Johnson & Johnson notifies patients of insulin pump vulnerability
By Shawn Knight
Most security vulnerabilities lead to situations that are classified as more of an inconvenience than anything else. In other instances, however, an exploited flaw can be far more dangerous and potentially even fatal.
Johnson & Johnson recently learned of one such vulnerability affecting its Animas OneTouch Ping insulin pump (Johnson & Johnson purchased Animas in 2006) and has sent letters (PDF) informing doctors, as well as the approximately 114,000 patients who currently use the device, of the issue.
Animas said in the letter that a nefarious individual could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. The probability of unauthorized access is extremely low, the company said, adding that it would require technical expertise, sophisticated equipment and proximity to the pump (within a distance of 25 feet or less) as it isn't connected to the Internet or any external network.
The company further pointed out that the system has multiple safeguards in place to protect its integrity and prevent unauthorized action. Users who are concerned can disable the pump's radio frequency feature, although this means they would have to manually enter blood glucose readings on the pump.
Furthermore, users can program the pump to limit the amount of insulin that can be delivered and activate a vibrating delivery alarm that will notify the user each time a dose is being administered.
Neither Johnson & Johnson nor the FDA has found any evidence to suggest that hackers have exploited the vulnerability in the wild.