released by Muddy Waters Capital LLC, outlining findings by MedSec Holdings, which identified significant security vulnerabilities in St. Jude’s devices.

The report indicates that the company’s Merlin@home transmitter and Merlin.net PCN, which are used to transmit data from heart devices to physicians, “lacked even the most basic security defenses” such as encryption, anti-tampering devices and anti-debugging tools, which are used by other heart device manufacturers.

Medical Device Cybersecurity Concerns

Cybersecurity threats to the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The Department of Health and Human Services (DHHS) manager, Jason Lay, has called the exposed vulnerabilities in the medical field a danger. Lay claimed the possibility of hacks to medical devices are very real, stating hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations health record systems.

Additionally, in a demonstration at the RSA security conference in San Francisco in 2012, researchers were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The FDA has been actively working on improving cybersecurity in the medical field since 2013, when the White House issued Executive Order 13636, which called on the public and private sectors to collectively strengthen the gap in cybersecurity infrastructure. Since the order, the FDA issued its first guidance in October 2014, recommending medical device manufactures to incorporate strong anti-hack programs during the design stages of device development.

The agency proposed a second guidance on January 15, outlining important steps medical device manufacturers should take to proactively plan for and to assess vulnerabilities, to keep patients safe and better protect public health.