Medtronic recalls insulin pumps vulnerable to hacking

After an FDA warning, Medtronic has recalled two of its MiniMed insulin pump products that could be wirelessly interfered with by hackers.

Medtronic thinks there’s no evidence that anyone using the pumps has been affected in this way, but says it has decided to recall the MiniMed 508 and MiniMed Paradigm series as a precaution and allow patients to switch to models with greater cybersecurity.

The vulnerability in the recalled pumps lies in the wireless communication between them and other devices such as glucose monitors and remote controllers, according to the FDA. Around 4,000 people in the US are thought to use the affected pumps.

The agency says it is “concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.”

That means someone with malicious intent could feasibly direct the pump to over-deliver insulin, potentially causing dangerously low blood sugar levels, or stop delivery entirely, to cause a spike in blood sugar and diabetic ketoacidosis. Both of those actions could be life-threatening.

It's not the first time that the FDA has taken action over a cybersecurity risk for a medical device. In fact, Medtronic was warned in March this year that hundreds of thousands of its implantable cardiac defibrillators (ICDs) were vulnerable to hacking. An earlier incident involved the company’s Medfusion 4000 drug infusion pumps.

It’s a widespread problem, however. In 2017, the FDA warned that implantable cardiac pacemakers sold by Abbott Laboratories also had a security flaw that could allow someone to take control of them remotely, making the batteries go flat or forcing the devices to run at dangerous speeds.

Abbott subsequently developed a software patch that could be uploaded to the device in the physician’s office, but the FDA says Medtronic “is unable to adequately update the MiniMed 508 and Paradigm insulin pumps with any software or patch to address the devices’ vulnerabilities.”

The FDA is paying much closer attention to medical device security now, as studies suggest that there are typically a dozen or more connected devices attached to any hospital bed in the US. That connectivity can provide invaluable data to help guide patient care, but also introduces a major security risk.

Medical device hacking has already found its way into popular culture, with the TV show Homeland running an episode in 2012 that involved a hacked pacemaker used to kill the fictional vice president. It later emerged that former VP Dick Cheney had the wireless capabilities of his pacemaker turned off to guard against assassination via this route.

The low risk of being hacked is generally far outweighed by the benefits of remote monitoring and control, but medical device developers need to make sure their products keep up in the cybersecurity arms race.

“The FDA urges manufacturers everywhere to remain vigilant about their medical products – to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them,” said the agency in its latest alert.