Medtronic insulin pumps can be hacked to overdose patients

Connected medical devices are starting to pose real dangers to people relying on them to keep their health in check. The latest evidence comes from medical device vendor Medtronic, which is recalling a number of insulin pumps after discovering they are prone to hacker attacks.

Electronic insulin pumps are designed to automatically adjust the patient’s basal (background) insulin every five minutes based on periodic readings, helping patients avoid lows and rebound highs. However, some models sold by Medtronic can be hacked remotely by a sufficiently motivated attacker. Hacks can result in either over-delivery of insulin to a patient, leading to low blood sugar (hypoglycemia), or stopping insulin delivery, leading to high blood sugar (hyperglycemia) and diabetic ketoacidosis.

According to the advisory issued by the vendor, the settings can only be altered by an unauthorized person if they know the pump’s serial number, if they connect wirelessly from nearby, and if they have the necessary technical skills and the correct radio frequency equipment. Nevertheless, Medtronic is recalling affected models in a bid to eliminate all risk for patients relying on its products. A list of affected models is included in the advisory. These include the popular MiniMed 508 and MiniMed Paradigm Series insulin pumps.

The discovery was made by external researchers and subsequently confirmed by Medtronic’s own team of experts. Medtronic maintains that, as of the date of the notice, there were no confirmed reports of unauthorized persons changing settings or controlling insulin delivery because of the vulnerability in question.

“Due to this potential cybersecurity issue, Medtronic recommends that patients who are currently using the affected products speak with their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection, such as the MiniMed™ 670G insulin pump,” according to the advisory.

Several other recommendations are offered in the notice. Users are advised to consult the document and take the appropriate steps if they are using one of the affected models.

This is not the first time Medtronic has made headlines for a potential security issue found in its connected medical devices. Earlier this year, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent notice saying researchers had found critical vulnerabilities in Medtronic cardio defibrillators that, if exploited, could put lives at risk.
