Medtronic is warning thousands of users of its older insulin pumps worldwide that the devices may contain a serious cybersecurity vulnerability allowing a malicious hacker to change drug-delivery settings and send the patient into a diabetic emergency.
"At this time, we have received no confirmed reports of unauthorized persons changing settings or controlling insulin delivery," Medtronic noted in a letter to customers dated June 27.
Medtronic, which is run from offices in Fridley, estimates that at least 4,000 people in the United States and an unknown number internationally are still using the older devices.
Insulin is a self-administered drug that can be acutely harmful if given in too large a dose. An insulin pump is a central component of an overall system used to deliver regular doses of manufactured insulin in patients whose bodies don't naturally produce enough of the hormone to break down sugars in their blood. Such pumps can communicate wirelessly with external devices to get real-time glucose measurements or transmit patient data.
The vulnerability disclosed Thursday for older Medtronic insulin pumps could allow a malicious hacker to hijack those wireless communications and send commands that would cause the device to deliver too much or too little insulin, both of which can be harmful. A sudden dose of too much insulin can lead to seizures or a diabetic coma.
The vulnerability stems from weaknesses in how the pumps "authenticate" commands from external devices.
"This wireless RF [radio-frequency] communication protocol does not properly implement authentication or authorization," a summary of the problem from the Homeland Security Department says. "An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify and/or intercept data."
The Medtronic pumps affected by the alert are: the MiniMed 508; MiniMed Paradigm models 511, 512/712, 712E, 515/715, 522/722, 522K/722K; plus Paradigm 523/723 and 523K/723K pumps with software versions 2.4A or lower; Paradigm Veo 554/754 pumps with software version 2.6A or lower; and Paradigm Veo 554CM/754CM pumps with software version 2.7A or lower.
The vulnerability does not affect the MiniMed 530G, nor any 600-series MiniMed pump (including the 630G and 670G), which are widely used in the U.S.
Jay Radcliffe, a medical technology security researcher and type 1 diabetic in Idaho, said he thinks the benefits of the insulin pumps outweigh the risks of the device being attacked, and he said he would not hesitate to have family members use these pumps.
"The risk is very low of something bad happening, and I think that's important because there's a lot of parents who read these stories," said Radcliffe, who in 2011 published some of the earliest vulnerability information about Medtronic insulin pumps. "It's a very scary situation to be either a patient, or a parent of a child on one of these devices. … Even though we are publishing something about it, people still need to feel that they are getting good treatment from these devices … but there are some risks."
Medtronic recommends patients talk to their doctor about getting a prescription for a newer device, if possible. For those who can't or don't want to switch, Medtronic recommends steps like keeping the pump and related devices under physical control, keeping pump serial numbers private, disconnecting devices from the CareLink remote-transmission system when not being used to transmit data, staying alert to alarms on the pump, and canceling any unintended doses of insulin.
The Food and Drug Administration and the Department of Homeland Security each issued alerts about the cyber-vulnerabilities on Thursday, as did Medtronic. Homeland Security assigned the vulnerability a CVSS score of 7.1 out of 10, with higher numbers representing more serious risks.
Patients still using the affected devices may not be shocked to learn of cybersecurity vulnerabilities.
In fact, some older Medtronic pumps are specifically sought out by "do it yourself" diabetic enthusiasts who link them to other devices in unauthorized ways to automate insulin delivery, which is possible because of the security vulnerabilities that were highlighted in Thursday's warning. An article in the Atlantic spotlighted this practice in April, prompting an official warning from the FDA the following month discouraging the practice.
Other patients may still be using the older devices because newer models are not yet available in their home countries, or just because they're attached to the older devices.
"You become very sentimental and very trusting of the device," Radcliffe said. "A lot of people give their insulin pumps names. And they really see it as a part of them."
Radcliffe is one of several independent security researchers credited with exposing the vulnerabilities and bringing them to Medtronic's attention. In a sign of how long security issues have been associated with older insulin pumps, Medtronic's publication Thursday also credited the work of noted computer hacker Barnaby Jack, who died of a drug overdose in 2013.
"Cybersecurity protection is constantly evolving, and technology continues to rapidly improve. And connected devices need to keep up with that pace. With the growing attention to cybersecurity in the industry, we felt like it was important for our customers to understand the issues and risks in greater detail," said Carolyn Schmitz, vice president of software engineering for Medtronic Diabetes.
Medtronic is offering a temporary program for users of out-of-warranty insulin pumps affected by Thursday's alert. Under certain conditions, a refurbished Medtronic MiniMed 670G pump will be available for an upfront fee of $399 (no warranty) with the exchange of the older pump, or for $3,200 if the older pump is not returned.