US FDA warns of cybersecurity risk to certain Medtronic insulin pumps

Henrietta Brewer
June 30, 2019

Specifically, the manufacturer is recalling its MiniMed 508 and Paradigm insulin pumps, along with the CareLink USB control hub and some blood glucose monitoring devices used with the at-risk gear.

In its warning, the FDA noted that these devices pose the risk of someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump's settings.

Abbott subsequently developed a software patch that could be uploaded to the device in the physician's office, but the FDA says Medtronic "is unable to adequately update the MiniMed 508 and Paradigm insulin pumps with any software or patch to address the devices' vulnerabilities".

The company is providing alternative insulin pumps to patients that have enhanced built-in cybersecurity features, according to the FDA.

The worst case scenario is that an attacker orders the device to either deliver additional insulin or stop administering the drug, causing the patient to suffer from low or high blood sugar, respectively.

"While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant", she said in part.

According to Medtronic spokesperson, In India, Medtronic is proactively informing the regulators and other relevant stakeholders and in the process of working with researchers, doctors and patients to address any questions or concerns that they may have.

Medtronic thinks there's no evidence that anyone using the pumps has been affected in this way, but says it has made a decision to recall the MiniMed 508 and MiniMed Paradigm series as a precaution and allow patients to switch to models with greater cybersecurity.

Medtronic is recalling some of its MiniMed insulin pumps because of the issue.

Pamela Reese, a communication director at Medtronic, said that the devices listed in the FDA safety notification "were first brought to market in 2012 or earlier" and that most Medtronic costumers are not now using them. FDA has yet to confirm a report of patient harm related to this recall. In a statement on Thursday, the FDA said Medtronic is now not able to "adequately update" the pumps to patch the risks. MiniMed™ 508 had been discontinued in India since 2011.

Thus far, Medtronic has identified 4,000 patient users (in the US) who are vulnerable to this issue. According to the company, some of these MiniMed pumps have a critical cybersecurity issue that can not be patched, leaving them permanently vulnerable to hackers who wirelessly access them.

Other reports by iNewsToday