Note. Naked Security cannot provide medical advice nor answer questions about specific Medtronic devices. If you’re concerned please contact your health professional or Medtronic directly on (US) 855-275-2717.
US medical equipment giant Medtronic has announced the immediate recall of all MiniMed 508 and Paradigm series insulin pumps after researchers uncovered serious security flaws which can’t be patched.
The news emerged last week when the company started sending recall letters to all US users of the device, a warning echoed by a public alert issued by the US Food and Drug Administration (FDA).
According to the FDA, Medtronic has identified around 4,000 US patients using affected models although an unknown number of others (including patients in other countries) will have received them through third parties.
This is still a relatively small number, which is perhaps explained by the fact that both pumps are older models dating back to 2012 that were withdrawn from sale in October 2018.
The pumps
The job of a pump is to deliver insulin to a patient throughout the day via a catheter implanted under the skin, which removes the need for regular injections to maintain stable blood glucose levels.
However, to do this, the pumps need to connect to a separate continuous glucose monitor (CGM) sensor which for a decade or so has been implemented wirelessly using Bluetooth.
The final element of the system is the CareLink USB, which plugs into a computer and gives patients a way to send the pump dosing commands wirelessly while sharing data with health providers.
The flaws
Neither Medtronic nor the FDA has revealed much about the flaws – nor who discovered them – but the alert states that the weaknesses lie in the way the wireless part of the system was implemented.
That’s significant because in March 2019, Medtronic issued a separate alert after Dutch researchers uncovered security vulnerabilities in the Conexus wireless protocol used by a wide range of the company’s implantable heart monitoring products.
While Conexus doesn’t appear to be involved in this latest alert, these incidents draw attention to the way wireless security, or the lack of it, was implemented in this generation of systems. The FDA said this could mean:
Someone other than a patient, caregiver or healthcare provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.
Bluntly, a hacker could tamper with the system to over or under deliver insulin to the patient with dangerous health consequences.
The good news is that Medtronic and the FDA are not aware of any attacks exploiting the flaws, which would also require an attacker to target a patient from their immediate vicinity.
This means the chances of any one patient being attacked are slim. Unfortunately, that’s little comfort because the pumps can’t be patched, hence the need for them to be replaced “with better cybersecurity controls,” said the FDA.
Medtronic has history when it comes to insulin pump flaws, falling prey in 2011 to security researcher Barnaby Jack’s discovery of separate wireless vulnerability in now-defunct models. That researchers are still discovering similar flaws in more recent equipment is pretty disappointing.
The wider issue is the difficulties companies have in finding and patching or replacing vulnerable equipment. This points to the lack of a system to track equipment once it has reached patients, a dangerous and unsatisfactory state of affairs for medical equipment.
What to do
It’s a simple recall – all affected models (see below) are being recalled and replaced with more recent equivalents. According to Medtronic, in some countries outside the US, a newer model might not be available, in which case users will be forced to continue using their pumps by taking a number of “cybersecurity precautions”.
If a pump is one of the following models (software versions can be determined by following Medtronic’s instructions) it will need to be replaced:
- MiniMed 508
- MiniMed Paradigm 511
- MiniMed Paradigm 512/712
- MiniMed Paradigm 515/715
- MiniMed Paradigm 522/722
- MiniMed Paradigm 522K/722K
- MiniMed Paradigm 523/723
- MiniMed Paradigm 523K/723K
Non-US models:
- MiniMed Paradigm 712E
- MiniMed Paradigm Veo 554CM/754CM
- MiniMed Paradigm Veo 554/754
To avoid confusion regarding the MiniMed brand name, the following pump models are NOT affected:
- MiniMed 620g
- MiniMed 630g
- MiniMed 640g
- MiniMed 670g
More information on the exchange programme can be found on the company’s website.
anonymous coward
This has been a plot device in at least two TV dramas involving a murder, both several years ago. How this escaped the attention of the device manufacturer, until now, truly escapes me.
Lisa Vaas
Cynics in the diabetic community don’t believe that it *has* escaped Medtronic’s attention. Many in the looping community—the open-source DIYers who are hacking these old pumps to create a closed loop system that enables communication between insulin pumps and continuous glucose monitoring systems so that an algorithm (with settings that users can specify, as opposed to those determined by the FDA and pump manufacturers to be safe) can automate insulin delivery—believe that Medtronic is just moving to prevent clinicians from handing over hackable pumps to Loopers. Medtronic can’t grab the pumps that users are hacking, but it can get them back from clinics, thus limiting the spread of the looping phenomenon.
A small selection of comments from the Looped group on Facebook:
“This recall is forcing them to hand over any and all Loopable pumps. The headlines focus on 508 but devil is in the detail. 522/722 523/723 is there as well. This will constrain the older pumps that they (pump trainers) can hand over to Loopers. Yes this is old news for us Loopers. What’s different about this is that it is forcing healthcare professionals to hand them over.”
“But this isn’t a new thing. It’s not news that the old Medtronic pumps are hackable. They just don’t want people on them anymore because they’re being hacked to loop with and they love their precious 670g”
“They just want to sell new product. One thing they can’t/don’t do yet, is planned obsolescence, that is making stuff so it will break early, like the car manufacturers do. At least their stuff seems to last once it’s built. This whole new push to wrangle old loopable pumps , makes me question their sincerity in working with the DIY community, like they have recently said they would. The almighty dollar is always the first and last concern for them.”
anonymous coward
Thanks for sharing that information, which is possibly the most ridiculous conspiracy theory I’ve heard in weeks. Recalls are costly and terrible for a brand’s image. There is no upside for Medtronic here, except preventing injuries or deaths. They will absolutely lose money long-term over this, both in missed sales, litigation, managing the recall, shipping, recycling parts into new devices, and customer support.
These “looper” theorists are crazy.
Lisa Vaas
What missed sales? They’re recalling pumps that haven’t been sold for years and that are out of warranty.
What litigation? Nobody’s been harmed. Do you have details of impending or in-process litigation? If so, please share.
As far as managing the recall goes/shipping/recycling parts into new devices, I don’t have details about that, so if you do, again, please share. Regardless, I don’t imagine there are many pumps out there. We’re talking old products that are few in number, going by how valued the out of warranty pumps are in the looping community.
This is not a massive recall: this is Medtronic getting old pumps back from clinicians. Maybe they’ll lose money long-term, maybe not. You haven’t provided any actual proof that the company will indeed lose money, so perhaps the notion that the company will be harmed by, say, litigation (that hasn’t yet happened) (has it?) is a theory. Perhaps a crazy theory, perhaps not; I’ll refrain from judging until I see actual proof one way or the other.
Paul Ducklin
I assume what the OP meant by ‘missed sales’ is the effect that any product recall has on a brand’s reputation and people’s willingness to stick with it in the future. Faced with two similar products from two similar companies, one with a recall of earlier products to its name, and the other recall-free, which would you be more inclined to choose?
You could argue that a small-scale recall of out-of-warranty devices is even worse for a brand’s reputation than a much bigger recall in which current models are swapped out for updated equivalents, because it advertises the brand’s problems to everyone, but doesn’t offer a ‘better’ solution to current users.
If someone told me my bicycle frame might crack and I should take it in for a new one for free, I think I’d actually be more comfortable with that outcome than hearing that the previous year’s model needed returning right away… but my version wasn’t eligible for replacement, even though it was substantially similar.
anonymous coward
Paul,
You hit the nail on the head. Recalls cause reputational damage, a marketing and risk management term that typically includes loss of future sales, for exactly the reason you gave.
There is even a category of insurance sold for just this scenario, whether a company’s reputation sours because of a spokesperson scandal, a manufacturing recall, or publicity surrounding customer injuries.
“A good name is more valuable than good oil.” (Ecclesiastes)
As for litigation, every recall produces litigation or is a symptom of litigation. Previous Medtronic insulin pump recalls have resulted in litigation. This one will, too.
Recalls always cost money. Google “costs associated with recalls.” First result brings up an article that explains it more clearly than I could.
It doesn’t matter the industry or the size of the recall. It’s always a net loss for the company doing the recall. That’s why they always resist recalls and regulators always have to twist arms to get a recall initiated.
Recalls cost so much money that some companies have hidden risks and let people die, rather than initiate recalls.
Elena
Just called the local Medtronic helpline, only to find out that nobody “rushes” (or even cares, for that matter) to recall these devices in our country “because no actual attacks on them have been registered”. So someone must suffer serious damage or die for Medtronic to recall their potentially dangerous products here.
Paul Ducklin
That seems to put a bit of a dent in the looper theory that it’s all a trick to get hackable devices out of circulation…