According to the advisory, the affected insulin pumps are designed to communicate with Insulet’s personal diabetes manager device over wireless radio frequency (RF), but the RF communication protocol does not properly implement authentication or authorization.
Because of this vulnerability, an attacker with access to one of the affected pump models may be able to intercept and/or modify data, change pump settings and control insulin delivery.
The affected versions of the Omnipod insulin management system had the product ID/recorder numbers 19191 and 40160, with the UDI/Model/NDC numbers ZXP425 (10-pack) and ZXR425 (10-pack, Canada).
Insulet recommends that patients using the affected products talk to their healthcare provider about the risks of continued use and about the possibility of changing to the latest model, which includes increased cybersecurity protection.
The company also suggests that patients not connect their devices to any third-party devices or use software that isn’t authorized by Insulet. Users should also be attentive to pump notifications, alarms and alerts, immediately cancel any unintended boluses, monitor blood glucose levels closely and get medical help when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis if settings or delivery have changed unexpectedly.