News is swirling over fresh revelations that the Animas OneTouch Ping insulin pump is at risk for hacking, with the manufacturer issuing a reassuring letter to patients that includes tips about reducing the cybersecurity risk.
On Tuesday Oct. 4, 2016 JnJ-owned Animas issued a cybersecurity alert to users of the OneTouch Ping, which has been available since 2008 and communicates with a glucose meter for remote bolusing.
JnJ says it discovered a potential flaw based on a tip from well-known cybersecurity expert Jay Radcliffe, who lives with T1D and made a name for himself by exposing hacking risks in Medtronic pumps several years ago. He contacted the company in April to say he'd discovered a way for someone to potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system.
They've collectively been exploring the issue since, have notified the FDA and Department of Homeland Security, and now six months later, are ready to reveal the issue publicly with specifics on how to combat it.
Of course, mainstream media picked up on the story quickly, though not quite to the level of frenzy we've seen in the past. Medical device hacking always makes for juicy news, and has been a plot line in popular TV shows like The Blacklist a few years ago.
In this case, Animas says the risk is extremely low and that no evidence exists of anyone actually hacking into the device. Instead, this is a "zero day" event in which the company is compelled to expose the vulnerability for transparency on the potential risk, and offer fixes.
To be clear, we at the 'Mine don't think this is particularly threatening. Honestly, we're more likely to see a Samsung Note 7 phone battery explode nearby than see someone hack into an insulin pump to do harm.
But nevertheless, security of our devices has to be taken seriously; it's an important topic on which
Now, the Animas pump becomes the latest device to raise red flags about the potential dangers...
Animas Explains the Issue
Earlier this week, JnJ organized a conference call with a small number of diabetes media and advocates to discuss this issue. On that call were JnJ's Chief Medical Officer Dr. Brian Levy and VP of Information Security Marene Allison.
They explained that JnJ had set up a website in April for patients about potential cybersecurity concerns, which was tied to the FDA guidance and came after 18 months of discussion between the manufacturer, the FDA's Cybersecurity Division and the Dept. of Homeland Security.
Soon after setting up that site, they received word from Radcliffe about this particular security flaw in the Animas Ping -- specifically that the unencrypted radio frequency used to enable remote communication between the pump and meter could potentially be tampered with, allowing someone to deliver insulin from as far as 25 feet away (Radcliffe has published the technical details on this Rapid7 info security website).
J&J Animas emphasizes that no one has hacked the OneTouch Ping. Rather, Radcliffe did his testing in a "controlled environment" just to prove that he could hack into the device and in doing so, exposed the potential risk.
The company spokespeople explained that they've decided not to issue an update for the meter remote in large part because of the very low risk, and the fact that the risk can be mitigated with some easy steps. A "patch fix" apparently isn't possible given the radio frequency used, as it would render the current systems unusable.
The letter the company sent to 114,000 Ping patients and their doctors in the U.S. and Canada offered this advice to those concerned:
Set Vibrating Alerts: Turn on the vibration feature for the insulin pump, which will notify a user that a bolus dose is being started by the meter remote. This gives the user the option to cancel any unwanted bolus, and of course it's only possible to change basic bolus and basal settings from the pump itself.
Watch Insulin History: Animas urges Ping users to keep tabs on the insulin history records inside the pump. Every insulin delivery amount, whether it's triggered by the meter or the pump, is recorded in this history and can be reviewed for any concerns.
Turn Off Meter Remote Feature: This will of course stop the radio frequency communication between the One Touch Ping meter and the insulin pump, meaning users won't be able to see blood sugar results on their pump or use the meter to control bolus dosing. Instead, users would have to manually key in BGs on the pump and bolus from that device.
Limit Bolus Amounts: For those who want to continue using the meter for remote bolusing, you can use the pump's settings to limit the max bolus amount, the amount delivered within the first two hours, and the total daily dose of insulin. Any attempt to exceed or override those settings will trigger a pump alarm and prevent bolus insulin delivery.
We appreciate Animas taking measures to calm fears and offer sound tips to those who might be worried. Still, it's odd that it took five years to discover this weakness in the Ping system given that a similar issue came up back in 2011 with a rival pump.
Animas says this isn't an issue for its current Animas Vibe system that communicates with the Dexcom CGM, because that doesn't include the same RF-enabled feature allowing the meter and pump to talk to each other. But of course the company says it plans to "build cybersecurity into future devices" as it moves forward with its product pipeline.
Cybersecurity Hacker Says...
For those who haven't heard Jay Radcliffe's name before, he's been prominent on the cybersecurity front for several years now. Diagnosed with T1D at age 22, he first made headlines in 2011 when hacking a Medtronic pump and releasing his findings about potential flaws -- also involving the remote bolusing feature -- at a leading hacker conference.
Then in an interesting turn of events, he joined forces with the FDA to become a consultant on medical cybersecurity issues. And he's now been working for cybersecurity firm Rapid7 since early 2014.
We reached out to him about this latest Animas cybersecurity discovery.
This time is different from the Medtronic situation, Radcliffe tells us, in that he had a chance to work with Animas directly before revealing the issue publicly. This time, the public release was timed in conjunction with the company's notice to consumers about how to protect themselves.
He says it's significant that this is the first time a major medical device manufacturer has proactively issued a warning about potential computer security flaws in a consumer product -- even when no related adverse events have been reported by customers.
He's happy with Animas' response, he says, and is not actually overly concerned about how safe and secure the OneTouch Ping is for PWDs.
"It is not perfect, but nothing is," Radcliffe wrote in an email to DiabetesMine. "If any of my children became diabetic and the medical staff recommended putting them on a pump, I would not hesitate to put them on a OneTouch Ping."
For the future, he hopes his discovery and consequential work with the vendor highlights why it's important for PWDs to be patient while manufacturers, regulators and researchers fully explore these highly complex devices.
"We all want the best technology right away, but done in a reckless, haphazard way puts the whole process back for everyone," he told us.
It's been fascinating to watch the conversation turn to open-source aspects of diabetes devices as it relates to this Animas cybersecurity risk.
Some opined that this was a veiled attempt by Animas to discredit open-source projects like Nightscout and #OpenAPS as risky endeavors based on unencrypted communication. Others wondered if it was more a ploy by Animas to seemingly throw up its hands and say, "Hey, D-device hackers and OpenAPS creators -- you can use our pumps and not just those from Medtronic!"
Still others in the open-source world pointed out that this ability to use the remote bolusing feature through unencrypted communication is a well-known issue that exposes little danger, but in fact opens up all kinds of possibilities for new D-tech innovations.
"Headlines about 'vulnerabilities' can be scary, but the reality is that being able to read data and control pumps has fostered an incredible ecosystem of innovation," says D-Dad Howard Look, CEO of the non-profit Tidepool that's creating an open platform for diabetes data and apps.
"We should be looking for ways to do more of this. And this innovation has made therapy more safe and effective. Device makers can make their data-control protocols available in safe, secure ways that do not stifle innovation. Those are not mutually exclusive goals."
Look says this isn't about open source, but rather about balancing of the risk of open data and control protocols with the benefit of allowing innovation from the community -- or from outside the walls of specific device-makers.
Some in the patient and open-source community are concerned that these scary headlines could push device makers and regulators to think the only way to secure devices is to take control protocols away. But that shouldn't be the case.
"Yes, make them secure in your future devices, but even open communications protocols (that are very hard to exploit, like these are) are better than none," Look says. "They enable a vibrant ecosystem of innovation that we should catalyze and encourage."
Evaluating Medical Device Cybersecurity
Of course, cybersecurity in medical devices is an ever-hotter topic being explored by many experts and organizations.
In May 2016, the California-based Diabetes Technology Society announced its DTSec (DTS Cybersecurity Standard for Connected Diabetes Devices project), created with the support of FDA, NIH, Dept. of Homeland Security, NASA, US Air Force and the National Institute of Standards and Technology! That had been in the works for about a year, and is now underway.
DTS leader Dr. David Klonoff, a California endocrinologist and Medical Director of the Diabetes Research Institute at the Mills-Peninsula Health Services facility, says the organization is now recruiting device manufacturers to adopt and have their products evaluated using the new DTSec standard. He says the group's in discussions with "several industry players," and they expect to see manufacturers signing on very soon.
So far, Animas hasn't acknowledged any interest in supporting the new DTS cybersecurity standard. Instead, the company has opted to take its issue on internally in conjunction with the FDA.
But with FDA regulators behind the new standard, it does seem only a matter of time before companies will be compelled to comply.
Klonoff thinks they will be, based on three key factors:
- DTS worked with the FDA on creating the DTSec standard, giving it true regulatory credibility
- Companies will feel it's a competitive advantage to show they have good cybersecurity. This allows them to document that...
- Those companies that hold out could eventually be potentially liable, either for regulatory fines or potential litigation if there’s ever a cybersecurity case against them; if they're not following this DTSec standard, it could be more difficult to make a claim that they didn’t do anything wrong.
“I do expect it to catch on, and while we’re talking to several U.S. device makers, we are also working to make this international,” Klonoff says.
As to the specific Animas cybersecurity issue, Klonoff says he believes it’s a case study on how these potential problems should be handled from every side. He praised J&J for "handling this responsibly" by working with FDA and Radcliffe, and by offering remedies that can address the issue.
“This is how it should be done, instead of creating fear without any fixes for the patient community or blowing it out of proportion,” Klonoff said. “This is how FDA wants these cybersecurity problems to be handled. Everyone did the right reporting and analysis here, and it shows there is hope for cybersecurity. This is a cybersecurity story that has a pretty good ending.”
We sure hope so.