FDA Warns Certain Insulin Pumps Could Be Hacked

The Food and Drug Administration issued a warning to patients using certain Medtronic MiniMed insulin pumps: The devices have cybersecurity risks and they should switch to more secure models.

“The FDA has become aware that an unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities,” the agency said in a statement Thursday. “This person could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.”

Insulin pumps are small computerized medical devices that are implanted under patients’ skin to deliver insulin, which helps regulate blood sugar levels. They are often used by people with types 1 and 2 diabetes as an alternative to periodic insulin injections. The MiniMed 508 and MiniMed Paradigm series of insulin pumps are those that are affected. 

“In the U.S., Medtronic has identified 4,000 patients who are potentially using insulin pumps that are vulnerable to this issue,” FDA said. “In addition, Medtronic is working with distributor partners to identify additional patients potentially using these pumps.”

Pamela Reese, Medtronic's global communications director, told Nextgov that the company began notifying customers about the potential for cybersecurity exploits through letters distributed Friday. The message suggests security researchers were the first to identify the pumps’ vulnerability.

Reese said the models in question are from 2012 and earlier and noted that the devices don’t have the ability to be patched or updated wirelessly. 

“Currently none of our insulin pumps are capable of wireless software upgrades,” Reese said. “It’s a feature we’re working on in our innovation pipeline.”

While the primary fear is that an unauthorized person with special technical skills could potentially connect wirelessly to a device and control a person’s insulin delivery, Reese said the company has not received any confirmed reports of that happening or a device being compromised. 

“Medtronic provided its customers and their doctors with recommended security precautions when using their insulin pump,” she said. “In some countries, Medtronic will have programs in place to exchange one of these older pumps for a newer model.”

FDA said it’s working vigilantly to ensure the company addresses the issue appropriately. It recommends that patients notify their doctors immediately if they feel like their insulin delivery changed unexpectedly. The agency said it’s also helping patients who own impacted pumps switch to newer models that have more robust cybersecurity protections. 

“This is part of the FDA’s overall effort to collaborate with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle,” Suzanne Schwartz, an acting division director in the agency’s Center for Devices and Radiological Health, said.

Reese also noted that the warning should be treated as a “safety notification only.”

“Impacted pumps are not required to be returned because of this notification,” she said.