Medtronic Insulin Pump Recall Announced After Hacking Risk Discovery

Published on July 1, 2019 by Sandy Liebhard

Medtronic, Inc. is recalling thousands of MiniMed Insulin Pumps, warning that the device’s software could be vulnerable to hackers.

“Security researchers have identified potential cybersecurity vulnerabilities related to these insulin pumps. An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery,” the company said.“This could lead to hypoglycemia (if additional insulin is delivered) or hyperglycemia and diabetic ketoacidosis (if not enough insulin is delivered).”

Devices Affected by Medtronic Insulin Pump Recall

The Medtronic insulin pump recall includes the following products, with the affected software versions noted in parenthesis:

• MiniMed 508 (All versions)
• MiniMed Paradigm 511 (All versions)
• MiniMed Paradigm 512/712 (All versions)
• MiniMed Paradigm 515/715 (All versions)
• MiniMed Paradigm 522/722 (All versions)
• MiniMed Paradigm 522K/722K (All versions)
• MiniMed Paradigm 523/723 (Version 2.4A or lower)
• MiniMed Paradigm 523K/723K (Version 2.4A or lower)
• MiniMed Paradigm 712E  (All versions)
• MiniMed Paradigm Veo 554CM/754CM  (Version 2.7A or lower)
• MiniMed Paradigm Veo 554/754 (Version 2.6A or lower)

All of the above MiniMed insulin pumps use a wireless radio frequency to communicate with other medical devices, including blood glucose meters, glucose sensor transmitters, and CareLink USB devices.

What to Do After Medtronic Insulin Pump Recall

So far, there have been no confirmed reports of hackers actually changing the settings or insulin delivery. Nevertheless, Medtronic is urging patients to discuss replacing the affected Minimed insulin pumps with updated models that have added cybersecurity protections.

In the meantime, the following precautions will minimize the potential for hacking:

• Keep the insulin pump and any connected devices within your control at all times.
• Do not share the pump serial number.
• Be attentive to pump notifications, alarms, and alerts.
• Immediately cancel any unintended boluses.
• Monitor blood glucose levels closely and act as appropriate.
• Do not connect to any third-party devices or use any software not authorized by Medtronic
• Disconnect the CareLink USB device from your computer when it is not being used to download data from the insulin pump
• Get medical help right away if you experience symptoms of severe hypoglycemia or diabetic ketoacidosis, or suspect that your insulin pump settings, or insulin delivery changed unexpectedly.

Other Medical Devices May be Vulnerable to Hackers

The Medtronic insulin pump recall isn’t the first prompted by cybersecurity vulnerabilities.  Less than two years ago, in fact, similar issues forced Abbott (formerly St. Jude) to recall 465,000 implantable pacemakers for a software update.

Unfortunately, while hacking dangers extens well beyond insulin pumps and pacemakers, medical device manufacturers are still playing catch-up on cybersecurity.

“Any device can be hacked and that’s often not understood,” Suzanne Schwartz, M.D., who oversees medical device cybersecurity for the U.S. Food & Drug Administration (FDA), recently told CBS News.

“It’s a culture shift,” she continued. “So, the actions and the activities that we’re seeing manufacturers take are very encouraging, they’re very promising, but we still have a ways to go.”