Federal health officials indicate that certain Medtronic insulin pumps may contain cybersecurity flaws, which could allow hackers to gain access and change settings, exposing patients to a serious risk of injury or death.
The U.S. Food and Drug Administration (FDA) announced a Medtronic MiniMed insulin pump recall on June 27, after it was discovered that the wireless communication system used to control insulin doses lacks proper security protocols.
The recalled insulin pumps are small, computerized devices that deliver insulin to a patient throughout the day, via a catheter implanted under the skin. The devices are wirelessly connected to both the patient’s blood glucose meter and monitoring system to track glucose levels. The pumps connect to a CareLink USB thumb-sized wireless device that can be used to deliver insulin doses and download data about the patient’s glucose levels to monitor progress.
The FDA warns that the design of the Medtronic MiniMed 508 pump and MiniMed Paradigm series insulin pumps could allow someone other than the patient or healthcare provider to change insulin delivery settings and alter glucose level data.
The threat of a hacker changing these settings could be life-threatening for a patient. If a diabetic patient is given too much insulin, it could result in the development of severe hypoglycemia. If a patient receives an underdose of insulin, it could lead to high blood sugar and diabetic ketoacidosis.
The FDA is instructing patients to talk with their healthcare provider about a prescription to switch to a different insulin pump model with better cybersecurity protocols. Patients are being directed not to switch insulin delivery systems without first consulting with their doctor.
Until patients are prescribed a new insulin delivery system, FDA officials are warning patients to be attentive to pump notifications, alarms and alerts and to never share the serial number of the device. Patients should only connect their Medtronic insulin pump to other Medtronic devices and software and disconnect the CareLink USB device from the computer when they are not using it to download data from the pump.
Medtronic announced they will be offering an alternative insulin pump to approximately 4,000 patients who are currently using the recalled models across the U.S. According to the recall, a fast and effective software upgrade to add proper cybersecurity to the impacted devices is not readily available.
This is not the first time Medtronic implants were linked to cybersecurity concerns. Earlier this year in March, the FDA issued a safety communication about vulnerabilities with Medtronic ICDs or cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering the wireless telemetry system used to communicate and alter the implanted devices could be hacked due to a lack of security protocols.
Late last year in October 2018, Medtronic issued an Urgent Medical Device Correction to physicians, notifying them that more than 34,000 implantable pacemakers were vulnerable to hacking. Medtronic disconnected the devices from internet access for software updates as a result.