Medtronic is recalling 11 versions of its MiniMed insulin pumps amid fears of cybersecurity risks.
The U.S. Food and Drug Administration has said that patients with diabetes using the models should switch their insulin pump to models that are better equipped to protect them against potential risks.
The models that have been recalled are listed on the FDA website.
The regulator has also issued guidance for diabetes patients and caregivers who may be affected by the recalls and are waiting for replacement pumps.
It said:
- Keep your insulin pump and the devices that are connected to your pump within your control at all times whenever possible.
- Do not share your pump serial number.
- Be attentive to pump notifications, alarms, and alerts.
- Monitor your blood glucose levels closely and act appropriately.
- Immediately cancel any unintended boluses.
- Connect your Medtronic insulin pump to other Medtronic devices and software only.
- Disconnect the USB device from your computer when you are not using it to download data from your pump.
One of the risks that the FDA has noted is that an unauthorised person could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities. This person could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar, or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.
Medtronic has said it has received no confirmed reports of unauthorised persons changing settings or controlling insulin delivery.
Leon Lerman, CEO and co-founder of Cynerio – an expert in cybersecurity which is doing a full analysis on the plausibility of the attack – said: “As hospitals become increasingly connected, their network-security professionals should keep track of different attack surfaces in their network bounds which today include internet-communicating machines, internal ethernet networks and lately also wifi-connected medical devices.
“Given attackers only need one opening to get in, defenders should deploy solutions that facilitate full control over the whole network. Hospitals also need to make sure they have an up-to-date inventory of all the connected devices and models they have on their network, so, for example, when the FDA issues a recall for Medtronic's MiniMed 508 insulin pump, hospitals need to ensure they can identify the specific models swiftly before patient safety is compromised.”