WASHINGTON — The US Food and Drug Administration issued a warning on Thursday about a possible risk of hacking affecting some diabetes patients’ insulin pumps. Certain insulin pumps from Medtronic MiniMed have been recalled due to potential cybersecurity risks, and people who use those pumps are advised to switch to different models, according to the FDA.
In its warning, the FDA noted that these devices pose the risk of someone nearby connecting wirelessly and then potentially hacking into the devices.
Insulin pumps are small computerized devices that can deliver insulin therapy to diabetes patients in continuous doses or as a surge around mealtime to help them control blood glucose levels. According to the FDA, the hacker could possibly change the pump’s settings to either over-deliver insulin to a patient, which could lead to low blood sugar, or to stop insulin delivery altogether, which could lead to high blood sugar and a life-threatening complication called diabetic ketoacidosis.
In the United States, Medtronic has identified about 4,000 patients who are potentially using insulin pumps that are vulnerable to this issue, and the company is working with distributor partners to identify additional patients potentially using these pumps, according to the FDA.
“The FDA urges manufacturers everywhere to remain vigilant about their medical products — to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them,” Dr. Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science and Strategic Partnerships in the FDA’s Center for Devices and Radiological Health, said in a written statement.
“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant,” she said in part. “Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, at the same time it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.”
As listed on the FDA’s website, Medtronic is recalling the following insulin pumps:
- MiniMed 508 (with all software versions)
- MiniMed Paradigm 511 (with all software versions)
- MiniMed Paradigm 512/712 (with all software versions)
- MiniMed Paradigm 515/715 (with all software versions)
- MiniMed Paradigm 522/722 (with all software versions)
- MiniMed Paradigm 522K/722K (with all software versions)
- MiniMed Paradigm 523/723 (with software version 2.4A or lower)
- MiniMed Paradigm 523K/723K (with software version 2.4A or lower)
- MiniMed Paradigm 712E (with all software versions)
- MiniMed Paradigm Veo 554CM/754CM (with software version 2.7A or lower)
- MiniMed Paradigm Veo 554/754 (with software version 2.6A or lower)
A patient letter on Medtronic’s website details how to identify an insulin pump’s software.
Medtronic is providing patients with alternative insulin pumps that have enhanced built-in cybersecurity capabilities, according to the FDA.
Patients who have questions about replacing their pump can call Medtronic at 1-866-222-2584 or visit Medtronic’s website.
The FDA noted that to minimize the potential risk of a cybersecurity attack while waiting on a replacement insulin pump, patients should:
- Keep their insulin pumps and the devices that are connected to their pumps within their control at all times whenever possible.
- Not share their pump serial number.
- Be attentive to pump notifications, alarms and alerts.
- Monitor their blood glucose levels closely and act appropriately.
- Immediately cancel any unintended boluses.
- Connect their Medtronic insulin pump to other Medtronic devices and software only.
- Disconnect the USB device from their computers when they are not using it to download data from their pump.