CyberSecurity: Now in Medical Equipment as Well

In a letter to diabetes patients, Johnson & Johnson said that OneTouch Ping insulin pump owners who are anxious about a potential hack can stop using the remote, or program the pump to limit the maximum dose of insulin. A security vulnerability was found in the insulin pump that a hacker could exploit to overdose diabetic patients with insulin, though the company describes the risk as low.

Following the vulnerabilities revealed in 2011 and the 2012 demonstration of a hack at a security conference in Melbourne, Australia, the US Food and Drug Administration began in 2013 formulating cybersecurity guidance for medical device makers.

Since these attacks require technical expertise and sophisticated equipment, “the probability of unauthorized access to the OneTouch Ping system is extremely low”, the company said in a warning letter to physicians and patients. If a pump were hacked, its programming could be changed to deliver a higher than expected dose of insulin.

According to a 2011 Bloomberg News report, a cybersecurity flaw in the device could allow hackers to infuse potentially life-threatening additional doses of insulin without a patient’s knowledge. In 2011, however, well-known hacker Jay Radcliffe stunned a Las Vegas tech show audience by gaining access to his own Medtronic insulin pump. The OneTouch Ping pumps are sold by Animas Corporation, a subsidiary of Johnson & Johnson.

According to crcconnection.com, nearly 114,000 patients use the device in the United States and Canada.

At issue is the so-called “Internet of things”, according to BlackBerry Chief Security Officer David Kleidermacher and Security Expert Graham Murphy.

It is believed attacks against the medical device could take place from up to 10 meters away, but this could be extended to one or two kilometers with off-the-shelf radio kit. This research highlights why it is so important to wait for vendors, regulators and researchers to fully work on these highly complex devices.