Hacking: Another year, another insulin pump maker outed on stage

Johnson & Johnson (NYSE:JNJ) and its Animas subsidiary found themselves in the spotlight yesterday during 1 of the world’s largest cybersecurity conferences, when well-known medical device hacker Jay Radcliffe demonstrated, live on stage, a "feature" of the Animas Ping insulin pump that Radcliffe says could harm or kill unsuspecting patients.

Before an audience of security experts, each of whom paid between $1,800 and $2,200 to attend the Las Vegas conference, Radcliffe showed how the Ping insulin pump "forgets" its recent insulin dosing history when its battery is swapped.

Radcliffe, a senior security analyst for InGuardians, described the issue as a problem, but Johnson & Johnson has maintained that it’s a safety feature. Animas officials were supposed to be in attendance for a joint press conference with Radcliffe, but had to back out at the last minute due to a scheduling conflict, Radcliffe said.

The feature/flaw in question occurs every time the Ping’s battery is disconnected for any amount of time, such as during routine changing. Radcliffe showed on screen that his Ping pump had calculated, based on an earlier injection, that he had about 5.5 units of insulin in his body at the time he was giving his presentation. He had let his blood sugar levels rise dangerously high for the purpose of the demonstration, showing that his blood sugar was 342 mg/dL, when it should have been around 110 mg/dL.

The pump calculated, based on Radcliffe’s insulin and glucose levels, that he needed about 8 units of insulin to get back on track, and recommended a 2.5 unit dose to complement the 5.5 units already in his body.

Less than 60 seconds later, after Radcliffe popped the battery out and back in, the Ping pump had retained the time and date information and still had Radcliffe’s basic stats, but had wiped his pre-swap insulin levels, now showing 0 instead of 5.5. When Radcliffe entered the same 342 blood glucose level, the post-swap Ping system recommended 8 units of insulin, a potentially deadly overdose.
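The difference between the two readings comes down to where the insulin-on-board value lives across a power loss. The following C sketch is an added illustration, not Animas firmware or code from Radcliffe's talk; every name in it is hypothetical, the integrity word is a constructed stand-in, and the model deliberately ignores insulin decay over time. It contrasts a boot path that trusts a zeroed value with one that restores a committed record or refuses to suggest a dose.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not Animas firmware. Insulin is held in tenths of a unit. */
typedef struct {
    int32_t  iob_tenths;   /* insulin on board when the record was written */
    uint32_t saved_at_s;   /* device clock at write time */
    uint32_t check;        /* integrity word over the two fields above */
} iob_record;

static iob_record nv_store;      /* stands in for EEPROM/flash: survives battery removal */
static int32_t    ram_iob;       /* working copy in RAM: lost on battery removal */
static bool       iob_known = true;

static uint32_t record_check(const iob_record *r) {
    return ((uint32_t)r->iob_tenths * 2654435761u) ^ r->saved_at_s ^ 0xA5A5A5A5u;
}

/* Every delivered bolus updates RAM and is committed to non-volatile storage. */
void record_bolus(int32_t tenths, uint32_t now_s) {
    ram_iob += tenths;
    nv_store.iob_tenths = ram_iob;
    nv_store.saved_at_s = now_s;
    nv_store.check = record_check(&nv_store);
}

/* Behaviour reported in the article: history comes back as 0 and is trusted. */
void boot_volatile_only(void) { ram_iob = 0; iob_known = true; }

/* Alternative: restore the last committed value, or mark the state unknown. */
void boot_with_restore(void) {
    ram_iob = 0;
    iob_known = (nv_store.check == record_check(&nv_store));
    if (iob_known) ram_iob = nv_store.iob_tenths;  /* stale value errs toward a smaller dose */
}

/* Returns tenths of a unit to suggest, or -1 when no suggestion can be made safely. */
int32_t recommend(int32_t total_needed_tenths) {
    if (!iob_known) return -1;   /* require the user to confirm recent doses first */
    int32_t dose = total_needed_tenths - ram_iob;
    return dose > 0 ? dose : 0;
}
```

With the article's figures (8 units needed, 5.5 on board), the restore path keeps the suggestion at 2.5 units after a power cycle, while the volatile-only path returns the full 8.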

Radcliffe, who has had experiences with medical device reporting in the past, took to the FDA’s MAUDE adverse event reporting database to submit his concerns, receiving what he described as a very friendly response from Animas representatives, who insisted that Radcliffe’s so-called flaw was anything but.

"We have been in direct communication with Jay Radcliffe and thank him for bringing his concern to our attention," Johnson & Johnson said in a statement sent to MassDevice.com. "It’s important to clarify that his concern with our product is not a software flaw but a deliberate pump design decision. The product is operating as intended and as described in our Instructions for Use Manual, and as explained to patients during training."

During his presentation, Radcliffe laughed about the "read the manual" reaction, so common a retort to technology complaints that it has become something of an inside joke among engineers. Radcliffe conceded that the manual does indeed explain that the body insulin meter wipes clean when the power goes out, but insisted that, if not an issue, it’s at least a poor design feature and 1 that many other devices don’t share.

Radcliffe tested 2 different Medtronic (NYSE:MDT) insulin pumps, a Smiths Medical Cozmo pump and Insulet’s (NSDQ:PODD) OmniPod in search of similar battery-related data dumping, but said only the Ping pump behaved that way.

It’s not the 1st time that Radcliffe has pushed a medical device into the cybersecurity spotlight. In 2011 he hacked his own insulin pump, then a Medtronic device, live on stage during a Black Hat presentation, and earlier this month he issued new warnings on his Animas Ping pump ahead of his presentation.

Medical device hacking in general appears to be an ever-growing part of the cybersecurity community’s focus, with 2 separate panels slated for this year’s Black Hat conference. The 2nd presentation was supposed to be given today by high-profile hacker Barnaby Jack, who died suddenly last week, leaving in his wake a raft of mourners and memorials and no shortage of conspiracy theories.

The medical device industry hasn’t gotten quite that cozy with hackers, but they may be heading in that direction. When Radcliffe 1st publicized his hacking in 2011, he said he was largely snubbed and accused Medtronic of ignoring his warnings, which the company flatly denied.

Just a year later Radcliffe sat beside Medtronic officials during a panel discussion in Washington, exploring medical device cybersecurity. Now Radcliffe’s made some connections at Johnson & Johnson, even though the company says the "flaw" he uncovered is anything but.

"We value Mr. Radcliffe’s input and we will consider it, as we do feedback from our other customers, as we continue to develop new products and enhancements to existing products," Johnson & Johnson told MassDevice.com earlier this month.
