J&J Warns Insulin Pump Vulnerable to Cyber Hacking
October 04 2016 - 4:26PM
Dow Jones News
By Jonathan D. Rockoff
Johnson & Johnson has warned diabetes patients and doctors
that one of its insulin pumps is vulnerable to cyber hacking.
A hacker in close proximity to the OneTouch Ping insulin pump
system could use sophisticated equipment to find the unencrypted
radio signal used by the device and program the pump to supply
insulin, J&J officials said.
"The risk to patients is extremely, extremely low," said Brian
Levy, chief medical officer of J&J's diabetes-care business.
"The more important thing is people use their meters and pumps
because this is an important part of their health care."
J&J's Animas unit has sold 114,000 of the OneTouch Ping
systems in the U.S. and Canada, mostly for Type 1 diabetes
patients. J&J doesn't break out revenue numbers for the device,
though Dr. Levy characterized it as a "very good seller."
Parents like the convenience of the systems, which include a
pump for delivering insulin and a meter for measuring blood-sugar
levels that can also be used as a remote to program the pump. The
meter communicates with the pump, from as far as 25 feet away, over
unencrypted radio frequencies.
Late last month, the company sent a letter to doctors and
patients warning a hacker could identify the specific frequency the
device is using and then issue commands to the pump.
The warning, first reported by Reuters, is the latest indication
of the susceptibility of medical devices to computer hacking, a
mounting worry as they are increasingly connected to the internet,
hospital computer networks and to other medical devices.
So far, the fears haven't been realized. No instances of
medical-device hacking have been disclosed, consultants and
industry officials say, though firms that advise companies how to
reduce their risks of cyberattacks have found and publicized
vulnerabilities.
St. Jude Medical Inc. shares fell in August after a short seller
and a cybersecurity firm that were working together said they found
bugs in some of the company's pacemakers and implantable
defibrillators, allegations that St. Jude called "irresponsible,
misleading."
Yet the health risk to patients from a cyberattack on a medical
device is serious enough that regulators and companies have been
taking steps to upgrade security.
This year, the Food and Drug Administration issued a draft of
rules for identifying and addressing weaknesses. The agency later
issued warnings about the vulnerabilities of some infusion pump
systems, made by Pfizer Inc.'s Hospira business, that deliver drugs
intravenously to patients.
Following the agency's recommendations, J&J set up a website
in April to receive reports of medical-device vulnerabilities.
Shortly afterward, a cybersecurity consulting firm reported the
OneTouch Ping's flaws, said Marene Allison, J&J's chief
information security officer.
At that time, the New Brunswick, N.J., company confirmed the
weakness, notified authorities and sent the letter to patients and
doctors on Sept. 27.
Dr. Levy said the company hasn't found any vulnerabilities in
another system, Animas Vibe, in which a blood-sugar measuring
device sends readings to the insulin-deliver pump using radio
frequencies.
The OmniPod insulin pump system, made by Insulet Corp., also
includes a device that communicates wirelessly to deliver insulin.
A spokeswoman for the Billerica, Mass., company did not respond to
requests for comment.
Write to Jonathan D. Rockoff at Jonathan.Rockoff@wsj.com
(END) Dow Jones Newswires
October 04, 2016 16:11 ET (20:11 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.
Johnson and Johnson (NYSE:JNJ)
Historical Stock Chart
From Aug 2024 to Sep 2024
Johnson and Johnson (NYSE:JNJ)
Historical Stock Chart
From Sep 2023 to Sep 2024