by John R. Fischer
, Senior Reporter | July 01, 2019
Users of certain Medtronic MiniMed insulin pumps may want to consult their providers about switching to a new model, following the revelation of potential cybersecurity risks.
The Dublin-based healthcare giant is recalling its MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps for vulnerabilities that they have identified as affecting 4,000 patients across the U.S. No confirmed reports, however, of patient harm related to the risks have been made to date.
“Medtronic is working closely with industry regulators and researchers to anticipate and respond to potential risks,” Pamela Reese, director of global communications and corporate marketing for Medtronic Diabetes Group, told HCB News. “In addition to our ongoing work with the security community, we have already made several important changes to enhance device security with our newer devices. We will continue to collaborate with industry researchers and regulators to improve device security approaches.”
Discovered in 2011, the issues relate to the wireless communication between Medtronic’s MiniMed insulin pumps and other devices such as blood glucose meters, continuous glucose monitoring systems, the remote controller and CareLink USB device used with these pumps. No software or patch to address these vulnerabilities is available.
Such vulnerabilities could enable people other than the patient, caregiver or health care provider to potentially connect wirelessly to a nearby pump and change its settings to overdose a patient with insulin, leading patients to experience hypoglycemia, or stop insulin delivery, and their experiencing high blood sugar and diabetic ketoacidosis.
In response, the company is offering a program for eligible people to upgrade to a newer insulin pump model or obtain a lower-cost product exchange, and is providing alternative insulin pumps to patients with built-in cybersecurity capabilities. It also has issued letters to patients about the incident and is working with distributor partners and the FDA to identify additional patients potentially using vulnerable pumps.
“As hospitals become increasingly connected, their network-security professionals should keep track of different attack surfaces in their network bounds which, today, include internet communicating machines, internal Ethernet networks and lately, Wi-Fi connected medical devices,” Leon Lerman, CEO and co-founder of security firm Cynerio, said in a statement to HCB News. “Given attackers only need one opening to get in, defenders should deploy solutions that facilitate full control over the whole network. Hospitals also need to make sure they have an up-to-date inventory of all connected devices and models they have on their network.”
Back to HCB News