Medtronic, an insulin pump company, notified its users of a potential risk of attack due to a flaw in its pump’s communication protocol.
The US FDA (Food and Drug Administration) has warned users of Medtronic’s MiniMed 600 Series Insulin Pump System (specifically, the MiniMed 630G and MiniMed 670G models) that their medical devices have a cybersecurity issue in their communication protocol. If the issue is exploited, attackers could gain unauthorized access to the pump system itself and alter it to deliver too much or too little insulin to the patient.
Because the MiniMed 600 series devices have components (the insulin pump, the blood glucose meter, the continuous glucose monitoring transmitter, and the CareLink USB device) that communicate wirelessly, nearby attackers could gain unauthorized access to them when the pump is paired with these components. Medtronic clearly stated that such an attack could not be done over the internet.
“Medtronic has no evidence to date that such an issue has occurred,” the company’s Urgent Medical Device Correction notification page states. “However, in the unlikely event that unauthorized access would be successful, the access could be used to deliver too much or too little insulin through delivery of an unintended insulin bolus or because insulin delivery is slowed or stopped. Too much insulin could result in hypoglycemia (low blood sugar) which can potentially lead to seizure, coma or death. Too little insulin could result in hyperglycemia (high blood sugar) which can potentially lead to diabetic ketoacidosis.”
The FDA continues to work with Medtronic to identify, communicate, and prevent the effects of the devices’ vulnerability. Medtronic advises users to take action and the necessary precautions to avoid being at risk. First, the company advises users to turn off the “Remote Bolus” feature of the pump, which is on by default.
The company also reminded users to keep their insulin pump and its components within their control at all times, never confirm connection requests on the pump screen unless initiated by them or their care partner, and not share their insulin pump’s or device’s serial numbers with anyone but their healthcare provider, distributor, and Medtronic. A detailed list of precautions can be found on this page.