FDA issues cybersecurity warning about Medtronic insulin pumps

The Food and Drug Administration on Thursday warned patients and providers to be aware that certain Medtronic MiniMed insulin pumps are being recalled because of potential cybersecurity risks.

According to the regulatory agency, the recalled pumps include Medtronic’s MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps, which wirelessly connect to patients’ blood glucose meters and continuous glucose monitoring systems.

“The FDA has become aware that an unauthorized person (someone other than a patient, patient caregiver or healthcare provider) could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities,” states the agency’s safety communication. “This person could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.”

As a result, the FDA is recommending that patients with diabetes using MiniMed insulin pump models switch to devices that are better equipped to protect against these potential risks.

“The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them,” said Suzanne Schwartz, MD, deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science and Strategic Partnerships in the FDA’s Center for Devices and Radiological Health.

“Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” added Schwartz.

While the FDA says it is not aware of any confirmed reports of patient harm related to these potential cybersecurity risks, the agency notes that Medtronic is “unable to adequately update” the insulin pumps with any software or patch to address the vulnerabilities.

“Medtronic is providing alternative insulin pumps to patients with enhanced built-in cybersecurity capabilities,” according to the FDA’s announcement. “In the U.S., Medtronic has identified 4,000 patients who are potentially using insulin pumps that are vulnerable to this issue. In addition, Medtronic is working with distributor partners to identify additional patients potentially using these pumps.”
