Medical device experts said they believe it was the first time a
manufacturer had issued such a warning to patients about a cyber
vulnerability, a hot topic in the industry following revelations
last month about possible vulnerabilities in pacemakers and
defibrillators.
J&J executives told Reuters they knew of no examples of attempted
attacks on the device, the J&J Animas OneTouch Ping insulin pump.
The company is nonetheless warning customers and providing advice on
how to fix the problem.
"The probability of unauthorized access to the OneTouch Ping system
is extremely low," the company said in letters mailed out on Monday
to doctors and about 114,000 patients in the United States and
Canada who use the device. A copy of the text of the letter was made
available to Reuters.
The warning is being delivered a month after a prominent short
seller and cyber security research firm went public with allegations
of potentially life-threatening cyber vulnerabilities in heart
devices from St. Jude Medical Inc <STJ.N>.
St. Jude said the allegations were false as its shares tumbled and
the U.S. Food and Drug Administration began an investigation.
The U.S. Food and Drug Administration is preparing to release formal
guidance on how medical device makers should handle reports about
cyber vulnerabilities. J&J said it reviewed the matter with the FDA
before sending the letter.
An early draft of that guidance, which was released in January for
public comments, calls for device makers to work with security
researchers, identify steps to mitigate risks, and provide patients
with information about bugs so they can "make informed decisions"
about device use.
The FDA declined comment on J&J's handling of the vulnerability in
the insulin pump, a medical device worn on the body that injects
insulin through catheters.
J&J executives told Reuters that they worked on the security
problems with Jay Radcliffe, a diabetic and well-known
medical-device hacking researcher with cyber security firm Rapid7
Inc <RPD.O> who reported vulnerabilities in the pump to the company
in April.
The Animas OneTouch Ping is sold with a wireless remote control that
patients can use to order the pump to dose insulin so that they do
not need access to the device itself, which is typically worn under
clothing and could be awkward to reach.
Radcliffe said he identified ways for a hacker to spoof
communications between the remote control and the OneTouch Ping
insulin pump, potentially forcing it to deliver unauthorized insulin
injections. Dosing a patient with too much insulin could cause
hypoglycemia, or low blood sugar, which in extreme cases can be life
threatening, said Brian Levy, chief medical officer with J&J's
diabetes unit.
The system is vulnerable because those communications are not
encrypted, or scrambled, to prevent hackers from gaining access to
the device, Radcliffe said.
Company technicians were able to replicate Radcliffe's findings,
confirming that a hacker could order the pump to dose insulin from a
distance of up to 25 feet, Levy said. He said such attacks are
difficult to pull off because they require specialized technical
expertise and sophisticated equipment.
"We believe the OneTouch Ping system is safe and reliable. We urge
patients to stay on the product," Levy said.
J&J's letter said that if patients were concerned, they could take
several steps to thwart potential attacks. They include
discontinuing use of a wireless remote control and programming the
pump to limit the maximum insulin dose.
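The two points above, unauthenticated remote commands being open to spoofing and a programmed dose ceiling as a safety backstop, can be illustrated in a toy model. The code below is an added example written for this page; it is not code from Reuters, J&J, Animas or Rapid7, and it does not reflect the OneTouch Ping's real radio protocol. It assumes a hypothetical design in which the remote and the pump share a secret key, every command carries an HMAC-SHA256 tag and a monotonically increasing counter, and the pump enforces a patient-set maximum bolus (5.0 units here, a constructed value). The pump accepts a genuine command and refuses the same frame replayed, an unsigned frame, and a signed frame that exceeds the dose ceiling.

```python
"""Toy model of an authenticated insulin-pump remote link (constructed example)."""
import hashlib
import hmac
import json


class Remote:
    """Legitimate remote control: shares a key with the pump and numbers
    each command so the pump can detect replays (hypothetical design)."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.counter = 0

    def bolus(self, units: float) -> bytes:
        self.counter += 1
        body = json.dumps({"op": "bolus", "units": units,
                           "counter": self.counter}, sort_keys=True)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "tag": tag}).encode()


class HardenedPump:
    """Pump that only acts on authenticated, fresh, in-limit commands."""

    def __init__(self, shared_key: bytes, max_bolus_units: float):
        self.key = shared_key
        self.max_bolus = max_bolus_units  # patient-programmed dose ceiling
        self.last_counter = 0
        self.delivered = []               # units actually dosed
        self.rejections = []              # reasons for refused frames

    def receive(self, frame: bytes) -> bool:
        try:
            msg = json.loads(frame)
            body, tag = msg["body"], bytes.fromhex(msg["tag"])
        except (ValueError, KeyError, TypeError):
            self.rejections.append("malformed")
            return False
        # 1. Authenticity: the frame must carry a valid MAC under the shared key,
        #    so a transmitter without the key cannot issue commands.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.rejections.append("bad_tag")
            return False
        cmd = json.loads(body)
        # 2. Freshness: the counter must advance, so a captured frame
        #    cannot be re-sent later.
        if cmd.get("counter", 0) <= self.last_counter:
            self.rejections.append("replay")
            return False
        # 3. Dose ceiling: the mitigation the J&J letter describes, applied
        #    even to correctly signed commands.
        units = cmd.get("units", 0)
        if cmd.get("op") != "bolus" or not 0 < units <= self.max_bolus:
            self.rejections.append("dose_limit")
            return False
        self.last_counter = cmd["counter"]
        self.delivered.append(units)
        return True


def demo() -> dict:
    """Run four frames through the pump and report what it did with each."""
    key = b"constructed-demo-key-not-real"   # constructed, not a real key
    remote = Remote(key)
    pump = HardenedPump(key, max_bolus_units=5.0)

    ok_frame = remote.bolus(2.0)             # legitimate 2-unit bolus
    replayed = ok_frame                      # identical frame sent a second time
    unsigned = json.dumps({                  # well-formed frame with no valid tag
        "body": json.dumps({"op": "bolus", "units": 9.0, "counter": 99}),
        "tag": "00" * 32,
    }).encode()
    too_big = remote.bolus(20.0)             # genuinely signed, but over the ceiling

    accepted = [pump.receive(f) for f in (ok_frame, replayed, unsigned, too_big)]
    return {"accepted": accepted,
            "delivered": pump.delivered,
            "rejections": pump.rejections}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the dose ceiling is checked last and independently of authentication: it protects the patient even if a key were ever compromised or a remote misused, which is why a programmed maximum is a sensible safety backstop regardless of how the radio link is secured.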
Radcliffe said he believed that OneTouch Ping users would be safe if
they followed the steps outlined in the letter from J&J.
"They can give peace of mind to the patient or parent of a child
using the device," he said.
J&J Chief Information Security Officer Marene Allison said her team
would make sure other J&J products do not have similar bugs.
Radcliffe said he found vulnerabilities in the Animas OneTouch Ping,
but not the Animas Vibe line of insulin pumps.
Suzanne Schwartz, an FDA official responsible for reviewing bugs in
medical devices, said in a statement that she encourages
collaboration between researchers and device manufacturers to
identify, remediate and alert the public to vulnerabilities.
"It enables all stakeholders to better address device safety with
the interest of patient health in mind," she said.
The FDA has said it knows of no cases where hackers have exploited
cyber vulnerabilities to harm a patient.
The agency last year issued multiple warnings about cyber bugs in
infusion pumps from Hospira, which has since been acquired by Pfizer
Inc <PFE.N>. (http://reut.rs/2duNuZK)
(Reporting by Jim Finkle; Editing by Jonathan Weber and Grant
McCool)
© 2016 Thomson Reuters. All rights reserved.