FDA Recalls Medtronic Insulin Pumps Due to Hacker Risk


The U.S. Food and Drug Administration (FDA) issued a warning to patients and the medical community about Medtronic MiniMed insulin pumps because some of the devices are vulnerable to hackers.  FDA recalls for cybersecurity problems are rare even though the agency and other experts have expressed concerns about medical device vulnerability for years.

FDA Recalls Medtronic Insulin Pumps

Certain models of Medtronic insulin pumps use software that is vulnerable to hackers.  Because the manufacturer is unable to issue any updates that can effectively protect against this threat, the FDA is recalling the pumps before any diabetic patients risk injury.

As of today, there are no confirmed reports of any patient harm related to Medtronic cybersecurity issues. In the best-case scenario, FDA recalls prevent patient injury entirely by warning the public and the medical community before any injuries or deaths occur.

The insulin pumps included in this recall are:

  • Medtronic’s MiniMed 508
  • MiniMed Paradigm Models:
    • 512/712, 515/715, 522/722, 522k/722k, 523/723, 523k/723k
    • 712E
    • Veo 554/754, 554CM/754CM

Patients using any of these insulin pumps should check the version number and contact Medtronic.  Like many FDA recalls, this one includes various versions.  Consumers can contact Medtronic to learn more about the risk and find out if they need an alternative pump.

What Can a Hacker Do to an Insulin Pump?

When the FDA recalls a medical device, it does so because continued use of the device presents a credible risk of harm to the user. Insulin pumps rely on a wireless connection to communicate with accessory devices including blood glucose meters, continuous glucose monitoring systems, the remote controller, and CareLink USB devices. The wireless connection is convenient for patients, allowing them basically unlimited mobility and the ability to wear their insulin pumps discreetly.

However, some Medtronic insulin pumps have vulnerabilities that would allow someone other than the patient to connect to the device wirelessly and alter the settings.  For a diabetic patient, this can cause very serious harm because without precise regulation of insulin, a diabetic patient’s blood sugar can reach dangerously high or low levels. This can result in:

  • Hypoglycemia
  • Diabetic ketoacidosis
  • Coma
  • Death

What Makes Insulin Pumps Vulnerable?

Diabetic patients often use computerized pumps like Medtronic’s to replace periodic insulin injections.  The devices deliver life-saving insulin to the patient via a small catheter implanted under the skin.  The vulnerability of the device is in the wireless connection.

The part of the pump implanted under the skin connects wirelessly to both the patient’s blood glucose meter and to the continuous glucose monitoring system.  The former provides information about blood sugar levels at a point in time, while the latter tracks levels throughout the day.  Therefore, hackers could exploit the wireless connection to change information in either system to prompt the patient to dose themselves incorrectly.

Alternatively, an unauthorized user may attack the dosing functions directly.  Both the remote controller and the CareLink USB are wireless devices as well.  These can be used to control the pump remotely and to download data about blood sugar levels.  Altering a diabetic’s insulin can have deadly consequences.  The unprotected wireless connection offers a window through which criminals could attack.

Normally, medical devices that are vulnerable to hackers can use software updates to protect their security, which is why FDA recalls about cybersecurity are so uncommon.  In the case of these insulin pumps, however, Medtronic is unable to issue any software update or patch to protect patients.

Why Would a Hacker Bother with an Insulin Pump?

Hackers who target medical devices block patient or medical provider access and demand a ransom to release them.  For the majority of hackers, terrorizing a single individual with an insulin pump probably won’t result in substantial financial gain.  However, targeting a large institution where many patients congregate, such as a hospital, may be incentive enough.  Hackers may attempt to exploit the vulnerabilities of individual insulin pumps in the hope of a large ransom from the hospital.

It would not be the first time hackers successfully held medical software for ransom.  Hackers are all too aware of the danger their nefarious interference poses. Furthermore, they know the urgency with which victims will try to regain control.

Who is at Risk in these FDA Recalls?

This FDA recall affects patients with type 1 or type 2 diabetes who use an insulin pump to maintain healthy blood glucose levels. Medtronic has identified 4,000 patients in the United States who may be using the recalled insulin pumps. There may well be more at-risk patients. The manufacturer is working with its partner distributors to identify any additional patients who may be using these pumps and are, therefore, vulnerable to attack.

The FDA is monitoring Medtronic’s progress in resolving this cybersecurity issue. However, patients who use the affected pumps should speak to their healthcare provider about switching to a more secure device.  Medtronic is providing alternative pumps with enhanced built-in cybersecurity capabilities to many affected patients.

FDA Advice to Manufacturers

In our increasingly wireless world, the FDA is urging medical device manufacturers to monitor and continually reassess the cybersecurity vulnerability risk of their products.  FDA recalls are most effective when they are proactive and can warn the public prior to any casualties.  The agency must rely on manufacturers to self-report cybersecurity issues in order for these recalls to prevent, rather than react to, patient injury.

Cybersecurity concerns are certainly now an unavoidable part of medical care.  Many medical devices use internet connections to function properly or communicate sensitive patient information.  The truth is any medical device connected to a communications network may have cybersecurity vulnerabilities.

As patients move in public or at home, medical devices can be hacked when connected to any type of internet connection. This includes:

  • Wi-Fi
  • Public internet or “hot spots”
  • Home internet
  • Satellite internet

Wireless medical devices offer a uniquely modern trade-off between convenient, real-time healthcare and the risk of exploitation by hackers.

Questions about Cybersecurity and FDA Recalls?

If you think you are the victim of a cybersecurity attack, you have options.  Medical device manufacturers have the responsibility to offer products that protect patients from cybersecurity threats. Likewise, hospitals also have a duty to protect patient information and prevent harm from hacked devices to the best of their ability.

If you have questions about cybersecurity and FDA recalls, contact Drug and Device Watch.  Our legal professionals can answer your questions and provide guidance if you have an injury due to a hacked device.  Call 1-888-458-6825 or contact us online to schedule a free consultation.
