A vulnerability in an insulin pump made by medical device vendor Medtronic could allow a hacker to change the pump’s settings and control the delivery of the hormone, the Food and Drug Administration warned Thursday.
After security researchers demonstrated how an attacker could abuse a radio frequency protocol, which the pump uses to communicate with other devices, to inject and intercept data, the FDA told patients to switch to pump models with better cybersecurity protections. The advisory is the latest example of a health care company struggling to secure medical technology, which often is expensive and difficult to replace.
Norman “Ned” Sharpless, acting head of the FDA, said the agency wasn’t aware of any patient harm stemming from the software vulnerability.
While we are not aware of any patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant.
— Dr. Ned Sharpless (@FDACommissioner) June 27, 2019
Minneapolis-based Medtronic said it is recalling the affected “MiniMed” pump model, which was produced in 2012 and earlier. Medtronic, in a letter, advised patients to consult with their physicians before switching to another insulin pump model with stronger cybersecurity protections. Medtronic heart defibrillators were the subject of a separate advisory in March from the U.S. Department of Homeland Security, which said hackers could have changed settings in those devices.
In this case, Medtronic spokeswoman Pamela Reese told CyberScoop that roughly 4,000 “direct customers” in the United States could be using the affected pumps, and that the company is working with distributors to identify anyone else who might be using vulnerable equipment. “Most of our current customer base [is] already using insulin pumps that are not impacted by this cybersecurity concern,” Reese said.
Medtronic said it hadn’t received any “confirmed” reports of unauthorized tampering with the affected pumps. Asked if there were “unconfirmed” reports of tampering, Reese told CyberScoop: “On occasion, we’ve been alerted to a suspected tampering incident which we investigate thoroughly. But none of those investigations have ever confirmed an incident of this nature.”
The Department of Homeland Security also released an advisory about the vulnerability on Thursday, which said that no known exploits specifically target the protocol flaw.
Cybersecurity experts have credited medical device makers for being more willing to embrace vulnerability disclosure programs for their equipment, but have also said more of the industry should follow suit.