Serious risk to patients prompted the FDA recall of Medtronic insulin pump devices

October 25, 2021

Earlier this week, the US Food and Drug Administration issued an advisory warning patients about the risk of Medtronic insulin pump devices used for wireless insulin pumps. The FDA also initiated an expanded recall of the remote-controlled pumps.

The FDA identified the situation as a “Class I” recall due to the severity of the incident. It is placed in Class I mainly because it might result in severe injury or, in extreme cases, death.

The recalled remote controllers are used with either the MiniMed Paradigm family of insulin pumps or Medtronic’s MiniMed 508 insulin pumps. According to the FDA, these products were recalled because of the dangerous potential for cybersecurity exploitation. A researcher identified a vulnerability related to the MiniMed Paradigm and another corresponding remote controller.

 

How compromised is the Medtronic Pump? 

Medtronic elaborated that using the MiniMed Paradigm family of insulin pumps together with the remote controller allows a diabetic patient to self-deliver a bolus without physically operating their insulin pump. A bolus is a dose of insulin provided by a pump.

The company also added that it enables the patient or any authorized person to efficiently deliver a bolus to help keep their blood glucose in range.

Though the device’s purpose is to benefit patients, the researcher found a vulnerability that people with bad intentions can exploit. The pump can be accessed remotely, so an attacker can use it by copying the wireless radio frequency. If the frequency is imitated, the threat actor can potentially deliver a malicious amount of insulin that can be fatal to the patient.

To explain further, an unauthorized individual can control the pump at will. The pump can be instructed to limit the delivery of insulin, which can lead to high blood sugar, or to over-deliver it to a patient, resulting in low blood sugar. Either way, it can be lethal to patients if no proper action is taken.

Healthcare providers and caregivers who attend to people with diabetes are also affected if they are currently using the MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps. 

The FDA specified that the affected remote controllers are the older models that use previous-generation technology. It also added that Medtronic is no longer manufacturing and distributing these controllers.
