Remember when Dick Cheney got his pacemaker’s WiFi disabled due to fear of hacking? Well, it happened 3 years back in 2013. The fear of medical devices being hacked has only grown in the last few years, and manufacturers are now taking these possibilities very seriously. Johnson & Johnson has now revealed that it has learned of a security vulnerability in one of its insulin pumps that could be exploited by a hacker. The fear is that once a hacker takes control of the device, they could alter the dosage, which could have life-threatening consequences for the patient. However, Johnson & Johnson has described the risk as low.
According to medical device experts, this is the first time a manufacturer has issued this kind of warning to patients about a vulnerability in a medical device that could be exploited by cyber criminals. The disclosure is also being attributed to the pressure put on manufacturers by recent discussions of security vulnerabilities and bugs in medical devices such as defibrillators and pacemakers.
According to a report published by Reuters, Johnson & Johnson executives said they were not aware of any attempted hacking attacks on their medical device, the J&J Animas OneTouch Ping insulin pump. All they wanted to do was warn the public in advance about how to fix this problem. The company has sent warning and advisory letters to doctors and to as many as 114,000 patients who use the device in the U.S. and Canada. According to the letter, “It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.” The Animas OneTouch Ping was launched in 2008. It is worn under clothing, and a wireless remote is used to control the device and inject insulin into the body through a catheter.
The vulnerability was discovered by Jay Radcliffe, a researcher with cyber security firm Rapid7 Inc, who first talked about it on his blog. According to him, the vulnerability lies in the communication between the remote control and the insulin pump. He says this communication is not encrypted and could therefore be exploited by hackers to gain access to the device. An attacker could cause hypoglycemia (low blood sugar) by increasing the dosage of insulin to be injected, which could lead to life-threatening complications. Radcliffe said that patients should discontinue use of the wireless feature and program the device to limit the maximum dosage of insulin that can be injected in one go.