Insulin Pump at Risk for Cyber Hacking

Written by: Kimberly Commito on Monday, October 17, 2016 Posted in: HME/DME, Home Infusion

uhohOn October 4, Johnson & Johnson (J&J) and Animas sent a warning to physicians and patients—some 114,000 in the U.S. and Canada (1)—who are currently using J&J’s Animas OneTouch Ping insulin pump. The device, which has been available since 2008, utilizes a wireless remote control, so patients can direct an insulin injection without having to access the pump directly. According to the letter, the unencrypted radio frequency communication system used by the remote control is susceptible to unauthorized access, which could pose a health risk to its users if it is hacked. (2)

Protect your business with CareTend!

There have been no reports that any type of attack has occurred, but researchers with the cyber security firm Rapid7 identified the vulnerabilities and reported them to J&J. Brian Levy, chief medical officer with J&J’s diabetes unit, confirmed to Reuters that his company’s technicians were able to replicate Rapid7’s results, saying that a hacker could “order the pump to dose insulin from a distance of up to 25 feet.” However, he added that doing so would require sophisticated equipment and technical expertise. (3) It would also require proximity to the pump because the device is not able to connect to the internet or external networks.

To minimize the risk, J&J advised OneTouch Ping users that they could turn off the pump’s radio frequency feature although that would mean that “the pump and meter will no longer communicate, and blood glucose readings will need to be entered manually.” (4) The letter suggested other options as well including programming the pump to limit the bolus insulin that could be delivered. “Bolus deliveries can be limited through a number of customizable settings … and any attempt to exceed or override these settings will trigger a pump alarm and prevent bolus insulin delivery.” (5) Despite concerns, both J&J and Rapid7 say the OneTouch Ping system is safe and reliable.

This is believed to be the first time a manufacturer has delivered a warning about cyber vulnerability although the U.S. Food and Drug Administration (FDA) has issued multiple warnings about other devices, including an infusion pump. Currently, the FDA is preparing formal guidance on how device makers should handle these issues.

Nevertheless, as we move toward mobile technology, telehealth, and post-acute health monitoring, it is vital that providers make sure that their technology is encrypted with the highest standards so that every patient’s health remains safe and their information confidential and secure.

See how CareTend’s .net technology and hosted deployment are secured with the highest standards in the industry through SOC certification.



Leave a Reply

Your email address will not be published. Required fields are marked *