Johnson & Johnson recently warned its customers of a cybcersecurity issue with one of its insulin pumps, potentially leaving thousands of users vulnerable.  According to Johnson & Johnson’s letter, “a cybersecurity issue with the OneTouch Ping could allow unauthorized access to the pump through its unencrypted radio frequency communication system.”

According to its website, Animas, a subsidiary of Johnson & Johnson, specializes in insulin pumps including the OneTouch Ping and is dedicated to improving diabetes management.  The OneTouch Ping includes a two-part system: an insulin pump and a “meter remote” that communicates wirelessly to deliver insulin from the pump.  While Animas advertises that the OneTouch Ping^® Meter Remote controls pump functions from up to 10 feet away, healthline reports that the unencrypted radio frequency used to enable remote communication between the pump and meter could potentially be tampered with, allowing someone to deliver insulin from as far as 25 feet away.

The Wall Street Journal explains that a hacker in close proximity to the device could use sophisticated equipment to determine the device’s radio signal and use the signal to instruct the pump to supply insulin or gain other personal information.  Regardless, Brian Levy, chief medical officer of Johnson & Johnson’s diabetes-care business said, “[T]he risk to patients is extremely, extremely low. . . .  The more important thing is people use their meters and pumps because this is an important part of their health care.”

So far, no instances of hacking have been disclosed and Johnson & Johnson published a second notice, entitled “OneTouch Ping® Insulin Delivery System Remains Safe and Reliable,” in an attempt to dispel some of the fears arising from the potential vulnerability.  This release notes that the OneTouch Ping insulin delivery system has multiple safeguards in place.  Additionally, according to the release:

[Johnson & Johnson] recognize[s] the valuable role of security researchers in identifying potential medical device cybersecurity issues in order to help increase patient safety, which is always our primary focus.

In the meantime, while Johnson & Johnson and Animas continue to work with regulatory agencies and security experts, Animas recommends that users of the insulin system, who are concerned about unauthorized access for any reason, turn off the pump’s radio frequency feature, which will cut off any communication between the pump and meter and eliminate the risk.

Regulatory agencies, such as the FDA continue to closely monitor security issues in medical devices.  This year alone, the FDA issued draft guidance for identifying and addressing security weaknesses and issued warnings about the vulnerabilities of other medical devices that deliver drugs to patients.