In my 25 years in the data privacy and cybersecurity profession, this is the first time that I believe a medical device has been recalled because of a cybersecurity risk. This week, Medtronic recalled its 508 Insulin pumps because of cybersecurity vulnerabilities.
The FDA urged the recall, saying in a notice: “The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar… or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis,” the FBI notice says.
Medtronic has identified 4,000 patients who use the pump, and is in the process of working with distributors to identify others. The pump is connected to other insulin equipment, including glucose monitoring systems. Medtronic has issued a letter to patients advising them to discuss the recall and options with their health care provider.
According to the notice, the MiniMed 508 pumps can’t be updated to address security flaws in the device’s firmware, which is a remedy we have seen with other medical device vulnerabilities, which could be addressed remotely. The company is offering alternatives with “enhanced built-in security capabilities.” Unfortunately, it looks like these alternatives are not remote fixes as they were in the past.
If you have a Medtronic 508 MiniMed insulin pump, reach out to your health care provider to address the cybersecurity vulnerability identified by Medtronic and the FDA.