Johnson & Johnson (NYSE:JNJ) and its Animas subsidiary found themselves in the spotlight yesterday during 1 of the world’s largest cybersecurity conferences, when well-known medical device hacker Jay Radcliffe demonstrated, live on stage, a "feature" of the Animas Ping insulin pump that Radcliffe says could harm or kill unsuspecting patients.
Before an audience of security experts, each of whom paid between $1,800 and $2,200 to attend the Las Vegas conference, Radcliffe showed how the Ping insulin pump "forgets" its recent insulin dosing history when its battery is swapped.
Radcliffe, a senior security analyst for InGuardians, described the issue as a problem, but Johnson & Johnson has maintained that it’s a safety feature. Animas officials were supposed to be in attendance for a joint press conference with Radcliffe, but had to back out at the last minute due to a scheduling conflict, Radcliffe said.
The feature/flaw in question occurs every time the Ping’s battery is disconnected for any amount of time, such as during routine changing. Radcliffe showed on screen that his Ping pump had calculated, based on an earlier injection, that he had about 5.5 units of insulin in his body at the time he was giving his presentation. He had let his blood sugar levels rise dangerously high for the purpose of the demonstration, showing that his blood sugar was 342 mg/dL, when it should have been around 110 mg/dL.
The pump recommended, based on Radcliffe’s insulin and glucose levels, that he needed about 8 units of insulin to get back on track, recommending a 2.5 unit dose to complement the 5.5 units already in his body.
Less than 60 seconds later, after Radcliffe popped the battery out and back in, the Ping pump had retained the time and date information and still had Radcliffe’s basic stats, but had wiped his pre-swap insulin levels, now showing 0 instead of 5.5. When Radcliffe entered the same 342 blood glucose level, the post-swap Ping system recommended 8 units of insulin, a potentially deadly overdose.
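The state loss described above, modelled as an added example (this is not Animas code or its dosing algorithm): a bolus calculator that keeps its dosing history only in RAM, beside one that rebuilds insulin on board from a log that survives a power cycle. The dose amounts, the linear decay and the 4-hour action window are constructed assumptions chosen so the numbers match the demonstration.

```python
"""Constructed model of a pump bolus calculator across a battery swap.
Not Animas firmware; the decay model and action window are assumptions."""
from dataclasses import dataclass, field

ACTION_HOURS = 4.0  # assumed duration of insulin action (linear decay)


def insulin_on_board(dose_log, now_h):
    """IOB from a log of (time_h, units) pairs using assumed linear decay."""
    iob = 0.0
    for t, units in dose_log:
        age = now_h - t
        if 0 <= age < ACTION_HOURS:
            iob += units * (1 - age / ACTION_HOURS)
    return round(iob, 2)


@dataclass
class Pump:
    persist_log: bool                              # False: history lives only in RAM
    ram_log: list = field(default_factory=list)    # volatile dosing history
    flash_log: list = field(default_factory=list)  # non-volatile copy (hardened)

    def record_dose(self, time_h, units):
        self.ram_log.append((time_h, units))
        if self.persist_log:
            self.flash_log.append((time_h, units))

    def battery_swap(self):
        """Power loss clears RAM; only a persisted log can be restored."""
        self.ram_log = list(self.flash_log) if self.persist_log else []

    def recommend(self, correction_units, now_h):
        """Correction bolus minus insulin still active, never negative."""
        iob = insulin_on_board(self.ram_log, now_h)
        return round(max(0.0, correction_units - iob), 2)


def demo(persist_log):
    """Replay the stage demo: 8 U correction needed, 5.5 U still active."""
    pump = Pump(persist_log)
    pump.record_dose(0.0, 11.0)   # constructed: 11 U given 2 h before the check
    before = pump.recommend(8.0, 2.0)
    pump.battery_swap()
    after = pump.recommend(8.0, 2.0)
    return before, after          # volatile: (2.5, 8.0); persisted: (2.5, 2.5)
```

With `persist_log=False` the post-swap recommendation jumps from 2.5 U to the full 8 U, reproducing the overdose scenario; with the log persisted the recommendation is unchanged by the power cycle.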
Radcliffe, who has had experiences with medical device reporting in the past, took to the FDA’s MAUDE adverse event reporting database to submit his concerns, receiving what he described as a very friendly response from Animas representatives, who insisted that Radcliffe’s so-called flaw was anything but.
"We have been in direct communication with Jay Radcliffe and thank him for bringing his concern to our attention," Johnson & Johnson said in a statement sent to MassDevice.com. "It’s important to clarify that his concern with our product is not a software flaw but a deliberate pump design decision. The product is operating as intended and as described in our Instructions for Use Manual, and as explained to patients during training."
During his presentation, Radcliffe laughed about the "read the manual" reaction, so common a retort to technology complaints that it has become something of an inside joke among engineers. Radcliffe conceded that the manual does indeed explain that the body insulin meter wipes clean when the power goes out, but insisted that, if not an issue, it’s at least a poor design feature and 1 that many other devices don’t share.
Radcliffe tested 2 different Medtronic (NYSE:MDT) insulin pumps, a Smiths Medical Cozmo pump and Insulet’s (NSDQ:PODD) OmniPod in search of similar battery-related data dumping, but said only the Ping pump behaved that way.
It’s not the 1st time that Radcliffe has pushed a medical device into the cybersecurity spotlight. In 2011 he hacked his own insulin pump, then a Medtronic device, live on stage during a Black Hat presentation, and earlier this month he issued new warnings on his Animas Ping pump ahead of his presentation.
Medical device hacking in general appears to be an ever-growing part of the cybersecurity community’s focus, with 2 separate panels slated for this year’s Black Hat conference. The 2nd presentation was supposed to be given today by high-profile hacker Barnaby Jack, who died suddenly last week, leaving in his wake a raft of mourners and memorials and no shortage of conspiracy theories.
The medical device industry hasn’t gotten quite that cozy with hackers, but they may be heading in that direction. When Radcliffe 1st publicized his hacking in 2011, he said he was largely snubbed and accused Medtronic of ignoring his warnings, which the company flatly denied.
Just a year later Radcliffe sat beside Medtronic officials during a panel discussion in Washington, exploring medical device cybersecurity. Now Radcliffe’s made some connections at Johnson & Johnson, even though the company says the "flaw" he uncovered is anything but.
"We value Mr. Radcliffe’s input and we will consider it, as we do feedback from our other customers, as we continue to develop new products and enhancements to existing products," Johnson & Johnson told MassDevice.com earlier this month.