Recently Johnson & Johnson informed their patients that a potential cyber security bug has hit one of its insulin pumps (Animas OneTouch Ping insulin pump) which can provision cyber criminals and hackers to exploit the device to overdose diabetic patients with insulin. The insulin pump is a medical device that patients attach to their bodies that inject insulin through catheters. They have currently identified the risk of the vulnerability as low.
It’s one of the few times any health device manufacturer has had issued such a warning to patients about cyber security. it is also currently a hot topic in the industry following revelations last month about possible vulnerabilities in a pacemaker and defibrillators.
In addition, the executives of Johnson & Johnson have informed that they knew of no examples of attempted attacks on the devices – Johnson & Johnson’s Animas OneTouch Ping insulin pump. The company is, however, warning all its customers and providing advice on how to fix the problem.
In one of the letters mailed out to doctors and patients in the US and Canada who use the device, the company said: “The probability of unauthorized access to the OneTouch Ping system is extremely low”.
Earlier this year there were multiple claims by a cyber security research firm which alleged of potential life-threatening cyber vulnerabilities in heart devices from St. Jude Medical Inc . The US Food and Drug Administration is also preparing to release a formal guidance on how medical device makers should handle reports about cyber vulnerabilities.
Johnson and Johnson’s executives also noted that they worked on the security problems with Jay Radcliffe, a diabetic, and well known medical device hacking researcher with cyber security firm Rapid7 who reported vulnerabilities in the pump to the company.
The vulnerability identified with the Insulin Pump
The Animas OneTouch Ping is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and could be awkward to reach.
The security researcher has identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections. Dosing a patient with too much insulin could cause hypoglycemia, or low blood sugar, which in extreme cases can be life-threatening, said Brian Levy, chief medical officer with J&J’s diabetes unit.
The system is fundamentally vulnerable because those communications between the insulin pump and remote control are not encrypted, or scrambled, to prevent hackers from gaining access to the device.
The technicians within Johnson and Johnson were able to replicate the security researcher‘s findings, confirming that a hacker could order the pump to dose insulin from a distance of up to 25 feet. Even though it is agreed upon that such attacks are difficult to pull off because the cyber criminals or hackers would require specialized technical expertise and sophisticated equipment.
Johnson & Johnson’s letter to doctors and patients said that if patients were concerned, they could take several steps to thwart potential attacks which include discontinuing the use of a wireless remote control and programming the pump to limit the maximum insulin dose.
It is to be noted that vulnerabilities were only identified in Johnson & Johnson’s Animas OneTouch Ping, but not the Animas Vibe line of insulin pumps.
Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.
Cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations are enormous, including:
- Network-connected/configured medical devices infected or disabled by malware;
- The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;
- Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
- Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);
Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection
Internet of Insecure Things
However, Animas may be deluding itself about the difficulty of exploiting the cyber security issue in its pumps. If the attacker has access to a pump and remote for testing the whole idea of the exploiting the vulnerability requires expensive sophisticated technology may not be true in all cases. Multiple software defined radios which are quite inexpensive can be had for $300 to bypass and hack Radio Frequency (RF).
A lot of hype around Internet of Things (IOT) including RF IOT is currently transcending wherein the security community is focusing on identifying and exploiting multiple security vulnerabilities. For exploiting the vulnerabilities identified in the insulin pumps, a high degree of sophistication would not be needed to gain control of Animas’ pump.
Because the Animas pumps aren’t connected to the Internet, they may have less value to hackers than medical devices that have such connections, however.
“There is a real risk to connected medical devices right now — the risk of service disruption due to those devices becoming infected by botnet malware and leveraged to support large denial-of-service attacks,” maintained Anthony DiBello, senior director for product management and marketing at Guidance Software.
The source code for Mirai — the software used to corral millions of IoT devices into a botnet that recently launched one of the largest DDoS attacks in Internet history — recently turned up online for anyone to download.
“With the Mirai source code out in the wild, it is not a stretch to imagine malicious developers augmenting it to take advantage of additional device types, such as those used in the medical fields, to increase the scope of botnet-driven activities even further,” DiBello told TechNewsWorld.
Pumps Targeted Before
This isn’t the first time that a vulnerability has been found in an insulin pump. Five years ago, a proof-of-concept attack was demonstrated at the Hacker Halted conference in Miami on an insulin pump made by Medtronic.
Using home brewed software and hardware, McAfee researcher Barnaby Jack demonstrated how he could seize control of the pump from up to 300 feet and issue commands to it, including dumping its reservoir all at once.
Insulin pumps aren’t the only devices shown to be vulnerable to attack, either. Academic researchers in 2008 demonstrated how implantable cardiac devices and pacemakers could be compromised — either turned off, or used to issue life-threatening electric shocks to a patient.
Securing the Insulin Pump
Users of OneTouch Ping insulin pumps can take a number of steps to secure their device against unauthorized access, according to Animas. For example, the pump’s wireless feature can be turned off. If that’s done, however, glucose readings will have to be entered manually on the pump.
Further, insulin amounts can be customized. Any attempt to alter those amounts without a patient’s knowledge would set off an alarm.
Animus recommends activating the vibrating alert feature on the device so that when an insulin dose is about to be delivered, the patient has an option of canceling the delivery.
Suggestions to device manufacturers
Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cyber security, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.
The medical device manufacturers generally take appropriate steps to limit the opportunities for unauthorized access to medical devices.
In evaluating your device, consider the following:
- Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.
Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
- Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches, and methods to restrict software or firmware updates to authenticated code.
- Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
- Provide methods for retention and recovery after an incident where security has been compromised.
Cybersecurity incidents are increasingly likely to happen with more frequency and manufacturers are one of those entities who would reflect their incident response plans that address the possibility of degraded operation and efficient restoration and recovery.