Johnson & Johnson says insulin pump can be hacked

Johnson & Johnson, it appears, has no interest in being run through the same gauntlet as fellow device maker St. Jude Medical for its cybersecurity sins.

The company has issued a warning that its J&J Animas OneTouch Ping insulin pump is vulnerable to hacking attacks, according to a Reuters report. In letters to patients and providers, Johnson & Johnson calls the probability of hacking “extremely low,” and it tells Reuters it knows of no attacks to the devices, thus far.

Cybersecurity research firm Rapid7 Inc, which discovered the vulnerability last spring, outlines its findings in a blog post, noting that the OneTouch Ping system uses cleartext communication and not encrypted communication. “Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections,” the post says.

Johnson & Johnson tells Reuters it has worked with Radcliffe on the issues, although Radcliffe clarifies in a note shared on the Rapid7 blog post that he has not been paid by Animas or Johnson & Johnson for his research.

The admission comes in the wake of cybersecurity problems for fellow device maker St. Jude Medical. A report distributed in August by investment firm Muddy Waters and security research firm MedSec revealed cybersecurity vulnerabilities with St. Jude’s cardiac devices. MedSec CEO Justine Bone said that she believed St. Jude knew about its vulnerabilities since 2013, but took very little action to remedy the situation.

A lawsuit filed after the report’s release by St. Jude called the Muddy Waters/MedSec accusations false and manipulative.

In a statement sent to FierceHealthIT, Aaron Lint, vice president of research for security company Arxan, urges all companies to use encryption on its devices.

“In order to prevent such instances from occurring, encrypted communication between any two endpoints is critical for medical devices and all [Internet of Things] devices,” Lint says.