Medtronic issues yet another recall citing ‘severe cybersecurity risks’ despite no confirmed reports of intentional harm to a diabetic patient since 1999

Insulin pumps are vulnerable to hacks and must be sent back, insists Medtronic, again. Pic credit: VCU Capital News Service/Flickr

Medtronic, the maker of the popular line of insulin pumps and their controllers, has issued yet another recall of its devices. The company claims its own products are at risk of hackers or cyberattacks.

Anyone who bought an insulin pump or controller belonging to the ‘MiniMed Paradigm’ family of products between August 1999 and July 2018 should return it to Medtronic due to “severe cybersecurity risks”.

Thousands of pumps and controllers managing insulin delivery could be at risk of a malicious cyberattack despite no recorded incidents yet:

Medtronic is insisting that some of its insulin pumps and the controllers that govern the calculated delivery of insulin are vulnerable to severe cybersecurity risks.

Millions of diabetic Americans rely on Medtronic’s products to regulate their insulin. Insulin pumps, and more importantly, their controllers, deliver measured doses of insulin.

The remote controller wirelessly communicates with the insulin pump. It essentially instructs the pump to start, stop, or change the amount of insulin.

Needless to say, the timing of insulin delivery, the amount of insulin, and other such parameters are critical. Medtronic insists that an unauthorized person could manipulate these very parameters remotely.

Essentially, the company is warning about a connected controller sending commands directly to the insulin pump with no user-initiated action.

Medtronic claims an unauthorized person could intentionally “over-deliver or stop the delivery of insulin to the patient”. Needless to say, for certain types of patients, this could be life-threatening.

The company has sent letters with specific instructions for users’ recalled models. However, several patients have bought these pumps on the resale market. Such users should heed the instructions of the ‘Urgent Medical Device Recall’ notice, stresses Medtronic.

Medtronic and diabetic patients have been fighting a battle for a long time over “hacking” the insulin pump controllers:

Medtronic repeatedly stresses the potential for a man-in-the-middle attack. The company claims malicious hackers could also exploit the pump’s connection with other medical devices such as blood glucose meters and flow monitoring systems. Many diabetic patients routinely use these devices in addition to the insulin pumps.

It is, however, important to note that Medtronic has also indicated that there have been no confirmed or recorded incidents of an unauthorized person manipulating an insulin pump controller to cause harm to a diabetic patient.

Simply put, there are no confirmed reports of anyone maliciously hacking an insulin pump controller with the intention of causing harm. However, there are several hundred patients who have “hacked” their own insulin pumps to better regulate insulin delivery.

Many diabetic patients have claimed that custom firmware has helped them better manage insulin, especially while sleeping. The firmware or software is obviously unauthorized.

In the wrong hands, such manipulations could certainly be harmful, as Medtronic repeatedly insists. Incidentally, the company has launched new devices with updated firmware that mimic the custom firmware.
