Hacking: Another year, another insulin pump maker outed on stage

Johnson & Johnson (NYSE:JNJ) and its Animas subsidiary found themselves in the spotlight yesterday during 1 of the world’s largest cybersecurity conferences, when well-known medical device hacker Jay Radcliffe demonstrated, live on stage, a "feature" of the Animas Ping insulin pump that Radcliffe says could harm or kill unsuspecting patients.

Before an audience of security experts, each of whom paid between $1,800 and $2,200 to attend the Las Vegas conference, Radcliffe showed how the Ping insulin pump "forgets" its recent insulin dosing history when its battery is swapped.

Radcliffe, a senior security analyst for InGuardians, described the issue as a problem, but Johnson & Johnson has maintained that it’s a safety feature. Animas officials were supposed to be in attendance for a joint press conference with Radcliffe, but had to back out at the last minute due to a scheduling conflict, Radcliffe said.

The feature/flaw in question occurs every time the Ping’s battery is disconnected for any amount of time, such as during routine changing. Radcliffe showed on screen that his Ping pump had calculated, based on an earlier injection, that he had about 5.5 units of insulin in his body at the time he was giving his presentation. He had let his blood sugar levels rise dangerously high for the purpose of the demonstration, showing that his blood sugar was 342 mg/dL, when it should have been around 110 mg/dL.

The pump calculated, based on Radcliffe’s insulin and glucose levels, that he needed about 8 units of insulin to get back on track, and recommended a 2.5-unit dose to complement the 5.5 units already in his body.

Less than 60 seconds later, after Radcliffe popped the battery out and back in, the Ping pump had retained the time and date information and still had Radcliffe’s basic stats, but had wiped his pre-swap insulin levels, now showing 0 instead of 5.5. When Radcliffe entered the same 342 blood glucose level, the post-swap Ping system recommended 8 units of insulin, a potentially deadly overdose.

Radcliffe, who has had experiences with medical device reporting in the past, took to the FDA’s MAUDE adverse event reporting database to submit his concerns, receiving what he described as a very friendly response from Animas representatives, who insisted that Radcliffe’s so-called flaw was anything but.

"We have been in direct communication with Jay Radcliffe and thank him for bringing his concern to our attention," Johnson & Johnson said in a statement sent to MassDevice.com. "It’s important to clarify that his concern with our product is not a software flaw but a deliberate pump design decision. The product is operating as intended and as described in our Instructions for Use Manual, and as explained to patients during training."

During his presentation, Radcliffe laughed about the "read the manual" reaction, so common a retort to technology complaints that it has become something of an inside joke among engineers. Radcliffe conceded that the manual does indeed explain that the body insulin meter wipes clean when the power goes out, but insisted that, if not an issue, it’s at least a poor design feature and 1 that many other devices don’t share.

Radcliffe tested 2 different Medtronic (NYSE:MDT) insulin pumps, a Smiths Medical Cozmo pump and Insulet’s (NSDQ:PODD) OmniPod in search of similar battery-related data dumping, but said only the Ping pump behaved that way.

It’s not the 1st time that Radcliffe has pushed a medical device into the cybersecurity spotlight. In 2011 he hacked his own insulin pump, then a Medtronic device, live on stage during a Black Hat presentation, and earlier this month he issued new warnings on his Animas Ping pump ahead of his presentation.

Medical device hacking in general appears to be an ever-growing part of the cybersecurity community’s focus, with 2 separate panels slated for this year’s Black Hat conference. The 2nd presentation was supposed to be given today by high-profile hacker Barnaby Jack, who died suddenly last week, leaving in his wake a raft of mourners and memorials and no shortage of conspiracy theories.

The medical device industry hasn’t gotten quite that cozy with hackers, but they may be heading in that direction. When Radcliffe 1st publicized his hacking in 2011, he said he was largely snubbed and accused Medtronic of ignoring his warnings, which the company flatly denied.

Just a year later Radcliffe sat beside Medtronic officials during a panel discussion in Washington, exploring medical device cybersecurity. Now Radcliffe’s made some connections at Johnson & Johnson, even though the company says the "flaw" he uncovered is anything but.

"We value Mr. Radcliffe’s input and we will consider it, as we do feedback from our other customers, as we continue to develop new products and enhancements to existing products," Johnson & Johnson told MassDevice.com earlier this month.
