Tribune News Service
Joe Carlson

Medtronic: Older insulin pumps are vulnerable to hackers

Medtronic is warning thousands of users of its older insulin pumps worldwide that the devices may contain a serious cybersecurity vulnerability allowing a malicious hacker to change drug-delivery settings and send the patient into a diabetic emergency.

The warning applies to Medtronic insulin pumps that were introduced to the market before 2013, including the MiniMed 508 pump and various models of MiniMed Paradigm pumps. It does not affect the MiniMed 530G, nor any 600-series MiniMed pump (including the 640G and 670G), which are widely used in the U.S. The Homeland Security Department published an advisory about the issue Thursday.

Insulin is a powerful, self-administered drug that can be acutely harmful if given in too large a dose. An insulin pump is a central component of an overall system used to deliver regular doses of manufactured insulin in patients whose bodies don't naturally produce enough of the hormone to break down sugars in their blood. Such pumps can communicate wirelessly with external devices to get real-time glucose measurements or transmit patient data.

The cyber-vulnerability disclosed on Thursday for older Medtronic insulin pumps would allow a malicious computer hacker to potentially hijack those communications systems and send commands that would cause the device to deliver too much or too little insulin, both of which can be harmful in different ways. A sudden dose of too much insulin can lead to seizures or a diabetic coma.

The vulnerability stems from weaknesses in how the pumps "authenticate" commands from external devices.

"This wireless RF (radio-frequency) communication protocol does not properly implement authentication or authorization," a summary of the problem from the Homeland Security Department says. "An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify and/or intercept data."

Medtronic, which is run from offices in Fridley, estimates that at least 4,000 people in the United States and an unknown number internationally are still using the older devices.

The Medtronic pumps affected by the alert are: the MiniMed 508; MiniMed Paradigm models 511, 512/712, 712E, 515/715, 522/722, 522K/722K; plus Paradigm 523/723 and 523K/723K pumps with software versions 2.4A or lower; Paradigm Veo 554/754 pumps with software version 2.6A or lower; and Paradigm Veo 554CM/754CM pumps with software version 2.7A or lower.

Jay Radcliffe, a medical technology security researcher and type 1 diabetic in Idaho, said he thinks the benefits of the insulin pumps outweigh the risks of the device being attacked, and he would not hesitate to have family members use these pumps.

"The risk is very low of something bad happening, and I think that's important because there's a lot of parents who read these stories," said Radcliffe, who is not a Medtronic employee and who published some of the earliest vulnerability information about Medtronic insulin pumps, in 2011. "It's a very scary situation to be either a patient, or a parent of a child on one of these devices. I wanted to make sure that even though we are publishing something about it, people still need to feel that they are getting good treatment from these devices ... but there are some risks."

Medtronic recommends patients talk to their doctor about getting a prescription for a newer device, if possible. For those who can't or don't want to switch, Medtronic recommends steps like keeping the pump and related devices under physical control, keeping pump serial numbers private, disconnecting the devices from the CareLink remote-transmission system when not being used to transmit data, staying alert to alarms on the pump, and canceling any unintended doses of insulin.

"At this time, we have received no confirmed reports of unauthorized persons changing settings or controlling insulin delivery," Medtronic wrote in a letter to customers dated June 27.

The Food and Drug Administration and the Department of Homeland Security each issued alerts about the cyber vulnerabilities on Thursday, as did Medtronic. Homeland Security assigned the vulnerability a CVSS score of 7.1 out of 10, with higher numbers representing more serious risks.

Patients still using the affected devices may not be shocked to learn of cybersecurity vulnerabilities.

In fact, some older Medtronic pumps are specifically sought out by "do it yourself" diabetic enthusiasts who link them to other devices in unauthorized ways to automate insulin delivery, which is possible because of the security vulnerabilities that were highlighted in Thursday's warning. An article in The Atlantic spotlighted this practice in April, prompting an official warning from the FDA the following month discouraging the practice.

Other patients may still be using the older devices because newer models are not yet available in their home countries, or just because they're attached to the older devices.

"You become very sentimental and very trusting of the device," Radcliffe said. "A lot of people give their insulin pumps names. And they really see it as a part of them."

Medtronic is offering a temporary program for users of out-of-warranty insulin pumps affected by Thursday's cybersecurity alert. Under certain conditions, a refurbished Medtronic MiniMed 670G pump will be available for an upfront fee of $399 (no warranty provided) with the exchange of the older pump, or for $3,200 for people who don't return their older pump. Details are available at https://info.medtronicdiabetes.com/legacy-exchange.
