Insulin Pump Could Be Hacked, Warns Chester County Company
by Ian Bush
PHILADELPHIA (CBS) -- An insulin pump made by a Chester County company is the subject of a warning that's thought to be a first from a medical device manufacturer. It involves security flaws that could allow a hacker to trigger an insulin injection.
The OneTouch Ping has a remote that communicates with the pump over an unencrypted radio frequency.
"Three vulnerabilities that were discovered by a security researcher have the potential to allow a malicious attacker to interfere with the pump's operation to deliver insulin doses when the patient is not specifically intended to have them," said Tim Erlin, part of the computer security firm TripWire.
Chesterbrook-based Animas and its parent Johnson & Johnson say one option for OneTouch Ping users is to turn on a vibrating alert, which signals when an insulin dose is triggered by the remote.
The companies note that "the probability of unauthorized access...is extremely low." Erlin agrees such an attack would be tough to pull off, and applauds Animas and J&J for publicly acknowledging the issue.
But, he says, when it comes to 'smart' medical equipment:
"We're headed in a direction of more connection, more connectivity between devices, and so now is the time to start putting in place the rigor for testing the security of these connected devices -- before we experience an attack of significance," said Erlin.
You can read a letter to patients sent by Animas HERE.
