Medical device cybersecurity continues to be a major concern for companies given the impact breaches can have on the health of patients. Johnson & Johnson (J&J) and St. Jude Medical are prime examples. Johnson & Johnson’s Animas unit recently disclosed cybersecurity flaws in its wirelessly controlled insulin pump that hackers could exploit and potentially deliver unauthorized doses of insulin to patients. While such an attack could result in insulin overdose and hypoglycemia, Animas says the risk of attack is low.
The OneTouch Ping Glucose Management System comprises an insulin pump worn by the patient and a remote that uses a radio frequency communication system to wirelessly tell the pump to deliver insulin. Cybersecurity firm Rapid7 first identified the security issues earlier this year and communicated them to Animas in April.
In an interview with FierceMedicalDevices, Jay Radcliffe, a senior security researcher at Rapid7, explained that the major vulnerability is that the device lacks protection against a replay attack. If a person is in range of the device and can pick up its communications, they could “replay” those signals to cause the pump to do things that the user doesn’t command it to do. Such an attack is possible because the transmissions between the remote and pump are not encrypted. They don’t use sequence numbers either, which are unique numbers for each communication that allow the device components to talk to each other, but would ensure a hacker couldn’t carry out a replay attack.
Animas disclosed the security issues in a letter to customers. “We also want to assure you that the probability of unauthorized access to the One Touch Ping System is extremely low,” the company wrote. Animas told Reuters that it considered the device to be “safe and reliable.”
“We urge patients to stay on the product,” said Brian Levy, chief medical officer with J&J’s diabetes unit, as quoted by Reuters. Rapid7’s Radcliffe worked with Animas on the security issues and underscored the importance of understanding risk. He shared in a blog post that “removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash.”
Besides Johnson & Johnson, St. Jude Medical has been dealing with medical device cybersecurity issues. A report on cybersecurity vulnerabilities in St. Jude Medical’s implantable heart devices was jointly released in August by cybersecurity research firm MedSec Holdings and investment firm Muddy Waters, which primarily focuses on short selling, or betting that the stock prices of companies it picks will decline. The report claimed that pacemakers and implantable defibrillators sold by St. Jude could be hacked in ways that could jeopardize a user’s safety. The implanted devices have wireless radios to connect to a home monitoring station that can then back up data to St. Jude.
In a Fortune article, University of Michigan researchers stated that the report by MedSec and Muddy Waters didn’t prove the flaws existed. “We’re not saying the report is false,” Kevin Fu, associate professor of computer science and engineering and director of the Archimedes Center for Medical Device Security at University of Michigan, said in a statement. “We’re saying it’s inconclusive because the evidence does not support their conclusions. We were able to generate the reported conditions without there being a security issue.”
St. Jude said the MedSec/Muddy Waters report analyzed outdated software and demonstrated a “fundamental lack of understanding of medical device technology.” Security expert Robert Graham also challenged some of the MedSec findings by stating in his blog, “The report is clearly designed to scare other investors to drop St. Jude stock price in the short term so that Muddy Waters can profit. It’s not designed to withstand long term scrutiny. It’s full of misleading details and outright lies.” To be transparent, MedSec and Muddy Waters did disclose that they had a joint financial arrangement to profit from a fall in St. Jude’s stock price.
Whether it is J&J’s Animas unit, St. Jude or another medical device company, cybersecurity remains a high priority. The FDA further underscored the importance with the release of recommendations for managing cybersecurity vulnerabilities for medical devices. The ultimate test is how well medical device companies can protect patient health by preventing cyber breaches or quickly recovering when breaches happen.
———–
Ryan Lahti is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: @ryanlahti
(Photo: Johnson & Johnson, Flickr)