Certain insulin pumps at risk for hacking

July 12, 2019

Certain models of the MiniMed insulin pump were recalled by its manufacturer Medtronic due to potential cybersecurity risks related to the pumps’ wireless communication with other devices, such as glucose meters and monitoring systems.

Certain models of the MiniMed insulin pump were recalled by its manufacturer Medtronic due to potential cybersecurity risks related to the pumps’ wireless communication with other devices, such as glucose meters and monitoring systems.

Because of the vulnerabilities, a hacker could potentially connect wirelessly to a nearby insulin pump and change its settings. This could allow insulin to be overdelivered to a patient, leading to low blood sugar, or to stopping insulin delivery, leading to high blood sugar and diabetic ketoacidosis. An estimated 4,000 patients are affected by the recall.

Medtronic cannot update the MiniMed 508 and MiniMed Paradigm series models, so the U.S. Food and Drug Administration is advising patients using them to switch to a model with more cybersecurity protection.

While waiting for a replacement pump, patients are advised to try to keep their pump and connected devices within their control at all times. To date, the FDA says it is not aware of any patient harm related to the risks.

“The FDA urges manufacturers everywhere to remain vigilant about their medical products-to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them,” Suzanne Schwartz, MD, MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation for the FDA said in a news release. “This is part of the FDA’s overall effort to collaborate with manufacturers and health care delivery organizations-as well as security researchers and other government agencies-to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle.”

A list of all affected pumps is available here.