
FDA Warns of Cyber Risk With Medtronic Insulin Pumps

Posted 27 June 2019 | By Ana Mulero 

Diabetics using Medtronic’s MiniMed 508 insulin pump and MiniMed Paradigm series should switch to newer models to avoid a potential cybersecurity attack, federal government agencies advised.
 
A US Food and Drug Administration (FDA) safety communication and a US Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) medical advisory are alerting patients with the models to a cyber vulnerability that could allow a nearby attacker to wirelessly connect to the pumps and control insulin deliveries.
 
Both FDA and ICS-CERT report that exploiting the vulnerability in the affected models could result in the insulin pumps delivering too much insulin (leading to hypoglycemia) or stopping insulin delivery (leading to high blood sugar levels and diabetic ketoacidosis). ICS-CERT also reported that the vulnerability could allow an attacker in close proximity to intercept patient data from the pumps.
 
FDA and Medtronic are recommending that patients replace the 11 models of affected MiniMed 508 and Paradigm insulin pumps with newer models that have better cybersecurity controls, because Medtronic cannot adequately update the affected pumps with software or patches to address the cyber risk. Medtronic points US patients to its MiniMed 670G, which became the first automated insulin delivery device for type 1 diabetes in 2016 and received expanded approval for pediatric use last June.
 
Suzanne Schwartz, a deputy director at FDA’s Center for Devices and Radiological Health, said that while the agency is “not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed, is significant.”
 
FDA reports that 4,000 US patients are believed to be using the affected pumps.
 
This is not the first time a three-way effort involving FDA, DHS and Medtronic has warned about cyber risks linked to the company’s devices. All three flagged hundreds of thousands of units of Medtronic implantable cardiac devices, programmers and home monitors as being vulnerable to cybersecurity incidents in March. FDA also issued a safety communication last month after becoming aware of a risk for premature battery depletion in Medtronic pacemakers.
