USA - The FDA has alerted medical device users about a cybersecurity risk for the Medtronic MiniMed 600 Series Insulin Pump System, including MiniMed 630G and MiniMed 670G.
There is a potential issue associated with the communication protocol for the pump system that could allow unauthorized access to the pump system.
If unauthorized access occurs, the pump’s communication protocol could be compromised, which may cause the pump to deliver too much or too little insulin.
The MiniMed 600 series pump system covered by the agency's alert has several components that communicate wirelessly: the insulin pump, continuous glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device.
The FDA said an unauthorized person could gain access to a pump while it was pairing with other system components.
But so far, the FDA is not aware of any reports related to this cybersecurity vulnerability.
Medtronic also warned users about the risks and made recommendations, including permanently turning off the “Remote Bolus” feature on the pump, not sharing the device’s serial number with unauthorized personnel, and not conducting any connection linking of devices in a public place.
The company said, however, that hackers cannot gain access to the device through the internet.
The FDA is working with Medtronic to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability.
The FDA will keep the public informed if significant new information becomes available.
Baxter’s Sigma pumps at risk of hacking
In other news, Baxter’s Sigma pumps are at risk of hacking and data leaks. The flaws were discovered in April by cybersecurity consultants Rapid7, who reported them to Baxter later that month. Baxter is currently working on a software patch for the pumps.
The issues pertain to a particular firmware version of the pumps and several versions of its associated Wi-Fi battery, the US Cybersecurity and Infrastructure Security Agency said in an advisory on September 8.
Since the battery units store Wi-Fi credentials, if a hospital disposes of a device but fails to overwrite the stored data, anyone who acquires the pump on the secondary market could access critical Wi-Fi credentials for the organization.
Another vulnerability could result in service being denied, making the device unavailable.
To address one vulnerability, which risks data leaks or manipulation, Baxter has enabled authentication.
It has also updated its instructions to ensure that people who acquire batteries on the secondary market will not be able to access hospital Wi-Fi credentials.
Baxter is developing a software update for the denial-of-service flaw and a third vulnerability. It says users should restrict access to parts of their networks containing infusion pumps and monitor traffic for unauthorized communication.
The vulnerabilities do not directly affect any hardware or software components, but a hack of the battery could cause “a delay or interruption of therapy,” according to Baxter.
Cybersecurity concerns in the pumps were flagged in 2015 and 2020. Last year, Baxter issued a Class I recall of its Sigma pumps in response to reports of 51 serious injuries and three deaths over five years.