Threat to Johnson & Johnson’s cyber-security could lead to insulin overdose

Another hacking scandal comes from beneath the murky waters of the World Wide Web.

This time, it’s Johnson & Johnson.

The pharmaceutical manufacturers are warning patients of a cyber-attack where a hacker is thought to have access to the medical pumps that could administer more insulin than necessary, causing diabetic patients to overdose.

It goes without saying, this is a potentially serious issue.

The potential security threat was initially discovered by Senior Security Consultant, Jay Radcliffe, who found that the hackers could gain access because communication on the OneTouch Ping system was not encrypted. If the data had been encrypted then it makes it harder for an unauthorised person to access the information. In short, it turns sensitive information into possibly unintelligible data.

Without getting too technical, the OneTouch Ping system allows patients to use a wireless remote control to pump in their required dose of insulin. By not having the protection of an encrypted form of communication, a hacker could trick the remote control and trigger unauthorised insulin injections. The increased injections could potentially harm users, causing them to have a hypoglycemic reaction.

As far as we’re aware,  no one has suffered as a result of the problem so far; and hopefully no one will!

Playing it down

The company recently released a statement to combat any potential wild theories saying:

“…the probability of unauthorised access to the OneTouch Ping system is extremely low.”

They continue to say that it’s not a cause for panic, and that it’s safe and reliable to use. But people can minimise the risk of an attack by not using the remote control, and by programming the pump to limit the maximum dosage.

This may not stop thousands of users from panicking though.

114,000 patients informed

Moving forward, the standard encryption with a unique key pair could solve these issues and worries of any future cyber-attack. In the meantime, J&J has sent out letters to doctors and around 114,000 patients to warn them of the cyber-attack and the safety precautions they can take.

First time for a medical device hack?

This may be the first time that a medical device manufacturer has announced a potential cyber-security problem affecting a product. The announcement may have been made to ensure protection against any potential risk, so it can be seen as possibly commendable that the manufacturer took such pre-emptive actions.

Then again, we can never be too careful when it comes to cyber security and people’s health.

In another similar case, pacemaker manufacturer St Jude Medical was accused of having a security flaw, but they subsequently sued the company that released the rumours, which were later found to be untrue. If companies and organisations are open and transparent with their customers, this may enhance their credibility as a company. J&J’s shares almost stayed the same post-revelation which could be because they kept their customers well-informed.

As technology expands, there is always going to be inevitable and greater security risks. Companies like J&J should keep their customers well-informed of any security vulnerabilities, even if its a small one. When you compare this with Yahoo, who allegedly took up to two years to release the information that 500 million of their customers’ accounts had been hacked, we see two very different stances.

Moral of the story: keep your customers happy by keeping them in the know.

“Data breach fines that could dismantle a company” – The Payment Card Industry Security Standards Council imposes a new EU regulation that could impose £122 billion worth of data breach fines on U.K. companies, taking effect in 2018

“Did Weebly do enough to fend off the hackers?” – Weebly and Foursquare in a potential breach of their customers’ personal information