Elizabeth Weise

USATODAY

SAN FRANCISCO — A major maker of medical devices has for the first time issued a warning about a potential computer security flaw in a consumer product, but cautions that the danger to patients is extremely low.

Johnson & Johnson on Tuesday issued a warning about a possible cybersecurity issue with its Animas OneTouch Ping Insulin Infusion Pump. The problem was first reported by Reuters.

Computer security firm Rapid 7 discovered that it might be possible to take control of the pump via its unencrypted radio frequency communication system, which allows a wireless remote control to send it commands and information. The company alerted Johnson & Johnson, which issued the warning.

Getting too high or too low a dose of insulin could severely sicken or even kill.

There have been no instances of the pumps being hacked, Johnson & Johnson said.

Insulin pumps are used to control diabetes. They are worn on the body and deliver insulin into the body via a catheter placed under the skin. They are overwhelmingly used by patients with Type 1 diabetes, the least common type in the United States.

In the OneTouch Ping device, the user can order the pump to give them a dose of insulin via a wireless remote control which talks to the insulin pump via an unencrypted radio frequency communication system.

An entire community of hackers has arisen in recent years that focuses on diabetes hacking, though generally to tweak their own devices or to better understand how they work. This appears to be the first instance where a company has taken direct action because of external research on its devices, however.

To hack into the OneTouch Ping system, someone would need to use a radio frequency monitor to detect that the person had this particular insulin pump and then determine which of 16 possible channels it was transmitting on. They could then record a command to deliver more insulin and replay that command over and over, potentially resulting in a very high dosage of insulin, said Jay Radcliffe, the senior security researcher with Rapid 7 who found the flaw.
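The reason a recorded command can be delivered again is that nothing in an unencrypted, unauthenticated frame tells the pump whether it is fresh. The following simulation is an added example written for this article, not Animas or Rapid 7 code and not the real OneTouch Ping frame format: a legacy receiver that accepts any well-formed bolus command sits beside a receiver that binds each command to a strictly increasing counter and an HMAC under a key shared with the paired remote (an assumed design), so the same frame cannot be accepted twice.

```python
import hmac
import hashlib

# Constructed simulation. Frame layout, key and field names are assumptions,
# not the actual OneTouch Ping protocol.

def legacy_pump_accepts(frame: bytes) -> bool:
    """Legacy receiver: any well-formed 'BOLUS' frame is accepted, so a
    frame recorded over the air and replayed later is delivered again."""
    return frame.startswith(b"BOLUS:")

class HardenedPump:
    """Receiver that requires a per-command counter and an HMAC tag
    computed under a key shared with the paired remote."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0   # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        try:
            body, tag = frame.rsplit(b"|", 1)
            _, counter_str, _units = body.split(b":")
            counter = int(counter_str)
        except ValueError:
            return False          # malformed frame
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False          # forged or altered frame
        if counter <= self.last_counter:
            return False          # replayed or stale frame
        self.last_counter = counter
        return True

def build_frame(key: bytes, counter: int, units: float) -> bytes:
    """What the paired remote would send: body plus HMAC-SHA256 tag."""
    body = b"BOLUS:%d:%.1f" % (counter, units)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

def replay_outcomes():
    """Deliver one legitimate frame, then replay it against both receivers."""
    key = b"constructed-shared-key"
    pump = HardenedPump(key)
    legit = build_frame(key, 1, 2.0)
    first = pump.accept(legit)                          # fresh, authenticated
    replay = pump.accept(legit)                         # same counter: rejected
    legacy_replay = legacy_pump_accepts(b"BOLUS:2.0")   # no freshness check
    return first, replay, legacy_replay
```

The counter also means a frame captured on one channel and re-sent later fails even if the attacker never learned the key, which is the property the unencrypted design lacks.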

“Someone would have to have malicious intent, they would have to want to harm another human being. And they’d have to have technical expertise, they’d have to have radio antennas and they’d have to be within 25 feet, unobstructed,” said Marene Allison, the company’s chief information security officer.

However, to do so would require that the potential hacker be within 25 feet of the device and would require technical expertise and sophisticated equipment, Animas said in a statement Tuesday. Animas is owned by Johnson & Johnson.

While there are many diabetics in the United States, 29.1 million according to the American Diabetes Association, the vast majority of them have Type 2 diabetes. Just 4%, or 1.25 million Americans, have Type 1 diabetes, which is caused by an autoimmune disorder that destroys the cells that release insulin.

There are 114,000 OneTouch Ping insulin delivery systems in circulation in the United States and Canada, according to Johnson & Johnson.

Type 2 diabetics don’t typically need the sophisticated and frequent insulin delivery that an insulin pump offers, said Sarah Kim, who directs the diabetes clinic at Zuckerberg San Francisco General Hospital.

“Someone would have to go to extreme measures to hack in and command the insulin pump without the person’s knowledge. At this point it seems like an unnecessary worry,” she said.

In its release, Animas said that users of its insulin pump can turn off the radio frequency feature. They can also set the pump to vibrate when an insulin dose begins to be delivered, giving them time to cancel the order if they themselves did not give it.

Radcliffe said it’s important to note that insulin pumps, and in fact all medical devices, operate on a much longer development cycle than, say, cell phones. “This pump was probably designed ten or 15 years ago, when no one was thinking about security around communications protocols,” he said.

He said Johnson & Johnson “has done a great job” responding to the issue. “If my child were diagnosed with diabetes today, I would have no problem putting them on an Animas pump,” he said.

Johnson & Johnson has actually been working with the Food and Drug Administration on guidelines for medical device cybersecurity for the past 18 months. Those guidelines were published in January, said Allison.

Future Johnson & Johnson insulin delivery pumps will incorporate security measures, she said.