June 27, 2019
by Ana Mulero

FDA Warns of Cyber Risk With Medtronic Insulin Pumps

Diabetics using Medtronic’s MiniMed 508 insulin pump and MiniMed Paradigm series should switch to newer models to avoid a potential cybersecurity attack, federal government agencies advised.
 
A US Food and Drug Administration (FDA) safety communication and a US Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) medical advisory are alerting patients with the models to a cyber vulnerability that could allow a nearby attacker to wirelessly connect to the pumps and control insulin deliveries.
 
Both FDA and ICS-CERT report that exploiting the vulnerability in the affected models could result in the insulin pumps delivering too much insulin—leading to hypoglycemia—or stopping insulin delivery—leading to high blood sugar levels and diabetic ketoacidosis. ICS-CERT also reported that the vulnerability could allow an attacker in close proximity to intercept patient data from the pumps.
 
FDA and Medtronic are recommending that patients replace the 11 models of affected MiniMed 508 and Paradigm insulin pumps with newer models that have better cybersecurity controls as Medtronic cannot adequately update them with software or patches to address the cyber risk. Medtronic points US patients to its MiniMed 670G, which became the first automated insulin delivery device for type 1 diabetes in 2016 and received expanded approval for pediatric use last June.
 
Suzanne Schwartz, a deputy director at FDA’s Center for Devices and Radiological Health, said that while the agency is “not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed, is significant.”
 
FDA reports that 4,000 US patients are believed to be using the affected pumps.
 
This is not the first time such a three-way effort—involving FDA, DHS and Medtronic—warned about cyber risks linked to the company’s devices. All three flagged hundreds of thousands of units of Medtronic implantable cardiac devices, programmers and home monitors as being vulnerable to cybersecurity incidents in March. FDA also issued a safety communication last month after becoming aware of a risk for premature battery depletion in Medtronic pacemakers.