Johnson & Johnson (NYSE:JNJ) is warning customers that its Animas OneTouch Ping Insulin pump can be hacked—a cybersecurity vulnerability that could be deadly. And while the FDA says it knows of zero medical device hacking attempts to date, the subject is one of growing concern. In fact, St. Jude Medical (NYSE:STJ) was accused of ignoring serious cybersecurity vulnerabilities in its own medical devices just last month.
So can medical devices be hacked? Absolutely.
With the Animas OneTouch Ping Insulin pump, for example, hackers may tamper with unencrypted communications between a wireless remote and the pump itself, triggering a potential insulin overdose in users.
And while Johnson & Johnson says the threat is minimal—the hacker would need significant technical knowledge and be standing no more than 25 feet away—the mere possibility of an attack on patients has caused the company to take rapid action.
After verifying the vulnerabilities, first discovered by Rapid7’s Jay Radcliffe, and consulting with the FDA, Johnson & Johnson sent a letter to 114,000 users in North America explaining the security issue and how it could be resolved.
The company recommends discontinuing use of the wireless remote or setting a maximum dose limit on the device itself, steps that Radcliffe deemed sufficient: as he told Fortune, “They can give peace of mind to the patient or parent of a child using the device.”
But the solution isn’t always so simple. St. Jude Medical, for example, was accused of having multiple vulnerabilities in its products—ones so severe that the devices would all need to be recalled. “There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years,” the report from Muddy Waters Research claimed.
No wonder that medical device manufacturers, as well as the FDA, are starting to reexamine the question of cybersecurity.
By sending that letter to customers, Johnson & Johnson became the first medical device manufacturer to ever warn customers about a hacking threat—but they probably won’t be the last. In fact, the FDA is betting on it.
The regulatory body is currently formulating guidelines for medical manufacturers on how they should respond to reports on their products’ cybersecurity—such as those that came out of Muddy Waters Research or Rapid7 in recent months. That suggests the agency sees this as an ongoing issue, and therefore it’s something investors should pay attention to.
A cybersecurity scandal, verified or not, has the potential to derail a company. Just look at St. Jude Medical: the company says accusations against their products are unfounded, and yet the stock still dropped four percent as a result.
Proactive measures would seem to be a company’s best defense. Johnson & Johnson, for example, informed customers of the cybersecurity vulnerability on September 26, 2016, before Rapid7 published their report. In the days since, the company’s stock has been minimally affected: in fact, it actually gained 0.01 percent between September 26 and October 4.
Securities Disclosure: I, Chelsea Pratt, hold no direct investment interest in any company mentioned in this article.