Some insulin pumps vulnerable to hacking, FDA warns amid recall

Grant Boone
June 30, 2019

Medtronic is recalling several models of its insulin pumps after the Food and Drug Administration warned patients and healthcare providers that the devices are vulnerable to cyber threats that could lead to serious health risks.

Medtronic can't update the MiniMed 508 and Paradigm insulin pumps well enough with any software or patch to address the devices' risks, the FDA says.

The FDA says that they are "not aware of any confirmed reports of patient harm related to these potential cybersecurity risks" and ICS-CERT added that there are now no known public exploits for targeting this vulnerability.

Health implant maker MedTronic is recalling some of its insulin pumps following the discovery of security vulnerabilities in the equipment that can be exploited over the air to hijack them.

A spokesperson for Medtronic Canada declined to say how many customers were affected but said the company has notified anyone who purchased the pumps in the past and may not have already upgraded. See the full list of recalled pumps here. If you have one of those pumps, they recommend you switch to different models.

Trump says Huawei can purchase from American suppliers
Tensions have been rising between the two global superpowers for nearly a year now, with neither seeming willing to compromise. China is expected to release a statement later on Saturday, while Trump will address trade friction at a press conference.

Insulin pumps offer a convenient way to maintain blood glucose levels, compared with repeated insulin injections.

That means someone with malicious intent could feasibly direct the pump to over-deliver insulin, potentially causing dangerously low blood sugar levels, or stop delivery entirely, to cause a spike in blood sugar and diabetic ketoacidosis.

"While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm, if such a vulnerability were left unaddressed, is significant", she added.

Roxane Bélanger of Medtronic Canada said the devices date from 2015 and earlier, and the company is unable to upgrade the software to improve their wireless security. "This is part of the FDA's overall effort to collaborate with manufacturers and health care delivery organizations-as well as security researchers and other government agencies-to develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle", said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science and Strategic Partnerships in the FDA's Center for Devices and Radiological Health in a statement. A patient can also upload their data so they can track it and share it with their doctors. DHS' prior notices include a warning about another weakness affecting MiniMed 508 pumps.

Thus far, Medtronic has identified 4,000 patient users (in the US) who are vulnerable to this issue.

Other reports by

Discuss This Article

FOLLOW OUR NEWSPAPER