Johnson & Johnson Warns Patients Insulin Pump Is Hackable But “Low Risk” Of Attack

Tech can be pretty great, and smart, connected tech can be really great. Miniaturization and the ability to control devices remotely has led to some fantastic advances in, for example, health care. But today in “wow, our glorious tech-driven future is so strange and dystopic some days,” we are reminded that anything that can be networked is vulnerable, and can be hacked.

Reuters reports this morning that Johnson & Johnson has found that one of its medical devices has a bug in it that can leave it vulnerable to remote intrusion — i.e., hacking.

While it’s strange to think of the company best known for Band-Aids and baby shampoo — decidedly non-digital products — as hackable, J&J also makes and sells a whole range of medical devices to hospitals and doctors. One of those devices is a line of insulin pumps, the One Touch Ping, to help patients manage diabetes.

The One Touch Ping is a two-part system. One part is the pump, which a patient wears; the other part is a remote that lets them control how much insulin the pump delivers. The two-part design means that folks managing their diabetes don’t have to fiddle with a device under their clothes, or excuse themselves to a private room, to manage insulin dosing — discretion that many patients value.

But that means that the actual pump part, by definition, can be accessed wirelessly. And that’s where the bug comes in: the person holding the authorized remote isn’t the only person who can do that accessing. Communications inside the system are not encrypted, so a hacker can fake signals between the remote control and the pump, forcing the pump to deliver unauthorized insulin injections. Deliver a high enough insulin dose from up to 25 feet away, using a hacked pump, and, well, it could become a perfect locked-room murder mystery.
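The weakness described above is that the pump cannot tell a genuine remote command from a forged one. The following is an added, illustrative example (not the OneTouch Ping’s actual protocol, and not code from Johnson & Johnson) of the kind of check a pump could apply: every command carries a message authentication code under a key shared only with the paired remote, plus a monotonically increasing counter so a captured command cannot be replayed. The key, frame layout and field sizes are constructed for the demonstration.

```python
import hmac
import hashlib
import struct

# Constructed demo key; in a real device this would be provisioned per pairing.
KEY = b"constructed-demo-pairing-key"

BODY_FMT = ">IH"          # 4-byte command counter, 2-byte dose in 0.1-unit steps
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16              # truncated HMAC-SHA256 tag


def make_command(key: bytes, counter: int, dose_tenths: int) -> bytes:
    """Remote side: frame = counter || dose || HMAC(key, counter || dose)."""
    body = struct.pack(BODY_FMT, counter, dose_tenths)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Pump:
    """Pump side: only act on frames that authenticate and are not replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0      # highest counter already accepted
        self.delivered = []        # doses actually delivered, for the demo

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: a forged frame without the key fails here.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        counter, dose_tenths = struct.unpack(BODY_FMT, body)
        # A recorded genuine frame sent again carries an old counter.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.delivered.append(dose_tenths)
        return "accepted"


if __name__ == "__main__":
    pump = Pump(KEY)
    genuine = make_command(KEY, 1, 25)          # 2.5 units from the paired remote
    print(pump.receive(genuine))                # accepted
    print(pump.receive(genuine))                # rejected: replay
    print(pump.receive(make_command(b"guess", 2, 250)))  # rejected: bad tag
```

The unauthenticated design the article describes corresponds to a pump that skips the tag and counter checks and acts on any well-formed frame it hears.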

A medical-device hacking researcher, himself diabetic, discovered and reported the vulnerability in April; J&J internal researchers tested and confirmed the flaw before communicating to their customers.

Johnson & Johnson sent letters this week to 114,000 patients in the U.S. and Canada informing them of the vulnerability in the device, Reuters says. Executives for the company told Reuters they knew of no actual hacking attempts on the device, and the letter described the probability of unauthorized access as “extremely low.”

One company executive explained to Reuters that a hack, while possible, would be difficult to pull off because it required specialized expertise and equipment. “We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product,” he told Reuters.

There are as yet no formal rules in the U.S. on how medical device makers must handle software security problems. The FDA has a draft set of guidance out for public comment, but there is not yet any rule.

However, as internet-capable and -connected health devices continue to proliferate, stories about firmware bugs will only continue to become more common. That means consumers and patients would benefit from a strong rule about it sooner rather than later.

Exclusive: J&J warns patients of insulin pump cyber bug, low hacking risk [Reuters]