FDA warns of possible cybersecurity risk with Medtronic MiniMed 600 Series insulin pumps
Click Here to Manage Email Alerts
The FDA has issued an alert warning people with diabetes using a Medtronic MiniMed 630G or MiniMed 670G insulin pump of a possible cybersecurity risk, according to an agency press release.
The MiniMed 600 series insulin pumps include wireless components, such as the pump itself, the continuous glucose monitoring transmitter, blood glucose meter and CareLink USB device. The FDA announced there is a potential issue with the communication protocol that could allow unauthorized access to the system.
According to the FDA and Medtronic, unauthorized access could compromise the pump’s communication protocol and cause it to deliver too much or too little insulin. For this to occur, a nearby unauthorized person would need to gain access to a user’s insulin pump while it is being paired with other system components. It cannot be done over the Internet.
Medtronic has issued an Urgent Medical Device Correction to inform users of the cybersecurity risk. The letter includes actions and recommended precautions users should take to avoid unauthorized access.
This is the second time in the past 4 years cybersecurity vulnerabilities have been identified in Medtronic MiniMed insulin pumps. As Healio previously reported, Medtronic recalled its MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps in 2019 due to cybersecurity vulnerabilities. This latest alert does not include a recall.
Neither Medtronic nor the FDA has received any report related to the cybersecurity vulnerability. The FDA is working with Medtronic to identify, communicate and prevent adverse events related to the cybersecurity vulnerability.
Anyone with questions about the cybersecurity risk can contact Medtronic at 1-800-646-4633, option 1.
Perspective
Back to Top
Around the time of the discovery of insulin in 1922, the London Times newspaper described this new lifesaving treatment as a “force of magical activity.” A century later however, the risk of severe hypoglycemia — the so-called dark side of insulin — continues to be a concern despite advances in insulin formulations and delivery systems. Calculating a safe and effective dose of insulin is an arithmetical problem but is compounded by the multiple outside influences on achieved glucose levels, some of which are bewildering.
Recently, yet another factor has been suggested for an insulin pump user to think about — the potential for an unauthorized third party to hack into the pump causing the device to over- or under-infuse insulin.
Hacking an insulin pump was first shown to be possible by an expert hacker with type 1 diabetes in 2011. Apparently, the hack was possible based simply on knowing the serial number of the pump. Since then, the FDA’s Manufacturer and User Facility Device Experience database of adverse events has continued to receive reports of malfunctioning of insulin pumps, but thus far none have been due to a third-party hack. Previously, a case report described an insulin pump being used in a homicide, but in that case, the perpetrator used drugs (etomidate and atracurium) other than insulin.
The current cybersecurity vulnerability relates to the Medtronic MiniMed 600 insulin pump series, and the manufacturers have provided corrective actions. These all appear to be straightforward, although the advice to “conduct any connection linking of devices in a non-public place” may not always be practical.
Living with insulin treated is hard enough, and hacking pumps is hopefully more of a theoretical than real-world problem. Sadly, in today’s technophilic world, the risk is not, however, zero.
Read more about
Click Here to Manage Email Alerts