Oct. 4 — Johnson & Johnson is warning users of its OneTouch Ping insulin pump that hackers could exploit a cybersecurity flaw to infuse additional doses of the diabetes drug without their knowledge, which could be life-threatening.
“The probability of unauthorized access to the OneTouch Ping System is extremely low,” the company said in a letter to patients alerting them to the risk. “It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the Internet or to any external network.”
The New Brunswick, N.J.-based device maker said it has worked to address the issues and laid out steps patients can take to reduce their risk, such as turning off the pump’s wireless connection to a blood sugar meter, or setting a limit on the amount of insulin that can be delivered. While the potential risk with insulin pumps has been known since at least 2011, when a security conference in Las Vegas featured the hack of a Medtronic Plc device, the issue has gained attention as more devices include wireless technology to make them easier to use.
A cybersecurity researcher brought the risks to J&J’s attention in April after identifying ways to hack the device, according to Reuters, which first reported the weakness. That allowed the company to investigate and work with U.S. regulators and the hacker, the same security researcher who earlier exposed the issue with Medtronic’s pump.
The experience with J&J’s device stands in sharp contrast to the disclosure of similar potential vulnerabilities with St. Jude Medical Inc.’s pacemakers and defibrillators in August. Short-seller Carson Block and his Muddy Waters Capital LLC investment firm issued a report with MedSec LLC, a cybersecurity company, alleging possible cybersecurity flaws in St. Jude’s products. The investment company made a simultaneous short call on St. Jude’s shares that allowed it to profit if the stock fell.
Block and his colleagues said they didn’t give St. Jude early warning about the potential risks, which has traditionally been the standard in the cyber community, because the deficiencies were so great and St. Jude had been negligent in ignoring them.
St. Jude countered that the deficiencies identified by Muddy Waters and MedSec were actually a safety feature, and that the device the firms tested was functioning normally. Abbott Laboratories, which agreed in April to buy St. Jude for $25 billion, has said it remains committed to the transaction.