- "MiniMed 508" Medtronic insulin pumps have cybersecurity problems that can't be updated or patched, and the company is recalling them as a result, the Food and Drug Administration said Thursday.
- It's a rare example of a medical device recall over a cybersecurity issue, although security professionals and the FDA have raised numerous concerns over the vulnerability of these devices for years.
- The insulin pumps subject to the recall connect wirelessly to other insulin equpiment, including glucose meters, a monitoring system and controls that pump insulin.
Medtronic is recalling some models of insulin pumps that are open to hacks, and the Food and Drug Administration warned consumers on Thursday that they cannot be patched to fix the holes.
It's a rare example of a medical device recall over a cybersecurity issue, although security professionals and the FDA have raised numerous concerns over the vulnerability of these devices for years.
The insulin pumps subject to the recall connect wirelessly to other insulin equipment, including glucose meters, a monitoring system and controls that pump insulin.
"The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump's settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar ... or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis," the FDA notice says.
The MiniMed 508 pumps can't be updated to address security flaws in the device's firmware, according to the notice. The company is offering alternatives with "enhanced built-in security capabilities."
In a letter to patients, Medtronic urged customers to speak with their healthcare providers about whether to change the pump. For those continuing to use it, the company recommends they keep insulin pump and devices connected to it "within your control at all times" and advises customers not to share the pump's serial number, among other recommendations.
Medtronic has identified around 4,000 patients using the insulin pumps today, and is "working with distributor partners to identify additional patients potentially using the pumps."
A Medtronic spokesperson said Thursday evening the announcement was a "safety notice," and noted: "in the medical device industry, the term 'recall' is used generally to cover a range of actions including, for example, customer or patient communications with additional instructions for use of the product."
The spokesperson also said the company and FDA are not aware of any confirmed reports of a cyberattack on the pumps.
Medtronic's stock was steady Thursday.