FDA warns of security risks in certain Medtronic insulin pumps

I totally agree @Terry4 - I think MDT is using this to target Loop and OpenAPS users.

This way, MDT can say, “Hey, we totally support what you’re doing here. Look we even signed onto the Tidepool Open protocol concept. It’s the FDA that’s forcing us to recall these dangerous pumps.”

My concern is will Medicare allow me to fill scripts for pumps that are on the list?

When I became Medicare-eligible in April, Edgepark was required (by Medicare) to get my pump model (522) and s/n.

As an aside, I keep hoping that ordering my supplies will get easier and more understandable as I get more experienced with being on Medicare, but I don’t have a warm and fuzzy feeling yet.

Most, if not all, of the pumps impacted are out of warranty. Most who had them got a newer Medtronic pump or switched to a different brand. The old pump is either saved as a backup, discarded, or potentially sold or given to a looper.
If Medtronic contacts me regarding my old 522 pump, they would not replace it due to recall, since it is out of warranty, and I have a current in-warranty pump, not recalled. And if they ask, I tell them I have no idea where my 2010 522 pump is.

I think Medtronic will do a “recall”, but few if any pumps would be returned. (Unless they offer cash for out of warranty pump).

1 Like

Or reverted to when the much-ballyhooed new hybrid closed-loop pump turned out to suck and the old pager-style thing was actually less aggravating to use as a manual pump than the bells-and-whistles version, yeah. Now if only there were a way to revert to the loop-able software version…

2 Likes

This is clearly the one and only motive and reason behind the Med “urgent field safety notification”. The number of people using DIY systems has grown to the point where DIY systems can no longer be ignored by Med, FDA or other players. But they do not want to have anything to do with DIY systems, and the super-old-turned-urgent notification is just a convenient way for Medtronic to mitigate any legal responsibilities.

I do not know about you, but I am seriously concerned by the cybersecurity issues 😉

More seriously, the “cybersecurity” term in the title of the notification is absurdly misleading, and is just meant to catch attention of the public, health-care providers, and news media.

4 Likes

Don’t you know these systems are ALREADY BEING HACKED!?!?

Y’know, by DIY loopers like yourself. I suspect that’s the hacking they’re most concerned with, yup. Still, panic is our only option! Get rid of that thing and buy yourself a shiny new 670G before it’s too late!!!

6 Likes

Not many security details were revealed.
My trust is less than I can spit a watermelon seed when there appear to be ulterior motives all “In The Name Of Security”.

I would question if there is ANY security risk AT ALL if the serial number of your pump is simply kept private and only shared with Tech Support. I suspect NOT.

IMHO ******** like this makes REAL security issues mostly ignored. The whole “Cry Wolf” thing…

3 Likes

I’m surprised that the FDA used the “cybersecurity” term. It seems hyperbolic to me, especially since these pumps are not connected to the internet. It would make more sense if Medtronic mentioned this in their press release, but they did not. I would think that a regulator, like the FDA, would try to restrain itself in its communication. I agree that the use of this loaded term is misleading.

4 Likes

I think we should encourage FDA to read Medtronic’s own statements from about 8 years ago about the exact same vulnerability. Mind you, these comments by Medtronic Editorial Team were posted on August 9, 2011, and the exact same issue is now regurgitated as an urgent (!??) cybersecurity (!??) risk almost 8 years later. I’ll just copy here the first question and answer for easy reference:

Q. First and foremost, should I be worried about wireless tampering of my Medtronic insulin pump?

A. No. After reviewing the research presented last week, we believe the risk of deliberate, malicious, or unauthorized manipulation of medical devices is extremely low. Therefore, we do not see a reason to believe that this is an issue of concern for Medtronic customers.

3 Likes

It’s too bad they don’t offer replacement of the 670G. Everybody’s stuck with that one until the warranty expires.

Threat vulnerability score is 7.1, so considered high compared to previous ones. Medtronic : Security vulnerabilities
Is this one against a new model or have they found a new vulnerability? I’m not seeing it.

I do LOVE that post, @Tony24. Always makes me laugh.

@Tim35,

It doesn’t seem like this should be a new warning at all, but an update to the previously disclosed ones. Looks like it has only just been submitted and NIST hasn’t looked at it yet.

2 Likes

Yes, I agree this is laughable from every aspect. Medtronic trying so hard to save its sinking ship while other companies are making REAL progress to make managing diabetes easier, more affordable, and find a cure.

4 Likes

Also confirms my suspicions Medtronic has a “friend” in the FDA…

3 Likes

I find it SO interesting that this urgent recall happens very shortly after there has been a great deal of media reporting in several mainstream, well-respected magazines about how DIY Loopers are using these old Medtronic pumps because they can hack into them and install new software that turns it into a looping system when paired with a Dexcom CGM. I am more concerned about Medtronic trying to protect their corner of the market for as long as they can for the flawed 670G from a reportedly much more reliable and effective piece of software employed by the DIY Looping community. Their answer to this obviously isn’t to improve their own software but to try and interfere with the competition’s access to the equipment that they use.

5 Likes

Good evening to all. In 2015, I retired, but I spent the last 12 years (out of 50) of my career as a cybersecurity engineer doing that work for all four military branches as well as for other organizations. I keep up my credentials just out of interest.

I’m no fan of Medtronic, but I have to agree with them in the sense that the cybersecurity risk to their pumps is EXTREMELY low, if I have my facts right.

My understanding is that in order to hack the pump you need a transmitter/receiver on the same frequency as Med uses to talk between the meter and the pump. The pump has a pretty low transmit range. That makes the real risk in the realm of a hit man with a contract to do in a specific pump user. That would make the cyber situation one of the lowest-level worries if I used a Medtronic pump.

What I don’t care for is Medtronic’s reaction to it all. Instead of fixing the problem, they chose to ignore it for a bunch of years. It’s not that hard to include encryption in your software.

Of course that’s all aside from the DIY issue. As far as I’m concerned, that’s in the realm of use outside of the intended use of the device. Great, as long as you accept responsibility. I keep a PC on an isolated Internet line for the sole purpose of getting it infected by viruses, just so I can develop safeguards for them. Not in the intended use of the PC, but that’s my responsibility.

2 Likes

This is the complete list of Medtronic pumps that the FDA warned against using due to the possibility of hacking. As many have said, this has been a known issue for some time, so no real news here. But according to the Washington Post this is the list. I was struck by the number of pumps on the list.

Note: I am a Medtronic ambassador. My opinions are my own. They did not pay me to say nice things about Medtronic devices or the company. OK, they sent me a shirt and a cup but even I am more expensive than that.

1 Like

@Rob5, Medtronic reported this vulnerability, I believe, and raised the risk assessment score considerably. “…Medtronic performed additional variant analysis and reported this vulnerability to NCCIC.” See section 3.4, titled “Researcher.”

What I don’t understand is why it isn’t connected to the previous filings. Is that because they typically just post an immediate report and let NIST look at it? Then they file it as amendments under the initial report, and that just takes some time?

It might be time for us to stop talking about this stuff too in-depth online.

I’m interested…it makes the officials look like pawns, and maybe Medtronic is kinda using them and being manipulative. But, maybe the process is that they just post all public alerts - make of them what you will. Then they come back with better analysis after some time.

It makes me uncomfortable that they cite Rios and Butts in this context. Didn’t they try to sue the ■■■■ outta Rios and Butts? I can’t recall. There was quite the to-do. A New Pacemaker Hack Puts Malware Directly On the Device | WIRED

This strikes me as highly manipulative and sitting somewhere between grossly unethical and illegal. I might think less of Dexcom for doing business with Medtronic.

This is not what DIY systems are doing. No one is hacking into pumps or installing any new software into the pumps at all. Widely used DIY systems are using pumps as insulin delivery devices without making any alterations to the pumps themselves. Instead, DIY systems are making use of the pump’s existing remote-control capabilities, as originally designed by the respective manufacturers, that’s all. The word “hacking” should never be used in conjunction with widely used DIY systems (Loop, OpenAPS and AndroidAPS). This may all sound like nitpicking (sorry about that), but it is important to be precise because the word “hacking” commonly raises associations with malicious or dangerous acts, breaches of security, increased risks, or such. In the context of DIY closed-loop systems, nothing could be further from the truth.

10 Likes

I agree with that statement. I am making a policy change moving forward and will watch my language.

2 Likes