stayontheblack.com

MHealth Developer Warns Doctors, Patients About Hacking Threat

At that time, the New Brunswick, N.J., company confirmed the weakness, notified authorities and sent the letter to patients and doctors on September 27.

Hacked devices, be they insulin pumps, pacemakers or defibrillators, have been the subject of industry speculation for years, but for the most part have been confined to "what if" scenarios and TV shows like "Homeland", which killed off a vice president several years ago by having his pacemaker reprogrammed.

In a blog post about the research, Radcliffe wrote that the episode shows why medical companies, regulators, and security researchers must take the time to track down any problems in devices.

Parents like the convenience of the systems, which include a pump for delivering insulin and a meter for measuring blood-sugar levels that can also be used as a remote to program the pump.

The company was notified of a cybersecurity issue with the OneTouch Ping, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system.

By interfering with those communications, a hacker with the proper equipment and expertise could remotely send malicious commands to a patient's implanted pump, said Mr. Radcliffe, a researcher with Rapid7, a Boston-based security firm.

Radcliffe reported the potential threat to J&J in April, and according to executives at the company, they are working on the security issues.

Dr. Levy said the company hasn't found any vulnerabilities in another system, Animas Vibe, in which a blood-sugar measuring device sends readings to the insulin-delivery pump using radio frequencies.

We also want to assure you that the probability of unauthorized access to the One Touch® Ping® System is extremely low.

It said anxious patients could take precautions, such as not using the pump's remote and programming the device to limit its maximum dose.

The FDA has said it knows of no cases where hackers have exploited cyber vulnerabilities to harm a patient.

"We believe the OneTouch Ping system is safe and reliable".

The firm said the vulnerability concerned its OneTouch Ping pump, which is only sold in the United States and Canada. The investment company made a simultaneous short call on St. Jude's shares that allowed it to profit if the stock fell.

Because of the sophistication required to wage such an attack, however, both the security researcher and the device's manufacturer believe the issues pose little risk to patients.

J&J Chief Information Security Officer Marene Allison said her team would make sure other J&J products do not have similar bugs.

The DHS said in 2014 it was aware of about 24 cases involving medical devices and pieces of hospital equipment that were vulnerable to cyberattack.

"Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections".

"We urge patients to stay on the product", Brian Levy, chief medical officer for J&J's diabetes business, told Reuters.