Johnson & Johnson Warns Patients of an Insulin Pump Cyber Bug

Insulin pumps are potentially open to hacking

In the modern world of the internet, just about everyone and everything needs proper cyber security.

Especially when it comes to healthcare.

Johnson & Johnson didn’t get the memo it seems.

Why do we say that?

Because the company recently announced that hackers had hacked some of its patients’ insulin pumps.

The company said that the attack was possible because of a potential vulnerability in its insulin pumps.

Johnson & Johnson sells these insulin pumps under the brand name Animas OneTouch Ping.

The bug could allow hackers and other cybercriminals to access and exploit the pump’s systems.

Here is the scary part though:

Hackers could easily overdose diabetic patients by delivering more than the recommended amount of insulin through the pump.

Patients usually wear these insulin pumps attached to their bodies.

After that, these insulin pumps inject the required amount of insulin via catheters.

Johnson & Johnson representatives say that the risk involved in using these pumps is low even with the vulnerability present.

Notably, Johnson & Johnson is one of the few health device manufacturers that has openly issued a vulnerability warning.

As mentioned before, the warning is directed towards patients who use the pump to control the insulin amount in their bodies.

It seems that they too need to be more aware of cyber security and cyber threats.

Cyber security in healthcare is currently a hot topic as far as the industry is concerned.

Why?

Insulin injection is nothing new. Hackers hacking insulin pumps is.

Because just last month some reports in the media revealed that medical devices such as pacemakers and defibrillators also had potential vulnerabilities.

Just for clarity’s sake, Johnson & Johnson representatives say that they are not aware of any case in which a hacker has tried to exploit the bug in their medical devices.

Johnson & Johnson’s latest product, the Animas OneTouch Ping insulin device, is used by many diabetic patients, so if there is a potential bug it should be fixed as early as possible.

The company has moved quickly to advise its customers on the issue and ways to fix it.

Johnson & Johnson has also sent letters to patients and doctors throughout the US and Canada who work with the company’s devices.

The company has also stated that the probability of unauthorized access to its insulin pump is actually very low.

Cyber security research firms warned of potential life-threatening consequences of cyber attacks on heart devices earlier this year.

The heart devices they talked about belonged to St. Jude Medical Inc.

Moreover, agencies such as the United States Food and Drug Administration have also looked into these issues.

It has also prepared guidelines that medical device manufacturers should follow to manage cyber vulnerabilities in their products.

What about Johnson & Johnson itself?

Has it done anything to counter potential problems?

Yes, it has.

Recently the company pointed out that its representatives worked on finding solutions to these cyber security problems.

The company cooperated with J Radcliffe, a diabetic patient and Rapid7 medical device researcher.

For those who don’t know, Rapid7 is a cyber security firm that studies potential exploits and hacking avenues in various devices.

The researcher also reported on potential vulnerabilities in the company’s insulin pumps.

Johnson & Johnson Insulin Pump Problems

Patients who want to protect themselves against hacks will have to disable some features.

The new Animas OneTouch Ping comes with a remote control that works wirelessly.

Patients can control the pump to get the required dose of insulin to their bodies.

That way, patients don’t need to have access to the medical device itself.

Moreover, patients usually wear the device under clothing.

And that makes it inconvenient to reach.

Hackers can use this wireless link to spoof communications between the Animas OneTouch Ping insulin pump and the remote control itself.

Security researchers at Rapid7 have also found that hackers can then force the device to deliver unauthorized insulin doses into the patient’s body.

How is that bad?

Let’s just say that too much insulin is bad for the patient because it can cause hypoglycemia.

In other words, low levels of sugar in the blood.

We also know that this can become life-threatening in some cases.

That is what Brian Levy, the chief medical officer at Johnson & Johnson’s diabetes unit, believes.

Why is the system vulnerable?

According to researchers, it is the fundamental design of the system that makes it vulnerable.

The communications that take place between the remote control and the insulin pump are not encrypted.

In other words, they are sent in the clear, not scrambled.

And hence hackers can access the insulin pump’s systems to control it.

Johnson & Johnson technicians replicated the findings from the security researcher and confirmed the issue:

Hackers could indeed control the pump and force it to inject insulin into the patient’s body.

The technicians also said that hackers could do so from up to 25 feet away from the patient.

But cyber attacks of this sort are very difficult to carry out.

Why?

Because it would require a lot of expertise and specialized knowledge on the part of the hacker.

Such an operation would also require some really sophisticated and expensive equipment.

Regardless, Johnson & Johnson has moved quickly to allay the fears of their customers.

The company has said that any concerned patient can follow certain steps to make sure they are safe from potential cyber attacks.

To start off, Johnson & Johnson said patients could just discontinue their use of the wireless remote control.

Patients could also disable the pump’s remote-control programming and set a limit on the maximum insulin dose.

This is a good time to mention that the vulnerabilities currently in the spotlight are only found in Johnson & Johnson’s Animas OneTouch Ping pump.

Other insulin pumps such as Animas Vibe don’t have such vulnerabilities.

Beating Cyber Threats

Manual insulin injection, though safe from hackers, is very awkward

Medical devices have one thing in common:

All of them have embedded computer systems which are configurable.

And hence all these devices are inherently vulnerable to cyber attacks.

The problem is compounded by the fact that more and more medical devices are now interconnected.

To interconnect these devices, manufacturers have no other choice but to use the internet.

Moreover, these devices are also connected to hospital networks along with other medical devices.

Now, even smartphones are programmed to connect with these medical devices.

All of this increases the risk of cyber attacks.

Cyberattacks, as mentioned before, exploit the fundamental ways in which these medical devices work.

There are a ton of cybersecurity vulnerabilities.

And hackers can use all these opportunities to cause more untoward incidents.

Almost all of such potential attacks would negatively impact hospital networks and the medical devices themselves.

Some of the potential cyber attack scenarios are as follows:

  • Malware could easily disable or infect medical devices that are configurable and connected to an insecure network.
  • Malware could infect hospital smartphones, tablets, and computers.
    Hackers could then target mobile devices to wirelessly access patient data, monitoring systems and even devices implanted in the patient’s body.
  • Hackers can also take advantage of lapses that occur while distributing important passwords.
    Sometimes passwords are disabled, which can further complicate things.
    Software that has hard-coded passwords for privileged device access is also at risk.
    Sometimes these passwords are used to grant access to administrative, technical and maintenance personnel and hence can get misplaced.
  • If medical devices don’t get timely software security updates and related patches, then hackers can move in there as well.
    Technicians should also provide updates for networks and older medical devices, which may also have vulnerabilities.

A cyber threat may also come in the form of off-the-shelf security software.

These types of software applications usually have security vulnerabilities of their own.

And even though they are designed to prevent unauthorized access via the device or the network, hackers can still take advantage of:

  • Plain-text files
  • No authentication
  • Hard-coded passwords
  • Substandard coding and SQL injection techniques
  • Service manuals which have documentation related to service accounts

The Problem With Internet Of Things Is Security

Johnson & Johnson, as a company, may not understand the bigger picture.

Mainly, that it isn’t impossible for hackers to exploit security problems in the company’s medical pumps.

All signs indicate that the company is delusional about the whole situation.

Consider this:

If a hacker has access to equipment like an insulin pump and its bundled remote control, then the hacker can test out ideas related to exploiting security vulnerabilities with the device.

The hacker will not need any sophisticated technology which may or may not be expensive.

And, to say that hackers don’t have the means and the right incentives to attack J&J pumps is lunacy.

Software-defined radios can come cheap.

In fact, around $300 is sufficient to buy such a device and then use it against a given radio frequency link.

We know that the Internet of Things and RF IoT get a lot of hype.

And because of that, security firms focus only on vulnerabilities that are easily identified and then exploited.

What they don’t understand is that hackers can choose other ways as well.

There are several insulin pump vulnerabilities that do not require a great deal of sophistication or knowledge.

Exploiting such vulnerabilities can easily grant hackers the control of J&J Animas pumps.

What Do Botnets Have To Do With This?

Animas pumps which are not connected to the internet are not as lucrative for hackers as the ones which are.

According to Anthony Dibello, who is the senior director of product management and marketing at Guidance Software, the risk is real.

He says that medical devices that connect to each other and to the internet are genuinely at risk.

Anthony also says that the risk primarily comes from devices which are vulnerable to botnet malware.

Hackers can infect such devices and then leverage them to support a massive DDoS attack.

Take Mirai malware for example.

This is a piece of code that the hackers used to control millions of IoT devices.

The hackers then used these controlled devices to form a botnet.

And with the help of that botnet, they launched one of the biggest DDoS cyber attacks in the history of the internet.

The bad news is, that Mirai software just surfaced again.

Only this time, anyone could download it and then use it with proper tools.

In a recent interview with TechNewsWorld, Dibello said that the Mirai source code was indeed out in the world.

He further said that malicious developers could indeed augment the Mirai software to hack into more device types.

These device types could include medical devices.

This would effectively increase the scope of botnet-driven attacks to a great extent.

Previous Hacked Medical Devices

As mentioned before, it is not hard to hack insulin pumps.

Barnaby Jack, a McAfee researcher, provided a proof-of-concept hack and demonstrated it at the Hacker Halted conference held in Miami in 2011.

Jack used home-brewed hardware and software.

Using those he seized control of an insulin pump.

At the time of the experiment, he was 300 feet away from the pump.

Shockingly enough, Jack had no problems in giving commands to the insulin pump.

Using his setup he showed off commands that instructed the pump to dump everything in its reservoir in one go.

Hackers can also hack other medical devices apart from insulin pumps.

Back in 2008, researchers showed exactly how hackers could control and then compromise devices such as pacemakers and implantable cardiac equipment.

If controlled, hackers could turn off these devices and could even issue them commands that would deliver electric shocks to the patient.

As you can probably imagine, scenarios such as these could very well be life-threatening.

How To Secure The Insulin Pumps?

As mentioned before, OneTouch Ping insulin pump users can take precautions to secure themselves and their devices against hackers who want unauthorized access.

Animas says that patients should turn off the pump’s wireless features if they feel it would help them stay secure.

There is a downside though.

With the wireless feature disabled, the device can’t take automatic glucose readings.

Patients will then have to enter readings on their devices manually.

Moreover, patients can also customize insulin injection amounts.

Then, they can instruct the device to sound an alarm if those entered values are changed without their knowledge or prior permission.

Animas has also advised patients to turn on a new vibrating feature.

This feature alerts the patient when an insulin dose is due.

If the patient feels something is wrong then the patient can cancel the injection.
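A constructed model of the two designs the article contrasts: the unauthenticated remote command channel described under “Why is the system vulnerable?”, beside a hardened channel that authenticates each remote command with a shared key, rejects replays, and enforces the patient-set maximum dose with an alarm, as in the precautions above. This is an added example, not Animas code or the OneTouch Ping protocol; the key, command format, counter and dose values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed patient-configured ceiling for a single dose, in insulin units.
MAX_BOLUS_UNITS = 10.0


class PumpError(Exception):
    """Raised when a remote command is rejected by the pump."""


def command_bytes(counter: int, units: float) -> bytes:
    # Constructed wire format: "<counter>:<units>"; both sides must agree.
    return f"{counter}:{units}".encode()


def remote_sign(key: bytes, counter: int, units: float) -> bytes:
    # What a paired remote would attach to each command (HMAC-SHA256).
    return hmac.new(key, command_bytes(counter, units), hashlib.sha256).digest()


@dataclass
class Pump:
    key: bytes                          # secret shared only with the paired remote
    max_bolus: float = MAX_BOLUS_UNITS
    last_counter: int = 0               # highest counter accepted so far
    delivered: float = 0.0
    alarms: list = field(default_factory=list)

    def apply_unauthenticated(self, units: float) -> float:
        # Vulnerable design: any radio that formats a command is obeyed as-is.
        self.delivered += units
        return units

    def apply_authenticated(self, counter: int, units: float, tag: bytes) -> float:
        # Hardened design: verify origin, freshness and dose limit before acting.
        expected = remote_sign(self.key, counter, units)
        if not hmac.compare_digest(tag, expected):
            self.alarms.append("bad-auth")
            raise PumpError("rejected: bad authentication tag")
        if counter <= self.last_counter:
            self.alarms.append("replay")
            raise PumpError("rejected: replayed command")
        if units > self.max_bolus:
            self.alarms.append("dose-limit")
            raise PumpError("rejected: exceeds maximum dose")
        self.last_counter = counter
        self.delivered += units
        return units


def handle(pump: Pump, counter: int, units: float, tag: bytes) -> str:
    # Convenience wrapper: returns "accepted" or the rejection reason.
    try:
        pump.apply_authenticated(counter, units, tag)
        return "accepted"
    except PumpError as exc:
        return str(exc)
```

The unauthenticated pump accepts any dose from any sender, while the hardened pump records an alarm for each rejected command so the patient can notice tampering.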

Guidelines For Medical Device Manufacturers

Needless to say, manufacturers should be more vigilant.

They should take all the necessary steps to identify risks and other hazards associated with their devices.

Manufacturers should also give proper attention to issues related to cyber security.

They should also put in place appropriate measures to ensure patient safety.

Manufacturers should ensure that normal device performance is possible even under difficult circumstances.

Generally speaking, medical device manufacturers do take the necessary steps to safeguard patients against unauthorized access to their devices.

To know if your device is sufficiently safe, follow the guidelines given below:

  • Only trusted users should have authorized access to medical devices.
    Medical devices which are life-sustaining and directly connected to hospital networks should have extra security measures.
  • Security features should include advanced user authentication systems.
    Examples include a smart card or biometric check, a unique user ID with a related password, password protection via encryption, no hard-coded passwords, restricting public access to user passwords even for technical staff, and card readers along with physical locks.
  • Manufacturers should provide appropriate recovery and retention methods if a device’s security is compromised.
  • Medical device manufacturers must design their devices in a way that the device can maintain its critical functionality even when hacked.
  • Individual components of devices should have proper protection from exploitation.

Finally, any medical device’s environment should have active security measures.

Companies involved with these devices should develop strategies with due attention and consideration.

Some of the strategies could be:

  • Regular and consistent routine deployment
  • Validated security patches on time
  • Updates for a device’s firmware or software should have authentication codes

Hackers are not going to slow down.

The future is going to have even more hacking opportunities for cyber criminals.

Medical device manufacturers must properly protect their devices against hackers.

Manufacturers need to address issues related to the degradation of a device’s operation, along with recovery and restoration techniques.
