Trouble follows device manufacturer Medtronic as the US Food and Drug Administration (FDA) has issued the most severe recall on an insulin pump that could be vulnerable to cybersecurity risks.
The threat lies in two models of a wireless remote controller that communicates with the MiniMed insulin pump to deliver controlled quantities of insulin. The software could potentially be hacked to change the dosing and timing of insulin delivery, possibly leading to hypoglycemia, diabetic ketoacidosis or even death.
This recall echoes one issued over the summer, when Medtronic first described vulnerabilities in MiniMed 508 and all models of the Paradigm series. According to an FDA safety communication, there were 4,000 pumps affected by these risks; so far, 1,117 devices have been recalled in the US.
Both Medtronic and the FDA urged customers to consult with their healthcare providers to switch to a model that cannot be exploited by unauthorized personnel.
While the FDA has not been notified of any patient harm resulting from this defect, the MiniMed line of insulin pumps has not had a perfect track record. Adverse events were reported in both January and September this year about device malfunctions (unrelated to cybersecurity) that left users unable to measure their glucose levels or caused their glucose levels to skyrocket. In July, a woman using the MiniMed Paradigm insulin pump died after the device “suspended insulin delivery” overnight. The report states that the user didn’t press any buttons and “no alarms went off since it was in suspend mode.”
Fears of cybersecurity risks plagued device manufacturers, hospital workers and patients in October when 11 vulnerabilities were discovered in one of the most widely used remote operating systems in the world.
Despite their risks, highly connected devices offer convenience, autonomy and flexibility for patients. Advanced insulin pumps can give patients the ability to track their blood glucose levels, deliver prescribed doses of insulin automatically and communicate this information to healthcare providers. Other device manufacturers are developing mobile apps, diagnostic tools and next-generation drug delivery systems.
As more manufacturers integrate cloud-based software into their devices, the FDA cautions them to be vigilant about potential cybersecurity risks.
In the safety communication, Dr. Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation, wrote, “the FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them.”