Johnson & Johnson says insulin pumps could be hacked

Vulnerability could give cybercriminals a way to potentially force the pump to deliver unauthorized insulin injections.

Officials at Johnson & Johnson have sent out a letter warning users about the potential for a hacker to program the company's Animas OneTouch Ping insulin pump to deliver a fatal dose of the hormone to a user.

Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections, according to a Reuters report.

The system is vulnerable because those communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device, said Radcliffe, who reported vulnerabilities in the pump to J&J in April and published them this week on the Rapid7 blog.

According to Brian Levy, chief medical officer with J&J's diabetes unit, company technicians were able to replicate Radcliffe's findings, confirming that a hacker could order the pump to dose insulin from a distance of up to 25 feet. He added that such attacks are difficult to pull off because they require specialized technical expertise and sophisticated equipment.

"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent to doctors and roughly 114,000 patients in the U.S. and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."
