News Feature | October 10, 2016

Security Flaws Compromise Animas Remote Glucose Meter

By Christine Kern, contributing writer


Cyber security research firm Rapid7 identifies three security vulnerabilities in meter.

Cybersecurity is on everyone’s radar these days and healthcare organizations are giving it more and more attention. Hospitals, insurers, and device-makers have all been victimized by cyberattacks in the past year and the FDA and HHS are both concerned with increasing security not only of patient records, but also in healthcare devices and wearables.

Now Rapid7, a cyber security research firm, has announced that it identified three separate security vulnerabilities in the Animas OneTouch Ping Insulin Pump that may leave patients in danger. The pump is paired with a blood glucose meter that works as a remote control via RF communication. Although Rapid7 says the relative risk of wide-scale exploitation of these vulnerabilities remains low, it does encourage users of the devices to think twice about continuing to use the remote-control feature.

According to the vendor’s website, the OneTouch Ping is a “two-part system” that “communicates wirelessly to deliver insulin” to the patient. The two devices use a proprietary management protocol to communicate over a 900 MHz band.

Rapid7 researcher Jay Radcliffe studied the pump and found that it uses cleartext rather than encrypted communications, which allows a remote attacker to spoof the Meter Remote and trigger unauthorized insulin injections. Such an attack would let a malicious actor remotely harm users of the system and potentially cause a hypoglycemic reaction in the patient. Rapid7 notified the vendor, Animas Corporation, as well as CERT/CC, the FDA, and DHS of these findings, and Animas has begun proactively notifying device users and recommending mitigations for the potential risks.
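The weakness described above is generic to any remote-control link that carries commands in the clear with no authentication: the receiving device has no way to tell the genuine meter from another transmitter, and it cannot detect a captured command being sent again. The following is an added illustration, not Rapid7’s research code and not Animas’s protocol; the frame layout, device id, command codes and pairing key are all constructed for the example. It contrasts a receiver that only checks a device id with one that verifies a keyed MAC (HMAC-SHA256) and a monotonic counter, so that forged, tampered and replayed frames are rejected.

```python
"""Added illustration: why an unauthenticated cleartext remote-control frame
can be spoofed, and how a keyed MAC plus a monotonic counter lets the receiving
device reject forged and replayed frames. Everything here is constructed for
the example; it is not the OneTouch Ping's proprietary protocol."""
import hashlib
import hmac
import struct

# Constructed pairing secret shared by meter and pump (hypothetical; a real
# design would establish it during pairing, never embed it in source code).
PAIRING_KEY = b"example-pairing-key-not-real"
DEVICE_ID = 0x1234          # constructed device identifier

CMD_STATUS = 1              # constructed command codes
CMD_BOLUS = 2

# Cleartext frame: device id (2 bytes) | command (1) | dose in tenths (2)
CLEAR_FMT = ">HBH"
# Authenticated frame body: device id (2) | counter (4) | command (1) | dose (2)
AUTH_FMT = ">HIBH"
AUTH_BODY_LEN = struct.calcsize(AUTH_FMT)
TAG_LEN = 16                # truncated HMAC-SHA256 tag


def build_cleartext_frame(device_id: int, command: int, units_tenths: int) -> bytes:
    """Frame with no integrity protection: nothing in it proves who sent it."""
    return struct.pack(CLEAR_FMT, device_id, command, units_tenths)


def accept_cleartext_frame(frame: bytes, my_device_id: int) -> bool:
    """Receiver that only checks the device id. Because the id is visible on
    the air, this check cannot distinguish the paired meter from an impostor."""
    device_id, _command, _units = struct.unpack(CLEAR_FMT, frame)
    return device_id == my_device_id


def build_authenticated_frame(key: bytes, device_id: int, counter: int,
                              command: int, units_tenths: int) -> bytes:
    """Meter side: append a keyed MAC over the body, which includes a counter."""
    body = struct.pack(AUTH_FMT, device_id, counter, command, units_tenths)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedReceiver:
    """Pump side: accept a frame only if the MAC verifies under the pairing key,
    the device id matches, and the counter is higher than any seen before."""

    def __init__(self, key: bytes, my_device_id: int):
        self.key = key
        self.my_device_id = my_device_id
        self.last_counter = 0   # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) != AUTH_BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:AUTH_BODY_LEN], frame[AUTH_BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so timing does not leak the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            return False
        device_id, counter, _command, _units = struct.unpack(AUTH_FMT, body)
        if device_id != self.my_device_id:
            return False
        if counter <= self.last_counter:    # replayed or stale frame
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run both receivers over constructed frames and report what each accepts."""
    clear = build_cleartext_frame(DEVICE_ID, CMD_BOLUS, 50)
    rx = AuthenticatedReceiver(PAIRING_KEY, DEVICE_ID)
    genuine = build_authenticated_frame(PAIRING_KEY, DEVICE_ID, 1, CMD_BOLUS, 50)
    wrong_key = build_authenticated_frame(b"not-the-pairing-key", DEVICE_ID, 2, CMD_BOLUS, 50)
    return {
        "cleartext_accepted": accept_cleartext_frame(clear, DEVICE_ID),
        "genuine_accepted": rx.accept(genuine),
        "replay_rejected": not rx.accept(genuine),
        "wrong_key_rejected": not rx.accept(wrong_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The counter is what turns a MAC into protection against replay as well as forgery; without it, a recorded genuine frame would verify every time it was resent. A production design would additionally bind the key to a pairing ceremony and handle counter persistence across battery changes, neither of which this example models.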

In the notification letter, Animas writes, “We also want to assure you that the probability of unauthorized access to the OneTouch Ping System is extremely low. It would require technical expertise, sophisticated equipment, and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network. In addition, the system has multiple safeguards to protect its integrity and prevent unauthorized action.” The letter then outlined the specific mitigation options available.

The potential danger of medical devices being hacked is of increasing concern, as evidenced by the allegations Health IT Outcomes reported last month that St. Jude Medical’s cardiac devices are vulnerable to cyberattacks. St. Jude has categorically denied the accusations, stating, “The allegations are absolutely untrue. There are several layers of security measures in place.”

However, it does raise questions about how safe is safe enough when it comes to devices that are used on or in a patient’s body. In 2013, Health IT Outcomes reported that growing concern over securing medical devices had led the Department of Homeland Security (DHS) National Cybersecurity & Communications Integration Center to issue an “unclassified — for official use only — document calling attention to the potential impact of cyber threats on the multi-trillion dollar healthcare industry.” In it, providers are warned that “failure to implement a robust security program will impact the organization's ability to protect patients and their medical information from intentional and unintentional loss or damage.”

The final takeaway from these issues is that while preventative measures may be costly, the idea of culpability in the case of a security breach means that they are ultimately a necessary expense.