Johnson & Johnson says insulin pump can be hacked

Johnson & Johnson, it appears, has no interest in being run through the same gauntlet as fellow device maker St. Jude Medical for its cybersecurity sins.

The company has issued a warning that its J&J Animas OneTouch Ping insulin pump is vulnerable to hacking attacks, according to a Reuters report. In letters to patients and providers, Johnson & Johnson calls the probability of hacking “extremely low,” and it tells Reuters it knows of no attacks on the devices thus far.

Cybersecurity research firm Rapid7 Inc, which discovered the vulnerability last spring, outlines its findings in a blog post, noting that the OneTouch Ping system communicates in cleartext rather than using encrypted communication. “Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections,” the post says.

Johnson & Johnson tells Reuters it has worked with Radcliffe on the issues, although Radcliffe clarifies in a note shared on the Rapid7 blog post that he has not been paid by Animas or Johnson & Johnson for his research.

The admission comes in the wake of cybersecurity problems for fellow device maker St. Jude Medical. A report distributed in August by investment firm Muddy Waters and security research firm MedSec revealed cybersecurity vulnerabilities in St. Jude’s cardiac devices. MedSec CEO Justine Bone said that she believed St. Jude had known about its vulnerabilities since 2013, but took very little action to remedy the situation.

A lawsuit filed by St. Jude after the report’s release called the Muddy Waters/MedSec accusations false and manipulative.

In a statement sent to FierceHealthIT, Aaron Lint, vice president of research for security company Arxan, urges all companies to use encryption on their devices.

“In order to prevent such instances from occurring, encrypted communication between any two endpoints is critical for medical devices and all [Internet of Things] devices,” Lint says.