How an obsolete medical device with a security flaw became a must-have for some patients with type 1 diabetes.
One day last June, Doug Boss pulled into a police-station parking lot to meet a stranger from Craigslist. His purpose: to buy used insulin pumps. Boss has type 1 diabetes, and he relies on a small pump attached to his body to deliver continuous doses of insulin that keep him alive.
To be clear, he didn’t need to buy used medical equipment on Craigslist. Boss, who is 55 and works in IT in Texas, has health insurance. He even has a new, in-warranty pump sitting at home. But he was thrilled to find on Craigslist a coveted old model that was made by the medical-device company Medtronic and discontinued years ago. What makes these outdated Medtronic pumps so desirable is, ironically, a security flaw. Boss was looking for a pump or two he could hack.
He’s not the only one. In 2014, a few hackers realized that the security flaw in certain Medtronic pumps could be exploited for a DIY revolution. Type 1 diabetes is a disease where the pancreas is unable to produce insulin to control blood sugar. For years, Boss had counted, down to the gram, the carbohydrates in every meal and told his pump how much insulin to dispense. Every cup of coffee (more insulin), every brisk walk (less insulin) turned into a math problem with serious consequences: Extremely high or low blood sugar can be fatal. The healthy pancreas does these “calculations” to adjust insulin automatically, and for decades researchers have worked toward creating an artificial pancreas that can do the same.
By 2014, the hardware components of a DIY artificial pancreas—a small insulin pump that attaches via thin disposable tubing to the body and a continuous sensor for glucose, or sugar, that slips just under the skin—were available, but it was impossible to connect the two. That’s where the security flaw came in. The hackers realized they could use it to override old Medtronic pumps with their own algorithm that automatically calculates insulin doses based on real-time glucose data. It closed the feedback loop.
They shared this code online as OpenAPS, and “looping,” as it’s called, began to catch on. Instead of micromanaging their blood sugar, people with diabetes could offload that work to an algorithm. In addition to OpenAPS, another system called Loop is now available. Dozens, then hundreds, and now thousands of people are experimenting with DIY artificial-pancreas systems—none of which the Food and Drug Administration has officially approved. And they’ve had to track down discontinued Medtronic pumps. It can sometimes take months to find one.
Obviously, you can’t just call up Medtronic to order a discontinued pump with a security flaw. “It’s eBay, Craigslist, Facebook. It’s like this underground market for these pumps,” says Aaron Kowalski, a DIY looper and also CEO of JDRF, a nonprofit that funds type 1 diabetes research. This is not exactly how a market for lifesaving medical devices is supposed to work. And yet, this is the only way it can work—for now.
By the time Boss decided to try looping, he had not gotten a good night’s sleep in a decade. Every night, the alarm on his glucose monitor would go off when his blood sugar dipped too low or climbed too high. He’d wake up, do math with a sleep-fogged brain, and either eat a snack or give himself extra insulin. Like many patients with type 1 diabetes, he was sacrificing sleep to stay alive.
OpenAPS changed that. To start looping with OpenAPS, Boss did also need to buy a mini computer called an Edison. The Edison receives data wirelessly from his continuous glucose monitor, runs an algorithm to predict future blood sugar, and tells the insulin pump how much to dispense every five minutes to prevent highs and lows. Boss could choose to monitor everything through his phone. But at night, he simply slept. “The sheer idea that I have a chance to sleep through the night ... ” he marveled to me. So many other loopers I spoke with echoed the sentiment. Jeremy Pettus, another looper, used to keep apple juice by his bed to guard against perilously low blood sugar. “One day my wife was like, ‘We haven’t bought you apple juice in a long time,’” he says. “That burden of having a dangerous low in the middle of my night completely disappeared.”
The looping algorithm makes these corrections throughout the day too. Laura Nally, another looper, described to me how she had always planned out her life hours in advance: Would she be walking a lot at work that day? Eating a meal in a couple hours? Taking a hot shower that could affect insulin absorption? “You’re always thinking, ‘What is the next thing I’m going to be doing?’” she says. With Loop, she still uses an app on her phone to tell the algorithm when she’s eating. (Same with OpenAPS, which is why both systems are technically “hybrid” closed systems rather than fully closed.) But if she is off by a few grams of carbohydrates or walks a little bit more than she expects, Loop can easily make real-time corrections. “Every decision we make, we’re trying to hit a bull’s-eye. With Loop, all I’m trying to do is get the dart on the board,” explains Erik Douds, who also uses Loop to manage his type 1 diabetes.
Loop and OpenAPS users tend to be a pretty self-selecting bunch, as the systems require buying your own equipment out of pocket and following detailed setup instructions. They also come with a bit of a learning curve. But according to one small study and many, many anecdotes, looping is, when done properly, both safe and better than a human brain at managing blood sugar. As the good word about looping has spread, demand for the few compatible models of Medtronic pumps has swelled.
Early on, loopers were often able to find old, compatible Medtronic pumps sitting unused in their own closets or a friend’s. Boss had actually gotten his first Medtronic pump from a cousin’s daughter before upgrading to a bigger version he found on Craigslist. Pettus, himself an endocrinologist, got his from a young woman who was his patient. “I have a cute little purple pump,” he says. Douds got his from a friend and looping evangelist whom he stayed with while traveling across the country. But when Nally wanted to start looping last year, she was living in the Bay Area, full of tech-savvy early adopters, and everyone she knew with a compatible Medtronic pump was already a looper. She was wary of buying one from a stranger online. Luckily, she ended up winning one of the periodic raffles for a loopable Medtronic pump in an online diabetes group. That’s how coveted the pumps have become.
An underlying security flaw is still the reason looping is possible with Medtronic pumps. (Would-be loopers are even told to watch out for old pumps whose software has been upgraded to fix the flaw.) The security issue doesn’t bother Boss, whose day job is in IT. There’s a tiny, theoretical risk that someone who knows his pump’s serial number and gets physically close can take over. But, he says, “if I drink coffee in the morning and forget to enter it into my phone, my blood sugar is going to be higher than normal.” The everyday risk of making such a mistake outweighs the remote risk of someone else hacking his pump.
A spokesperson for Medtronic wrote in a statement, “Patient safety is our first priority, and intentional device modifications can adversely impact device performance and put patient safety at risk. Medtronic strongly discourages intentional device modification of our insulin-pump systems.”
In the absence of official customer support, loopers have come to rely on one another. Rebecca Vitale told me the only reason she hasn’t quit Facebook is because she uses a group for Loop tech help. (Vitale is also friends with my partner.) From the group, she learned to cover her Medtronic pump in packing tape. The compatible Medtronic pumps, unlike newer models, are not waterproof, and their buttons are especially finicky around moisture. The packing tape keeps the pump just a bit more sweat-proof and waterproof. It’s a hack around a hack.
The looping community is so tight-knit that the person who wrote the code is sometimes the person answering questions. Hilary Koch, whose son loops, remembers spending two hours on the phone with one of the creators of OpenAPS. She tries to do her part too. “How you give back is, if you see somebody ask a question you know you can answer, you answer it,” she says. Boss also scours eBay for Edisons, which have been discontinued, and has given a few to people who want to loop, in return for a small donation to Nightscout, another open-source project used with OpenAPS to remotely access glucose data.
When the creators of OpenAPS, Dana Lewis and Scott Leibrand, shared their code back in 2015, they did so for free. They weren’t in it for money, and that ethos is still very much alive in the looping community today. And so, despite all the people clamoring for loopable Medtronic pumps, attempts to sell one to the highest bidder are met with swift backlash in the online community. The going price is usually about $500. “You’ll see posts for $1,000 to $3,000—and community members are like, ‘Haha, no,’” says Lewis. (The sticker price of new Medtronic pumps runs over $7,000.)
Since OpenAPS first became available, looping options have slowly expanded. Another group developed Loop for iPhone, which is more user-friendly in some ways but still requires an extra piece of hardware called a RileyLink.
A couple of other new options don’t even require Medtronic pumps—but they are currently limited in other ways. AndroidAPS, for example, runs on Accu-Chek or Dana pumps, which are approved in Europe and elsewhere, but not yet in the United States. The system also goes straight to an Android phone, eliminating the need for an extra device such as a RileyLink or an Edison. The manufacturer of Dana pumps consulted with the DIY looping community in developing its latest version.
Erica Potter liked the fact that her eight-year-old daughter would not need to carry around another part with AndroidAPS. But her family lives in the U.S., where no compatible pumps are sold. Through a contact in the diabetes community, Potter managed to find a medical-supply company in North Africa that would ship a Dana pump overseas. It came out to $2,000 with supplies and shipping. The setup has worked so well that Potter has ordered a second pump for her 6-year-old, who was recently diagnosed with type 1 diabetes. “I’m aiming for perfection because these are my kid’s organs,” she says. She is waiting for that second pump to ship right now.
More recently, loopers have started testing a hacked version of another pump called Omnipod, which is available in-warranty and tubeless. (Think about the convenience of AirPods versus regular earbuds, except for something that goes under your skin.) Public testing of the Loop-Omnipod system began just last week. Kate Farnsworth, who runs a Facebook group about looping and whose own daughter loops, saw her group gain 1,000 new members in just a few days, buoyed by interest in Omnipod. “I think we’ll have a lot of new loopers,” she says.
Even with these new options, DIY looping is still on the margins of the official health-care system: It means going overseas to buy pumps not yet approved in the United States. It means testing an experimental version with Omnipod. And in most cases in the United States, it’s meant finding old, out-of-warranty Medtronic pumps. Loopers with Medtronic pumps told me they worried their decade-old devices might break, and they’d have no way to fix them. Boss has a couple of backup pumps stockpiled. Kowalski, of the nonprofit JDRF, told me he once saw his brother, who also loops, watching soldering videos on YouTube when something broke. “People are doing wacky stuff,” he says. “We don’t want wacky. We want them to use things like they normally would.” JDRF, which is a major funder of artificial-pancreas research, has been working to make the technology mainstream.
In fact, the FDA approved a looping system from Medtronic called the MiniMed 670G in 2016, after the first people started using OpenAPS. The DIY loopers I spoke with had various reasons for sticking with their DIY setup, though: It gave them more flexibility in setting their target blood sugar. It allowed them to use their preferred glucose monitor rather than Medtronic’s.
A nonprofit called Tidepool is now collaborating on a clinical trial to get Loop approved by the FDA. It’s also partnered with the company behind Omnipod to make the next version of its pods officially Loop-compatible—a more formalized version of the DIY Loop-Omnipod system that hackers just made available for public testing.
JDRF, which is a funder of Tidepool, has put forth a vision of a “plug and play” artificial pancreas. Currently, Medtronic’s MiniMed 670G locks the patient into a Medtronic pump, a Medtronic glucose sensor, and Medtronic software. The idea, says Kowalski, is to have multiple compatible pumps, glucose sensors, and algorithms, so that patients can mix and match what they prefer. Looping, in whatever form, is almost certainly the future for type 1 diabetes. It might be all that kids today ever know.
Koch’s son is almost 13 now, old enough to start learning how to manage diabetes on his own. She reflected on the years of interrupted sleep, of weighing the carbs in every meal he brought to school, of ticking off minutes for his blood sugar to drop before he could eat a snack. He’s been looping for more than two years now, and some of those memories are starting to fade. “He will never know it like we did,” she says. “And I think that’s a wonderful thing.”