Medtronic has had similar cybersecurity issues with remotes and external programmers on other implanted medical devices, including certain models of its pacemakers. The attack resembles those made against car key fobs—but the stakes are obviously much higher.

Primed For Disruption

Both Medtronic and regulators acknowledge that there is no way to patch the flaws on the affected insulin pump models, or to completely disable the remote feature. At first, the groups simply advised that patients manually turn off remote access if they wanted more protection. But that would mean forgoing the helpful, even potentially lifesaving, ability to let caregivers dispense treatment with a remote. Besides which, not every patient would hear about the security issues or remember to turn the feature off anyway.

Rios says the research group demonstrated its proof of concept app to FDA officials in mid-June of this year; Medtronic announced its voluntary recall program a week later. Suzanne Schwartz, the deputy director and acting office director of the FDA's Office of Strategic Partnerships & Technology Innovation, told WIRED that the eventual recall was the result of extensive risk assessment and analysis by Medtronic and the FDA considering findings from multiple researchers, including Rios and Butts, and weighing the public health risks of initiating a large-scale replacement action versus the risks of simply leaving the devices in the field. Medtronic readily offers that it has known about these vulnerabilities in its MiniMed pumps for years, even long before Rios and Butts' findings.

"Medtronic was first made aware of potential concerns in late 2011, and we began to implement security upgrades to our pumps at that time. Since then, we have released newer pump models which communicate in completely different ways," Medtronic said in a statement to WIRED. "Most of our current customer base are already using insulin pumps that are not impacted by this cybersecurity concern. Of the small number on these older pumps, it is difficult to predict how many may want to exchange for a new one." Medtronic has said that roughly 4,000 vulnerable pumps are currently being used in the United States.

The FDA's Schwartz says, though, that while the relevant models of MiniMed pump are not widely used in the US anymore, they have "a lot of usage worldwide." Part of the reason it took time to announce the voluntary recall, she says, was the difficulty of coordinating with regulatory agencies around the world to coordinate the voluntary recall on an international level. Medtronic did note in its statement to WIRED that, "in some countries, Medtronic will have programs in place to exchange one of these older pumps for a newer model."

Medtronic also disputes the use of the word "recall" in discussing its initiative to offer pump replacements to patients with a vulnerable model. "This was a safety notification only," the company says. "Impacted pumps are not required to be returned because of this notification." When asked whether it was accurate to describe the action as a "voluntary recall," Schwartz said the term was correct, and that the FDA is currently in the process of classifying the MiniMed recall, and will post the classification to its website in the coming months.

In the Loop

A full ban of the vulnerable pumps would have been impractical and even counterproductive, Schwartz says, because of their specific importance to a group of diabetes patients known as "loopers." Old MiniMed pump models are coveted precisely for their vulnerable, hackable nature. Loopers use the flaws in older MiniMed pumps to connect the devices with continuous glucose monitors implanted under their skin. When the two devices can talk to each other (completing the feedback loop) they can be programmed to automatically calculate how much insulin a person needs and deliver the dose automatically—essentially creating an artificial pancreas that does digitally what the organ usually does biologically.

"We’ve essentially just created a universal remote for every one of these insulin pumps in the world." Billy Rios, QED Security Solutions

This biohack is not officially approved by the FDA, but the agency has been working with manufacturers like Medtronic to bring formally approved "closed-loop" systems to market. Schwartz says that the FDA was cognizant of ensuring that any recall did not ban or outlaw a device that many patients specifically rely on, even knowing the risks.