HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk

The United States Computer Emergency Readiness Team (US-CERT) and the Food and Drug Administration (FDA) have issued alerts about cybersecurity flaws in certain Medtronic insulin pumps.

The affected insulin pumps connect with other devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices using wireless RF. Vulnerabilities have been identified in certain MiniMed 508 and MiniMed Paradigm insulin pumps which could allow an attacker with adjacent access to an affected product to intercept, modify, or interfere with the RF communications to or from the product.

Consequently, it would be possible to read data sent to and from the device, alter the settings of the insulin pump, and take control of insulin delivery. An attack could therefore result in hypoglycemia, diabetic ketoacidosis, or death.

The flaw – CVE-2019-10964 – is due to the communications protocol not properly implementing authentication or authorization and has been assigned a CVSS v3 base score of 7.1 out of 10.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The flaw was uncovered by security researchers Nathanael Paul, Jay Radcliffe, and Barnaby Jack, Billy Rios, Jonathan Butts, and Jesse Young, with assistance provided by Medtronic.

The following devices are vulnerable:

  • MiniMed 508 pump – All versions
  • MiniMed Paradigm (511 pump, 512/712 pumps, 712E pump, 515/715 pumps, 522/722 pumps, 522K/722K pumps.
  • MiniMed 523/723 and 523K/723K pumps – Software versions 2.4A or lower
  • MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower
  • MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower

FDA deputy director of strategic partnerships and technology innovation Suzanne Schwartz said, “The risk of patient harm if such a vulnerability were left unaddressed is significant.” At this stage, no one is known to have exploited the flaw in a real-world attack.

While there are mitigations that can help to reduce the risk of exploitation of the vulnerability, Medtronic has been unable to develop a patch or software update that can correct the flaw. Consequently, the decision was taken to recall all affected insulin pumps and replace them with devices with more robust cybersecurity protections.

Medtronic says there are around 4,000 patients using the vulnerable insulin pumps in the United States. All have been asked to contact their care providers as soon as possible to arrange for their insulin pump to be replaced.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.