At least 4,000 U.S. patients who are using Medtronic MiniMed insulin pumps are vulnerable to potential hacking. The company is working with distributors to identify additional patients who may be using the pumps that are now being recalled due to potential cybersecurity risks, according to an FDA notice issued Friday.
The agency said it is concerned that, due to cybersecurity vulnerabilities identified in the device, a hacker could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump's settings. This could allow a person to over-deliver insulin to the patient, leading to low blood sugar, or to stop insulin delivery, leading to high blood sugar and a buildup of acids in the blood.
FDA said it is not currently aware of any confirmed reports of patient harm related to these risks, but because the company cannot update the MiniMed 508 and MiniMed Paradigm pump models to address the vulnerabilities, the devices are being recalled. The agency said patients using these models should replace the devices with models that are better equipped to protect them from hacking. Medtronic is providing patients with alternative insulin pumps that have enhanced built-in cybersecurity capabilities.
Cybersecurity vulnerabilities have been an ongoing battle for Medtronic in the past year. In March, the Department of Homeland Security and FDA alerted healthcare providers and patients about cybersecurity flaws identified in a wireless telemetry technology used for communication between Medtronic's implantable defibrillators, clinical programmers, and home monitors. In that situation, however, FDA advised healthcare providers and patients to continue to use the devices as intended, because the system's overall design features help safeguard patients and the company was already developing updates to further mitigate that particular risk.
Last year the agency reported cybersecurity vulnerabilities affecting the company's N'Vision clinical programmer used in conjunction with certain neurological implantable therapies. Several of the company's peers have also experienced cybersecurity problems, including Abbott and Guardant Health.
“The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them,” said Suzanne Schwartz, MD, deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science, and Strategic Partnerships in FDA's Center for Devices and Radiological Health.
Schwartz said FDA is collaborating with manufacturers, healthcare organizations, security researchers, and other government agencies to develop solutions to address cybersecurity issues throughout a device's total product lifecycle.
“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm, if such a vulnerability were left unaddressed, is significant,” she said.
Any medical device connected to a communications network like WiFi or the Internet may have cybersecurity vulnerabilities that could be exploited by unauthorized users, Schwartz said. But at the same time, increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely healthcare delivery, she added.