The U.S. Food and Drug Administration announced Thursday that some high-tech insulin pumps made by Medtronic are being recalled for potential cybersecurity risks that could leave them vulnerable to hacking.
“An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery,” Medtronic said in a letter it sent to patients.
Altered insulin delivery could lead to dangerously high or low blood sugar levels, the company noted.
It sounds like the plot of a crime thriller, but both the FDA and Medtronic said there are no known cases yet of someone hacking an insulin pump.
Dr. Caroline Messer is an endocrinologist at Lenox Hill Hospital in New York City. She said it’s pretty hard to “imagine cyberterrorists plotting the deaths of patients with diabetes by manipulating the inputs in their insulin pumps.”
But she added that “out of an abundance of caution, it is clearly better for the FDA to take a proactive approach and recall Medtronic’s more vulnerable pumps.”
Dr. Joel Zonszein, director of the Clinical Diabetes Center at Montefiore Medical Center in New York City, agreed. He said that “cybersecurity vulnerabilities are a ‘side-effect’ of devices, and as is done with medications, we need to balance the benefits and harms.”
People with diabetes use insulin pumps — compact computerized devices — to deliver insulin throughout the day via a small tube inserted underneath the skin. The affected devices connect wirelessly to a patient’s blood sugar meter and to a continuous glucose monitor, which tracks a patient’s blood sugar level throughout the day. The pump’s data can also be uploaded to a computer and sent to the patient’s doctor.
The potentially vulnerable insulin pumps include Medtronic’s:
- MiniMed 508 (All software versions)
- MiniMed Paradigm (All software versions for 511, 512, 712, 712E, 515, 715, 522, 722, 522K, 722K)
- MiniMed Paradigm (Software versions 2.4A or lower for 523, 723, 523K, 723K)
- MiniMed Paradigm Veo (Software version 2.6A and lower for 554, 754)
- MiniMed Paradigm Veo (Software version 2.7A and lower for 554CM, 754CM)
Medtronic said customers in the United States should speak with their health care providers about switching to a newer model insulin pump, because the newer models have increased cybersecurity. The cost of any upgrade will depend on the patient’s insurance coverage, the company noted. Until the end of 2019, Medtronic is also offering users of recalled pumps an exchange to a newer, safer model from the company for a discounted price of $399.
More recent Medtronic insulin pumps, such as the MiniMed 620G, 630G, 640G and 670G, are not affected by this vulnerability, according to Medtronic.
Zonszein believes that a vulnerability to hacking likely isn’t limited to the recalled devices. He noted that there are a number of people who have created do-it-yourself automated insulin pumps that aren’t regulated by the FDA. Because information to create these DIY systems is shared online, these devices could also be at risk, Zonszein said.
He believes health care providers also need to be careful with the information they gather from patients’ pumps. Proper firewalls are needed to maintain safety, confidentiality and privacy, according to Zonszein.
Read more about the recall on Medtronic’s website.