Hacking: Another year, another insulin pump maker outed on stage

Johnson & Johnson (NYSE:JNJ) and its Animas subsidiary found themselves in the spotlight yesterday during 1 of the world’s largest cybersecurity conferences, when well-known medical device hacker Jay Radcliffe demonstrated, live on stage, a "feature" of the Animas Ping insulin pump that Radcliffe says could harm or kill unsuspecting patients.

Before an audience of security experts, who paid between $1,800 and $2,200 apiece to attend the Las Vegas conference, Radcliffe showed how the Ping insulin pump "forgets" its recent insulin dosing history when its battery is swapped.

Radcliffe, a senior security analyst for InGuardians, described the issue as a problem, but Johnson & Johnson has maintained that it’s a safety feature. Animas officials were supposed to be in attendance for a joint press conference with Radcliffe, but had to back out at the last minute due to a scheduling conflict, Radcliffe said.

The feature/flaw in question occurs every time the Ping’s battery is disconnected for any amount of time, such as during routine changing. Radcliffe showed on screen that his Ping pump had calculated, based on an earlier injection, that he had about 5.5 units of insulin in his body at the time he was giving his presentation. He had let his blood sugar levels rise dangerously high for the purpose of the demonstration, showing that his blood sugar was 342 mg/dL, when it should have been around 110 mg/dL.

The pump indicated, based on Radcliffe’s insulin and glucose levels, that he needed about 8 units of insulin to get back on track, recommending a 2.5-unit dose to complement the 5.5 units already in his body.

Less than 60 seconds later, after Radcliffe popped the battery out and back in, the Ping pump had retained the time and date information and still had Radcliffe’s basic stats, but had wiped his pre-swap insulin levels, now showing 0 instead of 5.5. When Radcliffe entered the same 342 blood glucose level, the post-swap Ping system recommended 8 units of insulin, a potentially deadly overdose.

Radcliffe, who has had experiences with medical device reporting in the past, took to the FDA’s MAUDE adverse event reporting database to submit his concerns, receiving what he described as a very friendly response from Animas representatives, who insisted that Radcliffe’s so-called flaw was anything but.

"We have been in direct communication with Jay Radcliffe and thank him for bringing his concern to our attention," Johnson & Johnson said in a statement sent to MassDevice.com. "It’s important to clarify that his concern with our product is not a software flaw but a deliberate pump design decision. The product is operating as intended and as described in our Instructions for Use Manual, and as explained to patients during training."

During his presentation, Radcliffe laughed about the "read the manual" reaction, so common a retort to technology complaints that it has become something of an inside joke among engineers. Radcliffe conceded that the manual does indeed explain that the body insulin meter wipes clean when the power goes out, but insisted that, if not an issue, it’s at least a poor design feature and 1 that many other devices don’t share.

Radcliffe tested 2 different Medtronic (NYSE:MDT) insulin pumps, a Smiths Medical Cozmo pump and Insulet’s (NSDQ:PODD) OmniPod in search of similar battery-related data dumping, but said only the Ping pump behaved that way.

It’s not the 1st time that Radcliffe has pushed a medical device into the cybersecurity spotlight. In 2011 he hacked his own insulin pump, then a Medtronic device, live on stage during a Black Hat presentation, and earlier this month he issued new warnings on his Animas Ping pump ahead of his presentation.

Medical device hacking in general appears to be an ever-growing part of the cybersecurity community’s focus, with 2 separate panels slated for this year’s Black Hat conference. The 2nd presentation was supposed to be given today by high-profile hacker Barnaby Jack, who died suddenly last week, leaving in his wake a raft of mourners and memorials and no shortage of conspiracy theories.

The medical device industry hasn’t gotten quite that cozy with hackers, but they may be heading in that direction. When Radcliffe 1st publicized his hacking in 2011, he said he was largely snubbed and accused Medtronic of ignoring his warnings, which the company flatly denied.

Just a year later Radcliffe sat beside Medtronic officials during a panel discussion in Washington, exploring medical device cybersecurity. Now Radcliffe’s made some connections at Johnson & Johnson, even though the company says the "flaw" he uncovered is anything but.

"We value Mr. Radcliffe’s input and we will consider it, as we do feedback from our other customers, as we continue to develop new products and enhancements to existing products," Johnson & Johnson told MassDevice.com earlier this month.
