Johnson & Johnson warns that its insulin pump can be hacked

But company says the pump isn't web-connected, so can still be used


Johnson & Johnson has contacted hospitals and patients after the company discovered a potentially fatal security vulnerability in one of their insulin pumps.

The pharmaceutical and manufacturing giant delivered a letter to users of the pump, a copy of which Reuters received.

Almost 114,000 patients use the device in the United States and Canada.

Johnson & Johnson discovered that a hacker could potentially manipulate the amount of insulin a patient receives, which could lead to dangerously lowered blood sugar, or life-threatening hypoglycemia.

Advertisement - Article continues below
Advertisement - Article continues below

The vulnerability affects the Animas OneTouch Ping insulin pump, which was launched in 2008. This model is sold with a wireless control allowing patients to remotely operate the pump when insulin is needed.

Speaking to Reuters, Rapid 7 researcher Jay Radcliffe explained he had identified a way for a hacker to manipulate the communications between the remote control and pump, in order to give a higher than normal dose of insulin.

Radcliffe, who is a diabetic, explained to Reuters that the lack of encryption on these communications is the cause of this vulnerability.

In the letter released today, Johnson & Johnson outlined several steps patients can take to prevent potential attacks.

The company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Despite the possible security flaw, Johnson & Johnson believes the device is safe and is urging customers to keep using the product.

Advertisement - Article continues below

As the pump is not connected to the internet and operates with a maximum reach, the company believes a hack would be unlikely.

Its letter stated that: "The probability of unauthorized access to the OneTouch Ping system is extremely low. It would require technical expertise, sophisticated equipment and proximity to the pump..."

So far the Johnson & Johnson Animas OneTouch Ping is the only model identified as having a security flaw.

A Johnson & Johnson spokesperson said: "We are not issuing a recall as we are confident that the Animas OneTouch Ping insulin delivery system is safe and reliable for use. Animas has contacted patients and health care providers about this issue to assure them that the probability of unauthorized access to the One Touch Ping System is extremely low, as it would require technical expertise, sophisticated equipment and proximity to the pump.

Advertisement - Article continues below

"We have also informed patients and health care providers how to enable various pump features for advanced protection should they be concerned."

This article was updated on 5 October to include Johnson & Johnson's statement.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019