J&J alerts patients to insulin pump cybersecurity flaws, but says risk is low

On Monday, Johnson & Johnson’s Animas unit disclosed cybersecurity flaws in its wirelessly controlled insulin pump that hackers could exploit and potentially deliver unauthorized doses of insulin to patients. While such an attack could result in insulin overdose and hypoglycemia, Animas says the risk of attack is low.

The OneTouch Ping Glucose Management System comprises an insulin pump worn by the patient and a remote that uses a radio frequency communication system to wirelessly tell the pump to deliver insulin. Cybersecurity firm Rapid7 first identified the security issues earlier this year and communicated them to Animas in April.

The major vulnerability is that there is not any protection against a replay attack, Jay Radcliffe, a senior security researcher at Rapid7, told FierceMedicalDevices. If a person is in range of the device and can pick up its communications, they could “replay” those signals to cause the pump to do things that the user doesn’t command it to do, he said. Such an attack is possible because the transmissions between the remote and pump are not encrypted. They don’t use sequence numbers either, which are unique numbers for each communication that allow the device components to talk to each other, but would ensure a hacker couldn’t carry out a replay attack.

Animas disclosed the security issues in a letter to customers on Monday. “We also want to assure you that the probability of unauthorized access to the One Touch Ping System is extremely low,” the company wrote. Animas did not respond to a request for comment by press time, but told Reuters that it considered the device to be “safe and reliable.”

“We urge patients to stay on the product," said Brian Levy, chief medical officer with J&J's diabetes unit, as quoted by Reuters. Rapid7’s Radcliffe worked with Animas on the security issues and underscored the importance of understanding risk: “Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash,” he wrote in a blog post.

But if patients were concerned, they could disable the pump’s radiofrequency features and instead manually enter blood glucose readings into the system, Animas said in the letter. If they choose to continue using the wireless remote, patients could also program a limit to the amount of insulin that the pump can deliver before triggering an alarm and preventing further insulin delivery, the company said.

While using encryption technology or sequence numbers in pairing the pump and the remote would address these vulnerabilities, Radcliffe said it would not be easy to do so with this device. “It would be a pretty significant undertaking,” he said. “ … These devices aren’t really designed to have an update like the iPhone. You can’t push a new operating system or patch to it. Any changes like that would require the device to be completely recalled.”

As we look to the future, more and more medical devices will connect to mobile devices and computers in a bid to improve patient care. This increased connectivity will help doctors keep up with their patients’ treatment and even make adjustments to treatment remotely. But linking to other devices via the internet opens up the risk to cyberattacks, Radcliffe said. As we move forward, companies and patients should think more closely about what safety mechanisms they have in place and what device testing they may perform.