- Rapid7, a cybersecurity research firm, has identified three security vulnerabilities in the Animas OneTouch Ping insulin pump, a remote blood glucose meter.
- Jay Radcliffe, a diabetic and researcher at Rapid7, alerted Animas in April and has been working with the Johnson & Johnson company to address these issues.
- The vulnerability could allow unauthorized access to the OneTouch Ping via its unencrypted radio frequency communication system, although it is unlikely any breaches have occurred and future risk is low, Animas said in an October 4 letter.
The vulnerability in the OneTouch Ping could potentially allow an unauthorized party to obtain health information or to administer insulin. However, this would require someone in close proximity to the device and patient, as well as advanced technical knowledge. In its letter to patients and providers, Animas recommended that patients concerned about a breach turn off the remote functionality.
While there appears to be little risk associated with the OneTouch Ping, cybersecurity remains a concern for medical device makers, providers and patients. St. Jude Medical is currently engaged in a legal battle over allegations of security flaws in its pacemakers and defibrillators. The FDA also recently announced it would make cybersecurity a priority moving forward.
While concern is warranted, all parties should take news of cybersecurity vulnerabilities with a grain of salt while understanding that the threats are real. In the case involving St. Jude, the medical device maker denied the allegations and accused cybersecurity firm MedSec and investment firm Muddy Waters Capital, which revealed the vulnerabilities, of releasing the information in a profit-making move. In the case of OneTouch Ping pumps, the real likelihood of a breach occurring is low and there is a quick fix. That said, it shouldn't be discounted that the medical device industry is entering a new age of greater cybersecurity awareness and should be considering such concerns in R&D.