The United States Food and Drug Administration (FDA) has warned the healthcare sector of cybersecurity risks associated with the Medtronic MiniMed 600 Series Insulin Pump System. A malicious actor could exploit an issue in the pump system’s communication protocol, which may lead to unauthorized access to the device. With access to the device, the actor can manipulate the amount of insulin provided to deliver too much or too little. An attack of this nature can result in a seizure, coma, hyperglycemia, and death.
The MiniMed 600 series pump system is made up of wirelessly communicating components including the pump, continuous glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device. Through internal testing, Medtronic has discovered a possible problem in which, under some circumstances, unauthorized access might jeopardize the connection between the pump system’s components. For unauthorized access to occur, a nearby person would need to access the pump at the same time that the pump is being paired with other system components.
The FDA notes that no incidents involving the exploitation of the issue have occurred. However, Medtronic has issued an Urgent Medical Device Correction informing device users of a number of mitigations to reduce the risk. The mitigations include ensuring the pump is connected to system components within user control at all times, remaining attentive to pump notifications, alarms and alerts, promptly canceling any boluses that were not initiated by the user, disconnecting the USB device from the computer when using it to download pump information, and never confirming remote connection requests or any other remote action on the pump screen. Other recommendations include requesting medical assistance when experiencing symptoms of severe hypoglycemia, never accepting blood glucose readings that are not initiated by the user, never using software that has not been authorized by Medtronic, and permanently switching off the Remote Bolus feature on the pump. Medtronic has asked users to report any adverse reactions experienced when using the device to the FDA’s MedWatch Adverse Event Reporting program.