It can be difficult for experts stop looking at everything around them with a critical eye – and Jay Radcliffe is no different.
The diabetic – who also happens to be the senior security consultant at Boston cybersecurity firm Rapid7 – discovered earlier this month that a Johnson & Johnson insulin pump can be hacked to potentially deliver extra doses of insulin.
The pharmaceutical company’s subsidiary, Animus Corp., says it’s sent letters warning doctors and patients who use the OneTouch Plug insulin pump, but it’s not aware of any attempts to hack into the device’s remote control system.
Dr. Brian Levy is the Chief Medical Officer of Johnson & Johnson’s Diabetes Care companies. He says approximately 114,000 devices in circulation since 2008 in the United States and 2009 in Canada. “And there have been zero patient or user complaints or concerns.”
Rapid7 found that the main vulnerability was that communications between the remote and the pump were not encrypted, making it possible for an individual with the proper skills to send incorrect signals to the pump.
Levy says Johnson & Johnson is working to address the problem, but the OneTouch Plug insulin pump does have some safeguards in place against hacking.
First, hacking the pump would require close proximity – 25 feet or less – in an unobstructed space. That, Levy says, greatly lowers the opportunity for attackers to cause damage. “If a patient were really concerned, they don’t have to use the remote or the radio frequency feature.” The pump can also be use manually.
Secondly, patients set in advance the maximum amount of insulin a pump can deliver over specific periods of time, Levy says. “If any of those limits are exceeded, the pump alarms and tells the patient too much insulin is set to be delivered, and the patient has the option to accept or decline the administration of the insulin.”
Finally, the pump vibrates as a warning whenever the insulin is ready to be delivered remotely, according to Levy.
The U.S. Food and Drug Administration has called security threats to medical devices with digital communications a "growing concern," and is in the process of developing security guidelines for manufacturers.
We may hear more about threats to medical devices, Levy says, “but as new products are developed, [the industry] does take into consideration – much more than in years past – the potential for cybersecurity concerns. And safety is our primary concern.”
