In an alert published on June 27 2019, the FDA said that certain Medtronic MiniMed™ insulin pumps carry potential cybersecurity risks and that patients with diabetes using these models should switch their insulin pump to other models.
The alert says: “The FDA has become aware that an unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities.” The alert goes onto say that a person could change a pump’s settings to either “over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.” Both are life-threatening.
According to the FDA website, Medtronic cannot update the MiniMed™ 508 and Paradigm™ insulin pump models to address these potential cybersecurity risks, meaning that patients are advised to replace affected pumps with models that are better equipped to protect them from these risks.
Medtronic was founded in 1949 as a medical equipment repair shop, which eventually went on to create a wearable, battery-powered cardiac pacemaker. The company is recalling the following affected MiniMed pumps and providing alternative insulin pumps to patients:
- MiniMed™ 508, All versions
- MiniMed™ Paradigm™ 511, All versions
- MiniMed™ Paradigm™ 512/712, All versions
- MiniMed™ Paradigm™ 515/715, All versions
- MiniMed™ Paradigm™ 522/722, All versions
- MiniMed™ Paradigm™ 522K/722K, All versions
- MiniMed™ Paradigm™ 523/723, Version 2.4A or lower
- MiniMed™ Paradigm™ 523K/723K, Version 2.4A or lower
- MiniMed™ Paradigm™ 712E*, All versions
- MiniMed™ Paradigm™ Veo 554CM/754CM*, Version 2.7A or lower
- MiniMed™ Paradigm™ Veo 554/754*, Version 2.6A or lower
This recall follows a report made by Siemplify last week that found that healthcare companies lacked maturity when it came to cybersecurity. The report was based on a survey of more than 250 security operations practitioners working at enterprises and managed security service providers (MSSPs).
To date, the FDA is not aware of any reports of patient harm related to these potential cybersecurity risks.
*Denotes patients are affected outside of the US.