Medtronic’s MiniMed 600 Series Pump Faces Cybersecurity Vulnerability

A potential communication issue could open users to cyberattacks and hackers hampering insulin delivery.

Medical devices play a critical role in modern healthcare. But, with device importance comes the ever-increasing threat of cybersecurity breaches or potential entry points for bad actors. In the current industry, it is par-for-the-course to implement security measures into all devices to minimize such occurrences, but unforeseen circumstances are bound to occur.

One such circumstance is the recent urgent medical device correction from Medtronic, warning of a MiniMed 600 Series insulin pump system communication issue uncovered by the company. Medtronic reported in its Sept. 20 letter that these insulin pump systems were vulnerable to cyberattacks and that hackers could potentially hamper insulin delivery by accessing the device, administering too much or too little insulin to the device's recipient.

The MiniMed 600 series pump system includes MiniMed 630G with model numbers MMT-1715, MMT-1755, and MMT-1754, and MiniMed 670G with model numbers MMT-1780, MMT-1781, MMT-1782, MMT-1760, MMT-1761, MMT-1762, MMT-1740, MMT-1741, MMT-1742. This series has components that communicate wirelessly, such as an insulin pump, continuous glucose monitoring transmitter, blood glucose meter, and CareLink USB device.

According to the company letter and an FDA release, for unauthorized system access to occur, a nearby person without permission to access the system – a person other than the insulin recipient or care partner – would need to access the pump while it is being paired with other system components. The potential issue was identified by Medtronic through internal testing and showed that under specific circumstances, communication between pump system components could be compromised. Of note, Medtronic states that this cannot be done over the internet and there is no evidence to date that such an issue has occurred.

“Our internal testing has indicated there is a remote likelihood of this issue occurring as it would require physical proximity to the communication signal while the pump is being paired and advanced technical knowledge,” wrote Pamela Reese, director of global communications & corporate marketing, Diabetes Group at Medtronic, in a statement to MD+DI. “This also cannot be done through the internet. This notification relates only to the MiniMed 600 series pump systems and does not impact other Medtronic pump systems.”

In the unlikely event of successful access, however, unauthorized insulin amounts could be delivered through unintended insulin bolus or insulin delivery being slowed or stopped. Unregulated insulin amounts are highly dangerous, resulting in hypoglycemia which could potentially cause diabetic ketoacidosis, and hyperglycemia leading to seizure, coma, or death.

In response to the uncovered issue, Medtronic advised users to turn off the “Remote Bolus” feature on the pump if it is turned on. The company noted that the “Remote Bolus” capacity is on by default, so users should take the action to disable it even if the feature had not been used previously. The company urges users not to conduct any connection linking of devices in public places and to always keep the pump and connected system components within their control.

Additional recommendations written by Medtronic included:

  • Be attentive to pump notifications, alarms, and alerts.
  • Immediately cancel any boluses not initiated by the device user or care partner and monitor blood glucose levels closely. Also reach out to the Medtronic 24-hour technical support immediately to report the bolus. Turning off the “Remote Bolus” feature will ensure no remote bolus is possible.
  • Disconnect the USB device from your computer when not using it to download pump data.
  • Do not confirm remote connection requests or any other remote action on the pump screen unless initiated by the user or care partner.
  • Do not share pump or device serial numbers with anyone other than your healthcare provider, distributors, and Medtronic.
  • Do not use any software not authorized by Medtronic as safe for your pump.
  • Seek medical attention immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis.
  • Reach out to the company’s 24-hour technical support if you suspect a pump setting or insulin delivery has changed unexpectedly, without your knowledge.

“At Medtronic, patient safety is core to our mission,” said Reese, in her statement to MD+DI. “During internal testing, we discovered a potential issue that can result in unauthorized pump access. While we have no evidence of this having occurred, we are proactively asking our customers to follow all precautions outlined in the notification letter, including an option to turn off the Remote Bolus feature to eliminate their individual risk of unintended delivery of insulin and to avoid pairing the pump in public. We have coordinated closely with the FDA on this matter and aligned on the recommended steps for patients to take.”

For more information, company recommendations, and instructions on how to turn off the Remote Bolus settings, view the Medtronic notification letter and FDA statement.

To learn more about protecting your company or device from cybersecurity breaches and how to implement best practices, consider attending the BIOMEDevice Boston Master Class Cybersecurity Series on day two of the conference.
