The Cybersecurity and Infrastructure Security Agency alerted to a medium-severity vulnerability found in Medtronic’s MiniMed 600 Series Insulin Pumps. Though it’s only exploitable from an adjacent network, healthcare entities are being warned to turn off the “remote bolus” feature to protect patient safety.
All MiniMed medical devices are affected by a protection mechanism failure, which would allow an unauthorized user on an adjacent network to deliver too much or too little insulin by interfering with the insulin bolus to slow or stop the flow.
However, exploitation would require the attacker to be within wireless signal proximity to the patient and the device “while the pump is being paired with other system components” and “advanced technical knowledge is required for exploitation.”
Despite the highly specific attack scenario, the severity of a possible attack prompted Medtronic to issue a notice to its healthcare clients as an “urgent medical device correction.” The FDA has listed the product under a “voluntary recall.”
To clarify, SC Media reached out to the vendor and a spokesperson explained the reference “does not always mean that you stop using the product or return it to the company. A recall sometimes means that the medical device needs to be checked, adjusted, or fixed.”
“In this case, we’re asking for customers who have one of these insulin pumps to turn off the remote bolus feature to eliminate their individual risk of unintended delivery of insulin and to avoid pairing the pump in public,” according to the spokesperson. “There’s no need to return any pump.”
Entities should “immediately cancel any boluses not initiated by authorized personnel, monitor blood glucose levels closely, and reach out to” to the Medtronic technical support team to report the bolus.
The vulnerability in question has been ranked a base score of 4.8, likely due to the complexity of the attack scenario. The notice is designed to warn providers to shut off the remote bolus function due to the severity of a successful exploit, where an attacker could learn the functions of the communication protocol used to pair system components.
Medtronic’s internal testing indicated a “remote likelihood of this issue occurring” because it would require an actor to be physically close to both the pump’s communication signal and have the technical know-how to achieve the hack. An exploit is not possible through the internet.
The FDA recall reflects the patient safety impacts and is notable given that Medtronic found the flaw through internal testing and voluntarily disclosed it, despite the limited likelihood of a successful exploit. As the FDA works to strengthen cybersecurity regulatory requirements for device manufacturers, the disclosure should serve as a model for finding and disclosing flaws to support providers with protecting patients.
Healthcare entities are urged to turn off the remote bolus feature on the pump and to only connect or link devices in a private place. The CISA alert explains that “turning off the remote bolus feature will ensure no remote bolus is possible.”
Medtronic also recommends ensuring the pump and connected components are always controlled by an authorized user and to be cognizant of pump notifications, alarms, and alerts. And providers should never share pump or device serial numbers with anyone outside of trusted partners.
The USB devices should also be disconnected from the computer when it’s not downloading the pump data, and “users should not confirm remote connection requests or any other remote action on the pump screen unless it is initiated by authorized care personnel.”
The CISA alert contains further remedial actions and all providers are being urged to reach out to the Medtronic support team if any suspicious activity is suspected on the impacted devices.