
Medtronic Insulin Pump Devices Recalled Due to Serious Risks

FDA Warns Exploitation of Security Flaw Could Cause Death
Medtronic is recalling remote controllers used with its MiniMed 508 insulin pump and MiniMed Paradigm family of insulin pumps due to dangerous security flaws.

The Food and Drug Administration on Tuesday issued a warning notifying patients that medical device maker Medtronic has expanded a recall of remote controllers for certain wireless insulin pumps.


The FDA has classified the recall as "Class I" - the most serious type - because of issues that could result in serious injury or death, the agency warns.

The remote controllers, which are used with either Medtronic's MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps, are being recalled due to potential cybersecurity risks, the FDA says.

In a security bulletin also issued Tuesday about the recall, Medtronic says an external security researcher identified a potential vulnerability related to the MiniMed Paradigm family of insulin pumps and corresponding remote controller.

"When used together, the Paradigm insulin pump and remote controller - similar to a key fob - allow a diabetes patient to easily self-deliver a bolus - a dose of insulin given by a pump - without physically accessing their insulin pump," Medtronic says.

"This enables users to discreetly deliver a bolus around meals to help keep their blood glucose in range," the company says.

The researcher found, however, that an unauthorized individual in the same vicinity as the insulin pump user could potentially copy the wireless radio frequency signals emitted by the remote controller - while delivering a remote bolus - and play those back later to deliver a malicious dose of insulin to the pump user, the company says.

Exploiting the vulnerability "could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar - hypoglycemia - or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death," the FDA warned.

The FDA says those affected by the recall include any person who uses the remote controller feature with either the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Also affected are healthcare providers and caregivers who treat people with diabetes who use remote controllers associated with either the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps, the FDA says.

"The remote controllers impacted by this issue are older models that use previous-generation technology," the FDA says. As of July 2018, Medtronic was no longer manufacturing or distributing these remote controllers, the agency notes.

DHS Warning

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency also issued an updated advisory Tuesday about the Medtronic product vulnerabilities.

DHS says the vulnerabilities include cleartext transmission of sensitive information and authentication bypass by capture-replay.
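
The two weakness classes DHS names can be illustrated with a generic receiver model, added here as an example; it is not Medtronic's protocol or code from the advisory, and the frame layout, key and remote ID are constructed assumptions. A receiver that trusts a cleartext identifier accepts the same bytes twice, while one that verifies an HMAC over a monotonic counter rejects the repeated frame.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-secret"  # constructed shared secret
REMOTE_ID = b"\x12\x34\x56"                      # constructed remote identifier
TAG_LEN = 32                                     # HMAC-SHA256 tag length

class StaticIdReceiver:
    """Weak model: any frame carrying a known cleartext remote ID is accepted."""
    def accept(self, frame: bytes) -> bool:
        return frame[:3] == REMOTE_ID

class CounterMacReceiver:
    """Hardened model: frame = id(3) | counter(4) | command(1) | HMAC tag(32)."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 3 + 4 + 1 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        (counter,) = struct.unpack(">I", body[3:7])
        if body[:3] != REMOTE_ID or counter <= self.last_counter:
            return False  # unknown sender, or stale counter (a replayed frame)
        self.last_counter = counter
        return True

def make_frame(counter: int, command: int, key: bytes = KEY) -> bytes:
    body = REMOTE_ID + struct.pack(">I", counter) + bytes([command])
    return body + hmac.new(key, body, hashlib.sha256).digest()

def replay_outcomes() -> dict:
    """Present one legitimate frame, then the identical bytes a second time."""
    static_frame = REMOTE_ID + b"\x01"  # constructed cleartext id + command
    weak, strong = StaticIdReceiver(), CounterMacReceiver(KEY)
    fresh = make_frame(counter=1, command=0x01)
    return {
        "weak_first": weak.accept(static_frame),
        "weak_replay": weak.accept(static_frame),    # identical bytes accepted again
        "strong_first": strong.accept(fresh),
        "strong_replay": strong.accept(fresh),       # rejected: counter not fresh
        "strong_next": strong.accept(make_frame(counter=2, command=0x01)),
    }
```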

Researchers Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC reported the vulnerabilities to CISA, the advisory notes.

Previous Recall

The Medtronic pumps were the subject of a previous recall due to a security issue (see: Certain Insulin Pumps Recalled Due to Cybersecurity Issues).

"Upon further review, Medtronic is now expanding the notification to all users who Medtronic believes may still be using the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps and have purchased a remote controller, due to the potential, associated risks," Medtronic says.

"Users should immediately stop using and disconnect the remote controller, disable the remote feature, and return the remote controller to Medtronic," the manufacturer warns.

To date, the FDA says, it is not aware of any reports of patient harm related to these potential cybersecurity risks.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
