In an mHealth industry first, a developer of digital insulin pumps is warning users that one of its devices could be hacked – with possibly fatal results.
Officials at Johnson & Johnson are playing down the potential for a hacker to program the company’s Animas OneTouch Ping insulin pump to deliver a fatal dose of the hormone to a user, but the company has sent out a letter telling its customers to be alert.
"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent to doctors and roughly 114,000 patients in the U.S. and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."
Still, this is reportedly the first time that a company has issued such a warning.
Hacked devices, be they insulin pumps, pacemakers and defibrillators, have been the subject of industry speculation for years, but for the most part have been confined to “what if” scenarios and TV shows like “Homeland,” which killed off a vice president several years ago by having his pacemaker reprogrammed. In 2011, however, well-known hacker Jay Radcliffe stunned a Las Vegas tech show audience by gaining access to his own Medtronic insulin pump.
In 2014, the Department of Homeland Security admitted that it was investigating potential vulnerabilities in about two dozen devices, and the U.S. Food and Drug Administration issued new guidance for device developers outlining what security features they should include before applying to the FDA for approval.
That fall, WIRED published an article (https://www.wired.com/2014/04/hospital-equipment-vulnerable/) about Scott Erven, head of information security at Essentia Health, who was directed by the Midwestern health system to examine security flaws in and around its 100+ hospitals and other healthcare sites.
“In a study spanning two years, Erven and his team found drug infusion pumps – for delivering morphine drips, chemotherapy and antibiotics - that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care,” the article reported.
“Erven’s team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.”
Since then, device security has been a staple at mHealth and telehealth conferences, but always discussed in terms of potential, rather than actual.
Earlier this year, an investment firm disclosed its concerns (https://healthitsecurity.com/news/st.-jude-files-lawsuit-over-medical- device-security-claims) about security flaws in pacemakers and defibrillators made by St. Jude Medical, setting off a new firestorm about how mHealth security is handled and reported. In addition, the FDA has issued several alerts concerning the safety of infusion pumps developed by Hospira (the company has since been acquired by Pfizer).
The FDA is now working on formal guidelines for mHealth companies who receive reports about cybersecurity vulnerabilities.
With this latest move by J&J, meanwhile, the industry is taking a new tack.
Company officials told Reuters, which broke the story (http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e- idUSKCN12411L), that Radcliffe notified the company in April of potential weaknesses in the insulin pump. The company then conducted its own investigation alongside Radcliffe, bringing in federal authorities as well, before deciding to notify healthcare providers and customers.
“(T)his research is done to make sure the future of our devices are safe,” Radcliffe, a security researcher at Rapid7, said in a Sept. 28 blog (https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch- ping-insulin-pump) that laid out the flaws. “As these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically. This research highlights why it is so important to wait for vendors, regulators and researchers to fully work on these highly complex devices. This is not something to be rushed into as there is a patient’s life on the line. We all want the best technology right away, but done in a reckless, haphazard way puts the whole process back for everyone.”
"We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product," Brian Levy, chief medical officer for J&J’s diabetes business, told Reuters.
Written by: Eric Wicklund
Published by: mHealth Intelligence