Medtronic Insulin Pumps Investigated for Hacking Risk

Medtronic has launched an investigation into the cybersecurity of its insulin pumps after acknowledging concerns that the pumps could be hacked and programmed to remotely overdose diabetes patients. 

The flaw lies in some models of Medtronic’s Paradigm insulin pumps and was revealed by McAfee, a security software manufacturer.

McAfee officials said such problems could exist in other drug pumps as well. More and more medical devices are beginning to rely on wireless technology and software that could be vulnerable to cyber attacks, McAfee warns.

Medtronic announced this week that it is asking software security experts to look into the problem, but there have been no known incidents of insulin pump hacking. About 200,000 patients currently use various Medtronic insulin pumps.

The problem first came to light in August at the Black Hat security conference in Las Vegas when Jerome Radcliffe showed an audience how easy it was to hack into an insulin pump and change the dosage from a distance. He did not acknowledge that it was a Medtronic pump until he felt that the company was downplaying the problem by releasing a press release in late August saying that the security threat was not a concern.

Since August, Radcliffe has worked with the Department of Homeland Security and the Computer Emergency Response Team (CERT) to push insulin pump vendors to address the problem seriously. Medtronic’s announcement of an investigation came after it received letters from both CERT and after Congress requested a Government Accountability Office (GAO) investigation into the issue.

Infusion pumps are small medical devices that deliver drugs into the body. They are increasingly worn by Type 1 diabetics as an alternative to daily injections of insulin by syringe or an insulin pen. However, hospitals also use infusion pumps to deliver a wide variety of drugs, such as antibiotics, chemotherapy and anesthesia drugs.

The Paradigm insulin pump and a number of other infusion sets by other manufacturers have had numerous problems in recent years. In April 2010 the FDA launched an infusion pump safety initiative that requires manufacturers to undergo more risk assessments before gaining approval for new or modified devices.

In 2009, a recall was issued for Medtronic Paradigm insulin pump Quick Sets after the company determined that about 60,000 infusion sets used with the pumps were defective and could give too much insulin to users due to an air pressure problem.

A number of Medtronic insulin pump lawsuits have been filed over diabetic-related injuries resulting from the defective infusion sets. The FDA issued a warning letter to the company over its manufacturing processes, noting that it had quality assurance problems and that the on-site medical professional hired to determine if there was a medical problem with the devices had only a high school diploma.

FDA reviewers found that the most common cause of death and injury from the use of either defective insulin pumps or from using them incorrectly was hypoglycemia; lower than normal blood glucose. However, the FDA also has identified a growing number of insulin pump-related automobile accidents.

Between 2006 and 2009, there were at least 29 adverse event reports of motor vehicle accidents associated with insulin pumps. In some cases, drivers wearing insulin pumps and suffering from low glucose levels lost consciousness or died while driving and crashed into other vehicles, drove off the road, into lakes, and even slammed into buildings at high speed.