Cyberattacks target more than companies and governments. Millions of Americans using high-tech medical devices are also vulnerable to hackers.
We got a reminder of that deadly possibility this week as the federal government announced the recall of a hackable device used by people with a chronic illness. This isn’t the first time such a recall has occurred.
Fortunately, there have been no reports of deaths due to cyberattacks. We’ll tell you what product was recalled and what steps are being taken to prevent deadly hacks.
Hacked insulin pumps could turn deadly
The Food and Drug Administration (FDA) announced it is recalling certain Medtronic MiniMed insulin pumps due to potential cybersecurity risks. In the U.S. alone, Medtronic has identified 4,000 patients who are potentially using insulin pumps that can be hacked.
The small computerized pumps deliver insulin to a diabetic patient throughout the day using a catheter implanted under the skin. They are an alternative to injections. People with Type 1 or Type 2 diabetes may need an insulin pump when they require insulin to maintain acceptable blood glucose levels.
The affected Medtronic devices wirelessly connect to the patients’ blood glucose meter and a continuous glucose monitoring system. Using a remote control, patients send insulin dosing commands to the pumps. Patients also can use a CareLink USB to download data from the insulin pump to monitor their own progress.
Cybersecurity vulnerabilities identified in the MiniMed insulin pumps have the FDA concerned that someone other than a patient, caregiver or health care provider could connect wirelessly to a nearby pump and change the settings.
This could allow hackers to over-deliver insulin to a patient, leading to low blood sugar. Hackers could also stop insulin delivery, leading to high blood sugar and a buildup of acids in the blood.
The FDA says it is not aware of any patients being harmed by the Medtronic MiniMed insulin pumps due to hacking. But the agency warns patients and health care providers to remain vigilant against any medical device hacks.
“Any medical device connected to a communications network, like Wi-Fi or public or home internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” said Dr. Suzanne Schwartz with the FDA. “However, at the same time, it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient and timely health care delivery.”
The recalled pumps are Medtronic’s MiniMed 508 and MiniMed Paradigm series insulin pumps. The FDA says Medtronic is providing alternative insulin pumps with enhanced built-in cybersecurity capabilities. Medtronic also is working with its distributor to identify patients using the affected pumps.
Medtronic is unable to effectively update the recalled models of insulin pumps with any software or patch to address the devices’ vulnerabilities. The FDA is working with Medtronic to address the cybersecurity issues. The agency also is helping patients with the affected pumps switch to newer models with better security.
The following is a list of the recalled pumps:
- MiniMed 508 (all versions)
- MiniMed Paradigm 511 (all versions)
- MiniMed Paradigm 512/712 (all versions)
- MiniMed Paradigm 515/715 (all versions)
- MiniMed Paradigm 522/722 (all versions)
- MiniMed Paradigm 522K/722K (all versions)
- MiniMed Paradigm 523/723 (version 2.4A or lower)
- MiniMed Paradigm 523K/723K (version 2.4A or lower)
- MiniMed Paradigm 712E* (all versions)
- MiniMed Paradigm Veo 554CM/754CM* (version 2.7A or lower)
- MiniMed Paradigm Veo 554/754* (version 2.6A or lower)
The FDA is urging all patients with the affected pumps to call Medtronic at 1-866-222-2584 for information on replacement devices.
Hacking a constant threat
The insulin pumps are only the latest electronic medical devices the federal government has recalled or issued warnings about due to cybersecurity flaws. In April, a new study by the Department of Homeland Security found a critical vulnerability in a common health care device that thousands of people depend on each day.
Homeland Security found a host of flaws and holes in a range of implantable cardioverter defibrillators (ICDs) also made by Medtronic. The devices protect the patient after being implanted near their heart. The device’s onboard computer keeps track of heart rate and performance while relaying this data wirelessly to an internet-connected device.
Because of this sensitivity, Homeland Security posted a medical advisory warning of security vulnerabilities in a range of defibrillator products made by Medtronic.
These devices have wireless antennas that don’t encrypt data when broadcasting, allowing hackers to inject custom code into the ICD with a wireless device of their own. Best-case scenario, the hackers grab private medical data. Worst-case scenario, a patient’s life is put at risk.
In 2017, 460,000 pacemakers were recalled due to serious security flaws. That same year, 8,000 bugs made pacemakers hackable.
Over the past few years, the FDA has expanded its initiatives to keep medical devices hacker-free.