The Food and Drug Administration has issued a warning to patients and health care providers that a pair of Medtronic insulin pumps are being recalled because of potential cybersecurity risks, according to a press release.
The affected devices are the MiniMed 508 and MiniMed Paradigm series insulin pumps, which wirelessly connect to both the patient’s blood glucose meter and continuous glucose monitoring system. A remote controller and CareLink USB – a thumb-sized wireless device that plugs into a computer – are used to operate the devices; the remote controller sends insulin dosing commands to the pump and the CareLink USB can be used to download and share data with the patient’s health care provider.
The potential risk involves the wireless communication between the pumps and related devices such as the blood glucose meter and remote controller. The FDA has identified a cybersecurity vulnerability within the insulin pumps, and is concerned that a third party could connect to the device and change the pump’s settings. Insulin could be given in excess, causing hypoglycemia, or stopped, causing hyperglycemia or diabetic ketoacidosis.
Medtronic has identified 4,000 patients in the United States who are affected by the security weakness. Because the company is unable to adequately update or patch the device to remove the weakness, the FDA is working to ensure that Medtronic addresses the issue in any way possible, including helping patients with affected pumps switch to newer models.
“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant. The safety communication issued today contains recommendations for what actions patients and health care providers should take to avoid the risk this vulnerability could pose,” said Suzanne Schwartz, MD, MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation.
Find the full press release on the FDA website.
