FDA warns of dangerous cyber vulnerabilities on Medtronic insulin pumps

The Food and Drug Administration (FDA) warned patients and health care providers using certain types of insulin pumps of cyber threats involving the devices, with the pumps recalled due to vulnerabilities that could lead to negative health consequences for users. 

Security researchers found cyber vulnerabilities in certain types of Medtronic MiniMed insulin pumps that could enable unauthorized users to connect wirelessly to one of these pumps if they are nearby to alter or stop the amount of insulin delivered to a patient.

The pumps recalled are Medtronic’s MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps.  

{mosads}Medtronic wrote in a letter to its customers on Thursday that it recommended switching to a different type of insulin pump and taking cybersecurity precautions with these existing pumps. Security steps included making sure all devices related to the pump were kept in patients’ sight at all times and monitoring blood sugar levels closely.

These pumps are computerized devices that allow for the delivery of insulin throughout the day through a catheter implanted under the skin of a patient. They are widely used by people with Type 1 or Type 2 diabetes. 

If a diabetic patient is given too much insulin, this could lead to low blood sugar, and if the insulin delivery is halted altogether, this could lead to high blood sugar levels or even diabetic ketoacidis, which is when acid builds up in the bloodstream. 

The FDA wrote that Medtronic is currently not able to “adequately update” the pumps to prevent the cyber vulnerabilities. 

The FDA noted that while it is not aware of any patients that have been harmed by the cyber vulnerabilities on the devices, the agency recommended that existing users of the MiniMed insulin pumps switch to different devices to avoid the cyber risks. 

An FDA cyber official said in a statement that “the risk of patient harm if such a vulnerability were left unaddressed is significant.” 

“Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users,” the FDA’s Suzanne Schwartz said. “However, at the same time it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.”