Johnson and Johnson Insulin Pump Potentially Vulnerable to Cyber Attack

Johnson & Johnson recently warned its customers of a cybersecurity issue with one of its insulin pumps, potentially leaving thousands of users vulnerable.  According to Johnson & Johnson’s letter, “a cybersecurity issue with the OneTouch Ping could allow unauthorized access to the pump through its unencrypted radio frequency communication system.”

According to its website, Animas, a subsidiary of Johnson & Johnson, specializes in insulin pumps including the OneTouch Ping and is dedicated to improving diabetes management.  The OneTouch Ping includes a two-part system: an insulin pump and a “meter remote” that communicates wirelessly to deliver insulin from the pump.  While Animas advertises that the OneTouch Ping® Meter Remote controls pump functions from up to 10 feet away, Healthline reports that the unencrypted radio frequency used to enable remote communication between the pump and meter could potentially be tampered with, allowing someone to deliver insulin from as far as 25 feet away.

The Wall Street Journal explains that a hacker in close proximity to the device could use sophisticated equipment to determine the device’s radio signal and use the signal to instruct the pump to supply insulin or gain other personal information.  Regardless, Brian Levy, chief medical officer of Johnson & Johnson’s diabetes-care business, said, “[T]he risk to patients is extremely, extremely low. . . .  The more important thing is people use their meters and pumps because this is an important part of their health care.”

So far, no instances of hacking have been disclosed and Johnson & Johnson published a second notice, entitled “OneTouch Ping® Insulin Delivery System Remains Safe and Reliable,” in an attempt to dispel some of the fears arising from the potential vulnerability.  This release notes that the OneTouch Ping insulin delivery system has multiple safeguards in place.  Additionally, according to the release:

[Johnson & Johnson] recognize[s] the valuable role of security researchers in identifying potential medical device cybersecurity issues in order to help increase patient safety, which is always our primary focus.

In the meantime, while Johnson & Johnson and Animas continue to work with regulatory agencies and security experts, Animas recommends that users of the insulin system, who are concerned about unauthorized access for any reason, turn off the pump’s radio frequency feature, which will cut off any communication between the pump and meter and eliminate the risk.

Regulatory agencies, such as the FDA, continue to closely monitor security issues in medical devices.  This year alone, the FDA issued draft guidance for identifying and addressing security weaknesses and issued warnings about the vulnerabilities of other medical devices that deliver drugs to patients.

Joshua Berk
Joshua Berk is an associate in our Orange County office. His practice focuses on patent litigation and prosecution. Mr. Berk attended Seton Hall University School of Law, where he completed a concentration in intellectual property law. He also served as the Senior Notes Editor for the Seton Hall Legislative Journal and President of the Intellectual Property Law Association. Before law school, he graduated from Syracuse University with an undergraduate degree in mechanical engineering. Mr. Berk joined the firm in 2015.