Back in January, we blogged about the dangers of medical devices being hacked. This week, Johnson and Johnson (Stock: JNJ) took the unusual step of sending a letter to their clients about a cyber vulnerability in one of their insulin pumps. While they state that the chance of an actual attack is very low, they do provide multiple steps that a user can take, including turning off the radio that enables automatic recording of blood glucose levels.
We applaud Johnson and Johnson for being proactive, both in alerting users to the potential cyber vulnerability and in informing them of steps they can take to further secure the device. Obviously, future products from J&J likely won’t use a similar “unencrypted radio frequency communication system”. That’s a good thing!
Some of the steps users can take to secure the device also break desired functionality:
“If you are concerned about unauthorized access for any reason, the pump’s radio frequency feature can be turned off, which is explained in Chapter 2 of Section III of the OneTouch Ping Owner’s Booklet. However, turning off this feature means that the pump and meter will no longer communicate and blood glucose readings will need to be entered manually on the pump.”
However, they do provide other options that limit the risk but don’t eliminate it:
“If you choose to use the meter remote feature, another option for protection is to program the OneTouch Ping pump to limit the amount of bolus insulin that can be delivered. Bolus deliveries can be limited through a number of customizable settings. Any attempt to exceed or override these settings will trigger a pump alarm and prevent bolus insulin delivery.
“We also suggest turning on the Vibrating Alert feature of the OneTouch Ping System, as described in Chapter 4 of Section I. This notifies the user that a bolus dose is being initiated by the meter remote, which gives the patient the option of canceling the bolus.”
Clearly, this isn’t the type of letter you want to send out to your customers.
If you’re in the business of designing and manufacturing medical devices, you should already be well on your way to redesigning products to address potential cyber attack exposure, similar to J&J’s actions. It’s critical going forward that these types of exposures are eliminated, particularly given the increase in attacks on hospitals that have had to pay blackmail to unlock their hacked systems.