Omnipod® Improper Access Control

March 19, 2020

Cybersecurity Vulnerability Summary

Consumer safety is our number one priority. Insulet has industry-leading and comprehensive security controls, procedures, and cybersecurity capabilities in place to ensure the safety of our consumers and products. We continuously monitor our products throughout their lifecycle for potential risks. After extensive testing and research in conjunction with an independent third-party firm, a potential security vulnerability has been identified in the Omnipod® Insulin Management System that we want to bring to your attention.

This vulnerability may allow an unauthorized user to gain access to the Pod and to intercept, modify, or interfere with the wireless RF (radio frequency) communications between the Pod and the Personal Diabetes Manager (PDM). This may allow an unauthorized user to control insulin delivery.

It is important to note that Insulet has received no confirmed reports of unauthorized persons controlling insulin delivery using this vulnerability.

This vulnerability may allow a person to control the Pod with a device other than the PDM. Insulet is aware of a specific group of people with diabetes who have been able to replicate the Pod communication protocol using a smartphone and a bridge device, which in turn allows the Pod to be controlled from an unauthorized device. This practice is commonly referred to as Do-It-Yourself (DIY) and is not an intended use of the Omnipod Insulin Management System. Insulet has not provided the DIY community with any information or input on the product, nor has Insulet been provided with any information demonstrating that this form of off-label use is a safe use of the system.

This vulnerability does NOT exist in the Omnipod DASH® Insulin Management System.

Mitigations

The Omnipod Insulin Management System is safe to use as intended with a prescription. However, Insulet recommends that customers who are currently using the affected product and have questions relating to this matter contact Insulet Customer Care or talk to their healthcare provider about the risks of continued use.

Additionally, Insulet recommends all patients take the cybersecurity precautions indicated below:

  • Do not connect any third-party device to the system, and do not use any software not authorized by Insulet.
  • Be attentive to pump notifications, alarms, and alerts.
  • Immediately cancel any unintended boluses (a single dose of insulin administered all at once).
  • Monitor blood glucose levels closely and act as appropriate.
  • Get medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis, or if insulin delivery has changed unexpectedly.

The complete advisory on this vulnerability is published by ICS-CERT.

Affected Products

The following product is affected by this potential issue:

  • Omnipod® Insulin Management System

Product ID/Reorder number: 19191 and 40160

UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)

Additional Resources

US: Please call the Insulet Customer Care Team, available 24 hours a day at 800-591-3455.

International: Please call your country-specific Customer Care Team

Available 24/7 at: