Wednesday, 5 October 2016

On 10:03 by admin   No comments
Johnson & Johnson has warned over 100,000 diabetes patients of a flaw in their insulin pumps, marking the first time that a medical device manufacturer has publicly announced a cyber security problem with a product.
The US company sent patients a letter saying hackers could gain unauthorised access to its “OneTouch Ping” insulin pump using its unencrypted radio frequency communication system — but said the likelihood was “extremely low”.
The letter, sent to 114,000 users of the pump that is distributed in the US and Canada, came after Jay Radcliffe, a security researcher at Rapid7 and a Type-1 diabetic, discovered the flaw when experimenting on his own pump.
“The important thing is that this foreshadows what is coming with medical devices which are now being connected to cell phones and cloud computer systems,” Mr Radcliffe said.
The revelation came as scrutiny is growing of the cyber security capabilities of medical device manufacturers, which are embracing “Internet of Things” connectivity as part of a push towards remote monitoring.
St Jude Medical, a pacemaker manufacturer, was accused in August of having a security flaw in its devices in a report propagated by Muddy Waters. The hedge fund teamed up with security researchers at MedSec to short the stock. But St Jude Medical sued Muddy Waters, saying there was no security vulnerability.
J&J’s “OneTouch Ping” was developed in 2008 and does not connect to the internet. A hacker could only exploit the flaw when within metres of the patient. The pump would alert the user that it was administering insulin because of a remote instruction and it would hit up against a limit for how much insulin can be pumped. J&J said patients could turn off remote access on their pumps if they wished.
Shares in J&J barely budged after the announcement on Tuesday, closing up 0.01 per cent at $118.82. The company was praised by Rapid7 for co-operating with the security researcher and following new guidance by the Food and Drug Administration, the US regulator, on keeping the public informed.
Marene Allison, chief information security officer at J&J, said its product security team examines all of its connected devices. When told of the security flaw, it informed the FDA, the US Department of Homeland Security and the US Computer Emergency Readiness Team.
Dr Brian Levy, chief medical officer for J&J’s diabetes companies, said to threaten patient health, there would have to be a hacker with both the malicious intent and the technical expertise in close proximity to the pump user. He said he was “surprised” about the vulnerability because the device had been used since 2008 with no patient complaints about the matter.
“We take every patient complaint and concern exceedingly seriously,” he said. “Our pump administers insulin which is a life-saving medication or hormone without which people will get gravely ill or in the worst case scenario they might die.”

The Hackers Day Conference,  is a novel occasion  will be held in Lucknow, on the January 15th-16th, 2017. For more details : www.hackersday.org

0 comments:

Post a comment