JNJ Johnson and Johnson

Johnson & Johnson has warned diabetes patients and doctors that one of its insulin pumps is vulnerable to cyber hacking.

A hacker in close proximity to the OneTouch Ping insulin pump system could use sophisticated equipment to find the unencrypted radio signal used by the device and program the pump to supply insulin, J&J officials said.

"The risk to patients is extremely, extremely low," said Brian Levy, chief medical officer of J&J's diabetes-care business. "The more important thing is people use their meters and pumps because this is an important part of their health care."

J&J's Animas unit has sold 114,000 of the OneTouch Ping systems in the U.S. and Canada, mostly for Type 1 diabetes patients. J&J doesn't break out revenue numbers for the device, though Dr. Levy characterized it as a "very good seller."

Parents like the convenience of the systems, which include a pump for delivering insulin and a meter for measuring blood-sugar levels that can also be used as a remote to program the pump. The meter communicates with the pump, from as far as 25 feet away, over unencrypted radio frequencies.

Late last month, the company sent a letter to doctors and patients warning a hacker could identify the specific frequency the device is using and then issue commands to the pump.

The warning, first reported by Reuters, is the latest indication of the susceptibility of medical devices to computer hacking, a mounting worry as they are increasingly connected to the internet, hospital computer networks and to other medical devices.

So far, the fears haven't been realized. No instances of medical-device hacking have been disclosed, consultants and industry officials say, though firms that advise companies how to reduce their risks of cyberattacks have found and publicized vulnerabilities.

St. Jude Medical Inc. shares fell in August after a short seller and a cybersecurity firm that were working together said they found bugs in some of the company's pacemakers and implantable defibrillators, allegations that St. Jude called "irresponsible, misleading."

Yet the health risk to patients from a cyberattack on a medical device is serious enough that regulators and companies have been taking steps to upgrade security.

This year, the Food and Drug Administration issued a draft of rules for identifying and addressing weaknesses. The agency later issued warnings about the vulnerabilities of some infusion pump systems, made by Pfizer Inc.'s Hospira business, that deliver drugs intravenously to patients.

Following the agency's recommendations, J&J set up a website in April to receive reports of medical-device vulnerabilities. Shortly afterward, a cybersecurity consulting firm reported the OneTouch Ping's flaws, said Marene Allison, J&J's chief information security officer.

At that time, the New Brunswick, N.J., company confirmed the weakness, notified authorities and sent the letter to patients and doctors on Sept. 27.

Dr. Levy said the company hasn't found any vulnerabilities in another system, Animas Vibe, in which a blood-sugar measuring device sends readings to the insulin-deliver pump using radio frequencies.

The OmniPod insulin pump system, made by Insulet Corp., also includes a device that communicates wirelessly to deliver insulin. A spokeswoman for the Billerica, Mass., company did not respond to requests for comment.

Write to Jonathan D. Rockoff at Jonathan.Rockoff@wsj.com

(END) Dow Jones Newswires

October 04, 2016 16:15 ET (20:15 GMT)

Johnson and Johnson (NYSE:JNJ)
Historical Stock Chart
From Mar 2024 to Apr 2024

Johnson and Johnson (NYSE:JNJ)
Historical Stock Chart
From Apr 2023 to Apr 2024