Johnson & Johnson is alerting patients to a cyber security flaw that makes its insulin pumps vulnerable to hackers. The concern is that a hacker could access these devices and overdose diabetic patients with insulin. The company says the risk of this actually occurring is low.
According to Reuters, this is the first time a manufacturer has warned of cyber security threats to one of its medical devices. The subject is especially relevant in light of a recent GAO report that found a number of cyber security weaknesses in the FDA’s information systems. Another report alleged weaknesses in pacemakers and defibrillators.
The warning involved the J&J Animas OneTouch Ping insulin pump. J&J executives say no one has attempted to hack the system so far, Reuters reports.
“The probability of unauthorized access to the OneTouch Ping system is extremely low,” J&J wrote in a letter to its customers, according to Reuters. The letters were mailed to physicians and roughly 114,000 patients in the United States and Canada who use the insulin pumps.
The Animas OneTouch Ping is a device that delivers insulin to patients with diabetes. Insulin is the hormone that signals cells to take up sugar and process it for energy. A wireless remote control is included with the Animas OneTouch Ping so that patients can easily administer a dose of insulin. The device is often worn under clothing, so having to access it each time can be inconvenient and uncomfortable.
The bug was reported by Jay Radcliffe, a well-known medical-device hacking researcher with diabetes. Radcliffe, who works with cyber security firm Rapid7, informed J&J of the issues in April. J&J told Reuters that it worked on the security problems with Radcliffe.
Radcliffe says that since communications between the remote control and the device are not encrypted, someone could hack the system and cause the device to deliver dangerously high levels of insulin. Administering very high doses of insulin can lead to hypoglycemia.