Medical device company Medtronic issued an urgent recall of the remote controller for certain insulin pumps because they’re vulnerable to hacks. It’s possible for someone to copy the signals sent from the controllers to the pumps and deliver or block a dose of insulin, which could be dangerous for diabetic patients using the pumps.
In the recall statement, Medtronic said that it wasn’t aware of any situations where this type of hack has occurred. The company was first made aware of the issue in 2018 after an independent cybersecurity researcher found the vulnerability and told users about the problem. That initial alert told users how to disable the remote control feature when they weren’t using it.
Now, the company says people shouldn’t use the remotes. “After further review, Medtronic has determined that the potential risks associated with the MiniMed remote controller outweigh the benefits of its continued use,” it said in the recall alert.
Medtronic also put out a safety notice in 2019 warning about the risk of hacks in the same set of insulin pumps, the MiniMed 508 insulin pump and the MiniMed Paradigm family of insulin pumps. The Food and Drug Administration also got involved and put out a statement saying that the agency was concerned about the potential for someone to hack into the pumps and change the dose of insulin delivered to patients.
Experts have worried about the cybersecurity risks of insulin pumps for nearly a decade, since security researcher Jay Radcliffe broke into his own Medtronic pump onstage at a conference.
As more and more medical devices are connected to the internet and healthcare becomes a bigger target for ransomware attacks, worries about things like insulin pumps, pacemakers, and other products have only grown. “There hasn’t been a really high-profile case of a patient being killed or seriously harmed, but it’s just a matter of time,” Mike Johnson, a securities technologies expert at the University of Minnesota’s Technological Leadership Institute, told The Verge in September.