Inside Scoop: J&J Confirms Insulin Pump Security Flaws
Future Devices Will Fix Flaws Discovered by Researcher Jay Radcliffe
Vulnerabilities in certain Johnson & Johnson wireless insulin pumps put the devices at risk for hacker exploitations that could cause the delivery of an insulin overdose to patients, says cybersecurity researcher Jay Radcliffe, who discovered the flaws.
Johnson & Johnson's Animas unit is sending letters to about 114,000 patients and physicians based on the findings by Radcliffe, a researcher at the security firm Rapid7. Radcliffe, who is a diabetic, used his own Animas OneTouch Ping insulin pump in identifying vulnerabilities that put the product at risk for cyberattacks, he explains in an interview with Information Security Media Group.
A wireless control unit lets patients remotely command the dose of insulin delivered by the Animas pumps without having to touch the pump itself, he explains. The radio frequency communication path between the wireless control unit and the insulin pump, however, is unencrypted, he points out. As a result, a malicious attacker could potentially craft remote commands that make the pump deliver an overdose of insulin to the patient, he explains, although he portrays the risk as low.
Radcliffe and his team at Rapid7 have been working closely with Johnson & Johnson to address the risks since he discovered the problems in April.
Animas says in a statement provided to ISMG: "The OneTouch Ping insulin delivery system has multiple safeguards to protect the integrity of the pump and remains safe and reliable. The probability of unauthorized access to the One Touch Ping System is extremely low. It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network. For this reason also, there isn't a capability to push out a patch."
As a result of Radcliffe's findings, Animas says, its next generation of insulin pumps "will leverage different communication protocols which leverage industry best security practices." The company did not specifically address whether it plans to encrypt the product's remote communication functions.
The Animas letter sent to patients and doctors includes three mitigation approaches, Radcliffe explains: turning off the pump's remote radio frequency feature; programming the pump to limit the maximum amount of insulin that can be delivered; or turning on the pump's "vibrating" feature so that a patient is alerted when an insulin delivery is being initiated, giving the individual the option of cancelling the dose.
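To make concrete what an unencrypted, unauthenticated command path lacks, and how the "limit the maximum amount" mitigation from the letter fits into a pump's receive logic, here is an added example in Python. It is not code from Animas, Johnson & Johnson or Rapid7 and does not model the OneTouch Ping's actual radio protocol; the frame layout, the shared key, the counter-based replay check and the field sizes are all constructed assumptions for illustration. The receiver rejects any frame whose authentication tag does not verify, rejects frames with a counter it has already seen, and refuses any authentic request above the configured per-bolus limit before delivery would begin.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed frame layout for this example (NOT the OneTouch Ping's real protocol):
#   counter    uint32 big-endian   strictly increasing per command, used to reject replays
#   units_x100 uint16 big-endian   requested bolus in hundredths of a unit of insulin
#   tag        16 bytes            truncated HMAC-SHA256 over the two fields above
HEADER = struct.Struct(">IH")
TAG_LEN = 16


def pack_command(key: bytes, counter: int, units: float) -> bytes:
    """Build an authenticated bolus command as a remote control unit would (constructed format)."""
    body = HEADER.pack(counter, round(units * 100))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


@dataclass
class PumpReceiver:
    """Pump-side handling of one incoming command frame (hypothetical, for illustration)."""

    key: bytes
    max_bolus_units: float          # the 'limit the maximum amount' mitigation from the letter
    last_counter: int = -1          # highest counter accepted so far
    log: list = field(default_factory=list)

    def handle(self, frame: bytes) -> tuple[str, float]:
        """Return (status, units). Only 'accepted' would lead to the vibrate-and-deliver step."""
        if len(frame) != HEADER.size + TAG_LEN:
            return self._record("bad_length", 0.0)

        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a frame from a sender without the key fails here
        # before any dose field is even interpreted.
        if not hmac.compare_digest(tag, expected):
            return self._record("bad_tag", 0.0)

        counter, units_x100 = HEADER.unpack(body)
        units = units_x100 / 100

        # An authentic frame captured earlier and resent carries a stale counter.
        if counter <= self.last_counter:
            return self._record("replay", units)
        self.last_counter = counter

        # Dose cap is enforced on the pump, independent of what the remote asked for.
        if units > self.max_bolus_units:
            return self._record("over_limit", units)

        # 'accepted' is where the pump would vibrate to alert the patient and start delivery,
        # the window in which the patient can still cancel the dose.
        return self._record("accepted", units)

    def _record(self, status: str, units: float) -> tuple[str, float]:
        self.log.append((status, units))
        return status, units


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"          # constructed; a real device would provision its own
    pump = PumpReceiver(key=demo_key, max_bolus_units=10.0)
    frame = pack_command(demo_key, counter=1, units=2.5)
    print(pump.handle(frame))                   # ('accepted', 2.5)
    print(pump.handle(frame))                   # ('replay', 2.5)
    print(pump.handle(pack_command(b"other-key", 2, 2.5)))   # ('bad_tag', 0.0)
    print(pump.handle(pack_command(demo_key, 2, 25.0)))      # ('over_limit', 25.0)
```

The order of checks matters: authenticity is established first, so the replay counter and the dose limit are only ever evaluated on frames that provably came from the paired control unit, and the dose cap lives on the pump rather than in the remote, which is what makes the letter's "limit the maximum amount" setting meaningful even when the radio link itself offers no protection.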
FDA Lauds Coordinated Vulnerability Announcement
In a statement, the Food and Drug Administration tells ISMG: "The FDA was made aware of the cybersecurity vulnerabilities identified in the Animas OneTouch Ping insulin pump during the coordinated disclosure process used by the medical device manufacturer and the research firm. This coordinated disclosure employed by Johnson & Johnson and Rapid7 demonstrates directly the basic principles proposed in the FDA's draft guidance on postmarket management of cybersecurity in medical devices."
The federal regulator said Johnson & Johnson's work with Radcliffe's team at Rapid7 is "the proactive behavior the FDA has been looking to see from the medical device manufacturer and research community and demonstrates the collaborative manner in which vulnerabilities can be addressed in a way that best protects patients."
In the interview, Radcliffe also discusses:
- How the vulnerabilities in the Animas insulin pumps differ from earlier security flaws Radcliffe identified in 2013;
- Why medical device makers often don't respond positively to independent researchers who identify cyber flaws in their products;
- Rapid7's relationship with device manufacturers in its role as an independent research firm.
Radcliffe has spent more than 20 years in security, including work in managed security services. He specializes in medical-related environments and the internet of things and is known for his research on security vulnerabilities in medical devices.