Vulnerability Identified in Medtronic MiniMed 600 Series Insulin Pumps

By | September 26, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued a warning about a recently discovered vulnerability that affects certain Medtronic insulin pumps. The flaw could be exploited by a malicious actor to manipulate patients’ insulin doses, resulting in too much or too little insulin being delivered.

The vulnerability affects the following Medtronic NGP 600 Series Insulin Pumps and their accessory components:

  • MiniMed 620G: MMT-1710
  • MiniMed 630G: MMT-1715, MMT-1754, MMT-1755
  • MiniMed 640G: MMT-1711, MMT-1712, MMT-1751, MMT-1752
  • MiniMed 670G: MMT-1740, MMT-1741, MMT-1742, MMT-1760, MMT-1762, MMT-1762, MMT-1780, MMT-1781, MMT-1782

The flaw exists in the communication protocol used by the pump system to pair with other system components. Successful exploitation of the flaw would allow a threat actor to slow or stop insulin delivery or trigger an unintended insulin bolus. The vulnerability cannot be exploited remotely by a threat actor over the Internet but could be exploited within wireless signal proximity to the patient and device. The vulnerability is tracked as CVE-2022-32537 and has a CVSS severity score of 4.8 out of 10 (medium severity).

Advanced technical knowledge is required to exploit the vulnerability, the flaw can only be exploited when the pump is being paired with other system components, and the attacker must be in close proximity to the pump, which limits the potential for exploitation. The FDA says it is unaware of any cases where the vulnerability has been exploited.

Medtronic has issued an urgent medical device correction warning about the vulnerability and has urged all users of the affected insulin pumps to take action to prevent exploitation of the flaw. In their default configuration, all of the above Medtronic NGP 600 Series Insulin Pumps are affected.

To prevent exploitation, Medtronic advises all users to turn off the Remote Bolus feature on the pump if it is turned on, and users should not conduct any connection linking of devices in public places. Users are advised to keep their pumps and connected system components within their control at all times, to be attentive to pump notifications, alarms, and alerts, to disconnect the USB device from the computer when it is not being used to download pump data, and never to confirm remote connection requests or any other remote actions unless they are personally initiated or have been initiated by their care partner.

Further information on mitigations can be found in Medtronic’s urgent medical device correction notice.

The post Vulnerability Identified in Medtronic MiniMed 600 Series Insulin Pumps appeared first on HIPAA Journal.