The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Vulnerability Identified in Medtronic MiniMed 600 Series Insulin Pumps

The Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued a warning about a recently discovered vulnerability that affects certain Medtronic insulin pumps. The flaw could be exploited by a malicious actor to manipulate patients’ insulin doses, resulting in too much or too little insulin being delivered.

The vulnerability affects the following Medtronic NGP 600 Series Insulin Pumps and their accessory components:

  • MiniMed 620G: MMT-1710
  • MiniMed 630G: MMT-1715, MMT-1754, MMT-1755
  • MiniMed 640G: MMT-1711, MMT-1712, MMT-1751, MMT-1752
  • MiniMed 670G: MMT-1740, MMT-1741, MMT-1742, MMT-1760, MMT-1762, MMT-1762, MMT-1780, MMT-1781, MMT-1782

The flaw exists in the communication protocol used by the pump system to pair with other system components. Successful exploitation of the flaw would allow a threat actor to slow or stop insulin delivery or trigger an unintended insulin bolus. The vulnerability cannot be exploited remotely by a threat actor over the Internet but could be exploited within wireless signal proximity to the patient and device. The vulnerability is tracked as CVE-2022-32537 and has a CVSS severity score of 4.8 out of 10 (medium severity).

Several factors limit the potential for exploitation: advanced technical knowledge is required, the flaw can only be exploited while the pump is being paired with other system components, and the attacker must be in close proximity to the pump. The FDA says it is unaware of any cases where the vulnerability has been exploited.


Medtronic has issued an urgent medical device correction warning about the vulnerability and has urged all users of the affected insulin pumps to take action to prevent exploitation of the flaw. In their default configuration, all of the above Medtronic NGP 600 Series Insulin Pumps are affected.

To prevent exploitation, Medtronic advises all users to:

  • Turn off the Remote Bolus feature on the pump if it is turned on.
  • Never conduct any connection linking of devices in public places.
  • Keep the pump and connected system components within their control at all times.
  • Be attentive to pump notifications, alarms, and alerts.
  • Disconnect the USB device from the computer when it is not being used to download pump data.
  • Never confirm remote connection requests or any other remote actions unless they are personally initiated or have been initiated by their care partner.

Further information on mitigations can be found in Medtronic’s urgent medical device correction notice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
