Johnson & Johnson is warning users of its OneTouch Ping insulin pump that hackers could exploit a cybersecurity flaw to infuse additional doses of the diabetes drug without their knowledge, which could be life-threatening.
“The probability of unauthorized access to the OneTouch Ping System is extremely low,” the company said in a letter to patients alerting them to the risk. “It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the Internet or to any external network.”
The New Brunswick, New Jersey-based device maker said it has worked to address the issues and laid out steps patients can take to reduce their risk, such as turning off the pump’s wireless connection to a blood sugar meter, or setting a limit on the amount of insulin that can be delivered. While the potential risk with insulin pumps has been known since at least 2011, when a security conference in Las Vegas featured the hack of a Medtronic Plc device, the issue has gained attention as more devices include wireless technology to make them easier to use.
A cybersecurity researcher brought the risks to J&J’s attention in April after identifying ways to hack the device, according to Reuters, which first reported the weakness. That allowed the company to investigate and work with U.S. regulators and the hacker, the same security researcher who earlier exposed the issue with Medtronic’s pump.