Medtronic, the maker of a popular line of insulin pumps and their controllers, has issued yet another recall of its devices. The company claims its own products are at risk from hackers or cyberattacks.
Anyone who bought an insulin pump or controller belonging to the ‘MiniMed Paradigm’ family of products between August 1999 and July 2018 should return it to Medtronic due to “severe cybersecurity risks”.
Thousands of pumps and controllers managing insulin delivery could be at risk of a malicious cyberattack despite no recorded incidents yet:
Medtronic is insisting that some of its insulin pumps and the controllers that govern the calculated delivery of insulin are vulnerable to severe cybersecurity risks.
Millions of diabetic Americans rely on Medtronic’s products to regulate their insulin. Insulin pumps, and more importantly, their controllers, deliver measured doses of insulin.
The remote controller wirelessly communicates with the insulin pump. It essentially instructs the pump to start, stop, or change the amount of insulin.
Needless to say, the timing of insulin delivery, the amount of insulin, and other such parameters are critical. Medtronic insists that an unauthorized person could manipulate these very parameters remotely.
Essentially, the company is warning about a connected controller sending commands directly to the insulin pump with no user-initiated action.
RECALL ALERT: Medtronic recalls more than 463K MiniMed 600 series insulin pumps for a defect that could lead to incorrect dosing. What you should do if you have one: https://t.co/8kilmYZCry
— 7News DC (@7NewsDC) October 6, 2021
Medtronic claims an unauthorized person could intentionally “over-deliver or stop the delivery of insulin to the patient”. Needless to say, for certain types of patients, this could be life-threatening.
The company has sent letters with specific instructions to users of the recalled models. However, several patients have bought these pumps on the resale market. Such users should heed the instructions of the ‘Urgent Medical Device Recall’ notice, stresses Medtronic.
Medtronic and diabetic patients have been fighting a battle for a long time over “hacking” the insulin pump controllers:
Medtronic repeatedly stresses the potential for a man-in-the-middle attack. The company claims malicious hackers could also exploit the pump’s connection with other medical devices such as blood glucose meters and flow monitoring systems. Many diabetic patients routinely use these devices in addition to the insulin pumps.
Medtronic Diabetes is proactively replacing all #MiniMed600 series clear retainer ring pumps with the same pump with a black ring, regardless of warranty status, free of charge. This updates the Nov. '19 recall and is not a new issue. More at https://t.co/GzoIiBF8xN. pic.twitter.com/pB4MymSXLt
— Medtronic Diabetes (@MDT_Diabetes) October 5, 2021
It is, however, important to note that Medtronic has also indicated that there have been no confirmed or recorded incidents of an unauthorized person manipulating an insulin pump controller to cause harm to a diabetic patient.
Simply put, there are no confirmed reports of anyone maliciously hacking an insulin pump controller with the intention of causing harm. However, there are several hundred patients who have “hacked” their own insulin pumps to better regulate insulin delivery.
Many diabetic patients have claimed that custom firmware has helped them better manage insulin, especially while sleeping. The firmware or software is obviously unauthorized.
In the wrong hands, such manipulations could certainly be harmful, as Medtronic repeatedly insists. Incidentally, the company has launched new devices with updated firmware that mimic the custom firmware.