hen Johnson & Johnson was alerted to a security vulnerability in the Animas OneTouch Ping® insulin pump last year, the risk to patients was low. But that didn’t stop the company from hitting the "go" button on a large-scale cybersecurity response.
After the researcher showed Johnson & Johnson that it was possible to hack into the device and theoretically allow someone to control it remotely by interfering with its wireless communications signal, the company quickly sent a letter to patients and doctors, warning them about the issue and offering specific steps to take to protect themselves. No one ever took advantage of the vulnerability—but Johnson & Johnson wasn’t taking any chances.
It is believed to be the first-ever such proactive communication from a medical device manufacturer to customers, and it represented hours of behind-the-scenes work with the cybersecurity firm that had alerted the company to the vulnerability, the U.S. Food & Drug Administration (FDA) and the Department of Homeland Security.
This story exemplifies Johnson & Johnson's two-pronged approach to cybersecurity: protecting products before they reach the shelves, and then reinforcing that protection when doctors and patients use them—especially as cyberattackers become increasingly interested in healthcare data.
Consulting firm Accenture has estimated that, by 2019, one in 13 patients in the U.S. will have their medical or personal information stolen from their healthcare provider’s digital records. And as healthcare devices increasingly rely more on connectivity in order to provide such services as real-time alerts to doctors and patients, the need to secure them is also increasing.
For National Cyber Security Awareness Month, we spoke to top security experts at Johnson & Johnson to learn more about four key proactive measures the company is taking to keep patients safe.
At the beginning of 2016, Johnson & Johnson moved from a distributed model—in which separate teams focused on different aspects of cybersecurity and compliance—into a single, centralized function under, Worldwide Vice President of Information Security and Chief Information Security Officer.
Today, a single team handles a range of cybersecurity tasks, including research and development for product cybersecurity.
As, Director of R&D and Product Security, explains it, the team is tasked with ensuring that security is designed into products early on, during early development conversations, rather than bolting it in as an afterthought.
“We work with the R&D teams building the products and the product quality teams managing the process to ensure that the solutions have security built in,” he says.
Another remit of Johnson & Johnson’s security team is managing the digital supply chain.
Product safety depends on a watertight approach to security that protects not just the product, but all the components and processes that help produce it. Without a secure supply chain, attackers intent on compromising a medical device could potentially exploit loopholes in the manufacturing systems used to produce them.
The company leads the way for the industry by inviting researchers—that is, third parties who identify security bugs in products—to tell them about any flaws in security or to submit information about vulnerabilities that they may find in its products.
This has led the company to scrutinize third-party vendors and service providers, as well as conduct security assessments of everything from its robotics systems to its 3-D printing processes.
The company also keeps protecting its products even after they’re in customers’ hands.
“Our products need to be built to easily receive cybersecurity routine updates and patches to protect against growing threats and the increasingly rapid release of new vulnerabilities,” Morgan explains.
New bugs and vulnerabilities emerge every day, so the security team regularly attends cybersecurity conferences with the specific goal of seeking out presentations on vulnerabilities and attack techniques that could directly affect Johnson & Johnson products and services.
The company leads the way for the industry by inviting researchers—that is, third parties who identify security bugs in products—to tell them about any flaws in security or to submit information about vulnerabilities that they may find in its products. The company even created a site expressly for this purpose: Product Vulnerability Disclosure Reporting.
“Researchers are working on technology because they’re interested in it,” Morgan says. “They want to work with manufacturers and notify them of these flaws to help with the safety of the products.”
Regulators are aware of the cybersecurity threats facing the healthcare sector, and Johnson & Johnson is eager to work with them to create common best practices.
“We’re taking the lessons we have learned to work with the healthcare community and get better as an industry,” Morgan says.
This includes close collaboration with government agencies in the U.S. and beyond, such as leading education sessions for regulators in Japan, partnering with the FDA on guidelines for managing medical device security and working with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on bug disclosure processes.
“We’re trying to ensure that we have harmonized security processes, rather than each country having its own requirements, which then makes it harder for business to figure out best practices,” Morgan says.
Cybersecurity vulnerabilities will always be a way of life, but Johnson & Johnson’s collaborative approach is helping to ensure that the company stays one step ahead of cyberthieves to keep patients protected.