Medtronic’s Insulin Pump Controllers Are Vulnerable to Hackers

Medtronic devices comprise an estimated 60% of the insulin pump market. (Screenshot: YouTube/Medtronic Diabetes)

Medical device maker Medtronic has expanded its recall of remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The reason? The devices are a potential cybersecurity risk. According to the Food and Drug Administration, unauthorised people could hijack the devices to alter how much insulin is delivered to a patient.

The FDA classifies this as a Class I recall, the most serious and urgent kind, reserved for products that “may cause serious injuries or death.” The remote controllers affected are the MMT-500 and MMT-503. Both are older models built on previous-generation radio technology and work with the MiniMed 508 and the MiniMed Paradigm family of insulin pumps. Medtronic says anyone still using a recalled remote should stop immediately, follow its instructions to disconnect the controller from the pump, and then return the remote to Medtronic. (Medtronic has published more detailed instructions for both models.)

The issue is that an attacker within radio range could record the radio-frequency (RF) transmissions the remote uses to communicate with the pump and replay them later, and the pump would treat the replayed transmission as a fresh, legitimate command. The remote exists so that a person can program an insulin dose without pressing any of the pump’s buttons; a replayed transmission therefore lets an attacker trigger doses the patient never requested. In short, a hacker could deliberately tamper with the amount of insulin given to a diabetes patient, potentially causing death.
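To make the replay problem concrete, here is an added illustration (not code from the original article and not Medtronic’s wire protocol) of why a recorded command frame keeps working against a receiver that has no notion of freshness, and what a hardened receiver checks instead. The frame layout, the pairing id, the shared key and the command payload are all assumptions constructed for this example; the hardened design pairs a strictly increasing counter with an HMAC over the whole frame, so a replay fails the counter check and a frame with a bumped counter fails the MAC check.

```python
import hashlib
import hmac
import struct

# Constructed illustration: a toy "remote -> pump" command frame. The format,
# the pairing id and the key are assumptions for this example; they are not
# Medtronic's actual protocol.
PAIRING_ID = b"\x12\x34\x56"            # legacy-style fixed identifier
SHARED_KEY = b"example-pairing-key"     # hypothetical per-pairing secret


class LegacyPump:
    """Accepts any frame carrying the right pairing id. Nothing ties a frame
    to the moment it was sent, so a recorded frame works forever."""

    def __init__(self, pairing_id):
        self.pairing_id = pairing_id
        self.delivered = []

    def receive(self, frame):
        if frame[:3] != self.pairing_id:
            return False
        self.delivered.append(frame[3:])
        return True


def legacy_frame(command: bytes) -> bytes:
    return PAIRING_ID + command


class HardenedPump:
    """Requires a strictly increasing counter and an HMAC-SHA256 over the
    whole frame. A replay fails the counter check; a frame with a forged
    counter fails the MAC check because the attacker lacks SHARED_KEY."""

    TAG_LEN = 32

    def __init__(self, pairing_id, key):
        self.pairing_id = pairing_id
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame):
        if len(frame) < 3 + 4 + self.TAG_LEN:
            return False
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return False
        pid, counter = body[:3], struct.unpack(">I", body[3:7])[0]
        if pid != self.pairing_id or counter <= self.last_counter:
            return False                                # stale or replayed
        self.last_counter = counter
        self.delivered.append(body[7:])
        return True


def hardened_frame(counter: int, command: bytes, key=SHARED_KEY) -> bytes:
    body = PAIRING_ID + struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


def demo():
    bolus = b"BOLUS:2.0"                    # constructed command payload

    legacy = LegacyPump(PAIRING_ID)
    captured = legacy_frame(bolus)          # attacker records this over the air
    legacy.receive(captured)                # legitimate delivery
    replay_accepted = legacy.receive(captured)   # replayed: accepted again

    hardened = HardenedPump(PAIRING_ID, SHARED_KEY)
    captured = hardened_frame(1, bolus)
    hardened.receive(captured)              # legitimate delivery, counter 1
    replay_rejected = not hardened.receive(captured)
    # attacker bumps the counter but cannot recompute the MAC without the key
    forged = hardened_frame(2, bolus, key=b"wrong-key")
    forgery_rejected = not hardened.receive(forged)
    fresh_accepted = hardened.receive(hardened_frame(2, bolus))
    return {
        "legacy_replay_accepted": replay_accepted,
        "legacy_doses": len(legacy.delivered),
        "hardened_replay_rejected": replay_rejected,
        "hardened_forgery_rejected": forgery_rejected,
        "hardened_fresh_accepted": fresh_accepted,
        "hardened_doses": len(hardened.delivered),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would raise: a MAC on its own does not stop replay (the recorded frame carries a valid MAC), so the freshness element is essential; and in a real device the remote must persist its counter across resets and the receiver needs a policy for frames lost in transit, otherwise legitimate commands start being rejected.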

This is not the first recall Medtronic has issued for these devices. The first, in August 2018, instructed users on how to disable the remote programming feature when not in use, but only customers with pumps still under warranty were notified. The current recall extends to anyone who purchased a remote controller and might still be using one. In its statement, Medtronic also says that the “potential risks associated with the MiniMed remote controller outweigh the benefits of its continued use.” That is significant, because Medtronic devices make up an estimated 60% of the insulin pump market.

While thankfully neither Medtronic nor the FDA has received reports of this occurring in the wild, this is a serious problem that’s not about to go away anytime soon. Cyberattacks against hospitals have spiked during the covid-19 pandemic, according to research from Check Point. Unfortunately, this also puts connected medical devices at risk of outages — and the threat isn’t hypothetical. A recent Wall Street Journal report detailed a 2019 ransomware attack in an Alabama hospital that allegedly hampered nurses’ access to fetal heartbeat monitors. The situation led to staff missing warning signs that a foetus was in distress, leading to severe brain damage when the baby was born and, eventually, death. Another problem is the number of legacy medical devices still in use today that aren’t equipped to stand against modern cybersecurity risks.

For what it’s worth, the FDA is aware of just how vulnerable medical devices can be. In 2019, the agency issued a warning about 11 software vulnerabilities that could allow unauthorised people to take control of medical devices and hospital networks. A look at the FDA’s cybersecurity page is a sobering read on just how serious the problem is, and in 2018 the agency proposed updated recommendations to help manufacturers protect their products from threats.