Medtronic Reports Cybersecurity Flaw in Insulin Pumps

The flaw could make the devices vulnerable to hackers, according to the company.

The company's MiniMed Paradigm 511 pump was among the affected devices. (Photo from medtronicdiabetes.com)

Medtronic on Thursday reported a cybersecurity flaw in its older-model insulin pumps.

The company has notified customers that the flaw could make the devices vulnerable to hackers. If someone were to wirelessly connect to a nearby pump, they could change settings and control insulin delivery, which could lead to serious health problems.

In a June 27 letter to customers, Medtronic said it hasn’t received any reports of unauthorized users hacking the devices.

The product warning applies to a range of MiniMed Paradigm devices. The company has urged users to upgrade to newer models. About 4,000 patients use the older-model pumps.

“Due to this potential cybersecurity issue, we recommend that you speak with your healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection,” Medtronic said.

The U.S. Department of Homeland Security on Thursday issued a medical advisory about the cybersecurity risks. In the advisory, the department said the devices don’t “properly implement authentication or authorization.”

Medtronic looked into the issue after external researchers identified the flaw. Billy Rios, co-founder of QED Secure Solutions, in late 2018 spoke to CBS News about cybersecurity flaws with Medtronic’s pumps.

“There’s nothing stopping us from … taking them apart and hacking them,” Rios told the news station. “Anyone that has this device, that has one of these controllers, we can take it over.”

When reached for comment Thursday afternoon, Rios told TCB he began looking into the issue after other medical researchers first identified flaws in the devices.

“We couldn’t find a lot of technical details of what they found, so we decided to dive into it ourselves,” Rios said.

He confirmed that the devices had “very, very poor” authentication processes.

“What we can do is basically put out signals that activate any pump we want,” Rios said. “Even if you’re not sophisticated, you just run the program and it takes over pumps that are near you.”

Rios and his team of researchers have studied vulnerabilities in other medical devices, including pacemakers.
