FDA issues new alert on Medtronic insulin pump security

The agency warns that older MiniMed devices – which have been recalled by Medtronic – could be hacked and remotely controlled, adding to the list of cyber concerns for IoT devices.
By Benjamin Harris
02:24 PM

Dr. Suzanne Schwartz, FDA's deputy director of the Office of Strategic Partnerships and Technology Innovation, says all device manufacturers should "monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities."

The list of connected devices susceptible to attacks has now expanded once again, as the U.S. Food and Drug Administration issued an alert on June 27 warning that some insulin pumps from Medtronic are vulnerable to hackers, who could remotely gain access to and control them.

WHY IT MATTERS
In the alert, FDA notes that Medtronic’s MiniMed 508 and MiniMed Paradigm series insulin pumps, which have been recalled by the company, are susceptible to remote access.

The company "has identified 4,000 patients who are potentially using insulin pumps that are vulnerable to this issue," according to the FDA, and is "working with distributor partners to identify additional patients potentially using these pumps."

The risks have to do with wireless communication between the MiniMed pumps and other devices such as blood glucose meters, continuous glucose monitoring systems and other medical devices, according to the agency.

"The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings," according to the alert. "This could allow a person to over deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis (a buildup of acids in the blood)."

The agency – which says it hasn't seen any confirmed reports of patient harm connected with this vulnerability – recommended that patients who know they use these models switch their pump "to other models that are better equipped to protect against these potential risks."

Medtronic is "providing alternative insulin pumps to patients with enhanced built-in cybersecurity capabilities," said the FDA alert.

THE LARGER TREND
Connected IoT devices already outnumber PCs and smartphones globally, according to some counts. The ratio is the same in many healthcare settings, which means they are as vulnerable as any other industry. Hackers do not discriminate among devices when it comes to exploitable weaknesses: if there is an opportunity to profit from it, consider an unsecured IoT device fair game.

Guarding against these intrusions means finding the soft points in an IoT network before someone with malicious intent does. Having an outside consultant perform a test to find vulnerabilities, or participating in an open hack day where researchers have an opportunity to find – and report – flaws, are positive steps toward plugging gaps in security before a hack occurs.

Insulin pumps are part of a growing number of IoT devices found susceptible to hacking. This weakness has made hospitals a rich target for ransomware attacks from cyber criminals. More devices in a healthcare setting means more network connections to secure and more threats to respond to. As the dangers mount, many hospitals are still not fully prepared. Galloway stresses that complacency, never a smart strategy, is beginning to stray into deadly territory.

"The potential attack vectors in medical IoT devices are restricted only by the imagination of hackers and security researchers," says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, in a statement. "Criminals have zeroed in on this new target, which they see as an inexhaustible source of money. The main motivation for hacking these types of devices is money.

"A popular position among small medical device vendors is that if there are no attacks in the wild, there's nothing to worry about, which relies on what's known as 'security through obscurity' – agreed upon by cybersecurity professionals as a bad approach," she added.

ON THE RECORD
"The FDA urges manufacturers everywhere to remain vigilant about their medical products – to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them," said Dr. Suzanne Schwartz, FDA's deputy director of the Office of Strategic Partnerships and Technology Innovation, in a statement.

"Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users," said Schwartz. "However, at the same time it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery."

Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.
Twitter: @BenzoHarris.