Johnson & Johnson's diabetes unit warned patients this week that the Animas Onetouch Ping insulin pumps may be vulnerable to a cyberattack, but the probability of one of the devices actually being hacked is "extremely low," the company said.
The pump could potentially be accessed through its unencrypted radio frequency communication system, but such an attack would require technical expertise, sophisticated equipment and proximity to the device, according to a letter the West Chester, Pa.-based Animas Corp. sent to patients on Monday. The company noted that the Onetouch Ping system is not connected to the Internet or any external network.
Patients do have the option of turning the pump's radio frequency feature off to prevent unauthorized access, Animas said, but that would also block communication between the pump and meter, and blood glucose readings would need to be entered manually on the pump.
Another option would be to program the pump to limit the amount of bolus insulin that can be delivered, using one of several customizable settings, such as the maximum bolus amount setting, the two-hour amount, and the total daily dose setting. If a hacker attempted to exceed or override these settings, Animas said, the attack would trigger a pump alarm and prevent bolus insulin delivery.
The company also recommended patients use the system's vibrating alert feature so that if a bolus dose of insulin is initiated remotely they would have the option of canceling the delivery.
Both of these safety measures – the bolus delivery alert and the customizable limits – can only be enabled on the pump itself, Animas said, and cannot be altered by the meter remotely. The system is also designed to record any insulin delivery and its source (pump or meter remote) for the patient to review.
Animas assured patients in the letter that it has worked with regulatory authorities and security experts to address the issue and that the Onetouch Ping system continues to be safe and effective for managing diabetes. Still, the warning comes at a time when the device industry is particularly vulnerable to cybersecurity concerns.
Last month St. Jude Medical Inc. filed a lawsuit against short-selling firm Muddy Waters Capital LLC, Medsec Holdings Ltd., and their affiliates over a report claiming St. Jude's implantable heart devices were vulnerable to cyberattack. The St. Paul, Minn.-based company said it filed the suit to hold the firms and individuals accountable for their "false and misleading tactics," and to "set the record straight" about the security of St. Jude devices. Shortly after the claims were made, the company's stock (NYSE: STJ), which had been trading around $82 a share before the Muddy Waters report, dropped about 5 percent. The stock has fluctuated between $79.55 and $80.71 over the past month, and closed Tuesday at $79.82. (See Medical Device Daily, Aug. 30 and Sept. 8, 2016.)
Johnson & Johnson's stock (NYSE: JNJ) held steady Tuesday after news of the Animas letter, closing at $118.82, a 0.01 percent increase over the day's opening.
Past problems abound
Cybersecurity issues are not new to the device industry, but they have been a growing concern over the past couple of years. In 2015 the FDA made an unprecedented move by telling hospitals not to use the Symbiq infusion pump from Lake Forest, Ill.-based Hospira Inc., now owned by Pfizer Inc., because of specific cybersecurity vulnerabilities associated with the device. The company later issued guidance on the topic to clarify how existing quality regulations apply to cybersecurity maintenance activities. The topic has also gained attention at industry events over the past year, including the annual meeting of the Advanced Medical Technology Association (Advamed). (See Medical Device Daily, Oct. 7, 2015.)
At a heavily attended Advamed panel last year, Scott Rea, vice president of government and education relations at Digicert Inc., said device companies would be better off putting a plan in place for when a cybersecurity issue does happen, rather than focusing all the attention on preventing an attack. There is "no such thing" as a perfect solution that will solve all the industry's cybersecurity problems, Rea said.
It may be difficult to understand the motivation behind a cyberattack on an individual infusion pump, or other device, but cybersecurity firm Trapx suggested in a 2015 report that hackers may be trying to hijack medical data, which has become more valuable to cybercriminals than stolen credit card numbers. (See Medical Device Daily, June 10, 2015.)
Medtronic plc dealt with a similar issue with one of its infusion pumps back in 2011 after security software manufacturer Mcafee alerted the company to a flaw in some models of the Paradigm insulin pumps. Mcafee said at the time that such problems could exist with other drug pumps as well, given the devices' increasing use of wireless technology and software.