Not all insulin pumps are safe. A model with wireless control from the Johnson & Johnson laboratory is at risk of hacking.
The healthcare sector is not immune to hacker attacks. The American laboratory Johnson & Johnson has warned 14,000 customers on the North American continent. A security flaw has been discovered in one of its medical devices: an insulin pump marketed since 2008. The company is nonetheless reassuring: the risk of attack is low, it says.
762 meters of insecurity
The affected model, the J&J Animas OneTouch Ping, is indicated for the treatment of diabetic patients who need to inject insulin. To facilitate the process, these pumps are permanently installed. Each patient is thus equipped with a box which injects this hormone on demand, through a catheter. The product offered by the American laboratory is equipped with a wireless control, intended to make it more comfortable to use.
More practical, of course, but also more vulnerable, because the exchanges between the pump and the control are neither encrypted nor scrambled. The flaw was reported to the laboratory in April. Concretely, a hacker located less than 762 meters from a pump can increase the dose of insulin delivered. Insulin is used to regulate the level of glucose in the blood. Such an action would therefore cause hypoglycemia, which can prove fatal for a fragile patient.
A directive under development
To date, no malicious attacks have been reported by customers. The risk of this type of incident occurring is very low. Johnson & Johnson has also adopted a reassuring tone in the letter sent to them. “This would require technical expertise, sophisticated equipment and proximity to the pump, since the OneTouch Ping system is not connected to the Internet or to an external network”, specifies the document consulted by Reuters.
Out of caution, the laboratory has nonetheless planned to solve the problem. Several methods are envisioned, including ending the use of a wireless device and programming a maximum dose of insulin deliverable by the pumps. Work in close collaboration with the FDA, the United States Food and Drug Administration, is underway. The health authority is preparing an official directive for manufacturers of medical devices. At a time when the first artificial pancreases are emerging, this question is very topical, especially since this is not the first alert to be raised. In September, possible bugs in pacemakers and defibrillators were reported. During his term as Vice President of the United States, Dick Cheney had even deactivated his pacemaker because of the risk of hacking.