Feds Also Warn the Issue Could Affect the Dose of Insulin Delivered to a Patient
Federal authorities have issued urgent advisories – and Medtronic a voluntary product recall – concerning a cybersecurity vulnerability identified in a line of the medical device maker’s insulin pumps.
See Also: C-Suite Round-up: Connecting the Dots Between OT and Identity
If exploited, the flaw could result in patients receiving too little or too much insulin, which in extreme cases could result in death.
Diabetic patients with hypoglycemia – low blood sugar – can experience seizures, coma or death. Too little insulin could result in hyperglycemia – high blood sugar – which can potentially lead to diabetic ketoacidosis.
Medtronic says that it has seen no evidence of anyone exploiting the insulin pump vulnerability, which exists in its entire line of MiniMed 600 Series Insulin Pumps.
The Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency each issued their own related advisories on Tuesday about the problem, as did Medtronic.
Medtronic’s recall does not ask that customers return the devices or discontinue their use but rather that they take certain steps to mitigate the problem.
The FDA in a statement to Information Security Media Group clarifies that “device corrections and removals” are both considered recalls. The FDA as of Wednesday had not yet added the Medtronic MiniMed Series 600 to the agency’s website listing recent manufacturer voluntary recalls.
Medtronic declined ISMG’s request for the estimated number of affected devices in use in the U.S. and globally. But a Medtronic spokeswoman tells ISMG that the company is notifying all affected customers.
The FDA and Medtronic describe the insulin pump problem as involving “a communication protocol issue,” which Medtronic says it identified and reported to federal authorities. The vulnerability is not exploitable over the internet, the manufacturer says.
The MiniMed 600 series includes a pump, a continuous glucose monitoring transmitter, a blood glucose meter and a USB device. “Medtronic has recently identified a potential issue through internal testing whereby, under specific circumstances, the communication between the components of the pump system could be compromised through unauthorized access,” Medtronic says.
“For unauthorized access to occur, a nearby person other than you or your care partner would need to gain access to your pump at the same time that the pump is being paired with other system components,” the company says.
CISA in its alert described the vulnerability as a “protection mechanism failure,” which requires nearby wireless signal proximity with the patient and the device, as well as “advanced technical knowledge,” to exploit, CISA says. The vulnerability has a CVSS v3 base score of 4.8.
Last October, Medtronic recalled remote controllers used with several other pump products – its Paradigm and 508 MiniMed insulin pumps – due to a cybersecurity vulnerability.
If exploited, that flaw would have allowed unauthorized individuals to instruct the affected pumps to either under-deliver or over-deliver insulin (see: Medtronic Insulin Pump Devices Recalled Due to Serious Risks).
Daniel dos Santos, who heads security research at security firm Forescout Technologies, says the vulnerability identified in the Medtronic MiniMed 600 Series pump product is serious enough to warrant an FDA warning, but there are several mitigating factors to help reduce the risk posed.
“One is that the attack requires physical presence. Another is that it affects a proprietary wireless protocol, which requires specialized knowledge from a potential attacker,” including radiofrequency characteristics of the protocol involved, he says.
Also, the latest vulnerability appears to allow an attacker “to hijack a connection but not to record and replay traffic or intercept and modify it,” as was the case in the October 2021 product recall involving the Paradigm and 508 MiniMed insulin pumps, he says.
Dos Santos says that there have been other examples of similar problems in the communication protocols of various medical devices, also creating certain risks, as well as vulnerabilities on standard wireless communication protocols, such as Bluetooth, that can affect medical device performance.
Overall, dos Santos says there are positive and negative aspects in the latest Medtronic device problem. “The positive is that the issue was found and communicated by the manufacturer itself, which means that there was no need for an external security researcher to find it and disclose it,” he says.
“This also means that Medtronic takes security seriously and is open to reporting existing issues on their devices even if they have not been exploited. The negative is that now the manufacturer is asking patients to turn off a feature that is on by default.”
Vidya Murthy, chief operating officer at medical device security firm MedCrypt, says the latest alerts from the FDA and Medtronic are continuing a trend that she sees in terms of maturing by regulators and medical device manufacturers in general when it comes to cybersecurity.
“Understanding software inherently is different than regulating or developing a pill – it’s critical to understanding how the ecosystem is changing,” she says. “This is underlined by collaboration and coordination across the community in sharing vulnerabilities, potential impact and strategies to mitigate.”
To mitigate its latest cybersecurity problem, Medtronic recommends that MiniMed 600 Series users turn off the “remote bolus” feature on the pump and only connect or link devices in nonpublic areas.
Medtronic also says that the “remote bolus” capability is on by default, so users should turn off the feature even if they have never used that functionality.
Medtronic also recommends that users take the following precautions:
- Ensure that the pump and connected system components are always controlled by an authorized user.
- Be attentive to pump notifications, alarms and alerts.
- Immediately cancel any boluses not initiated by authorized personnel and monitor blood glucose levels.
- Disconnect the USB device from the computer when not downloading pump data.
- Never confirm remote connection requests or any other remote action on the pump screen unless it is initiated by the individual or another authorized user.
- Do not connect or allow any third-party devices to connect to the pump.