Medtronic recalls DIY-favored insulin pumps, citing cybersecurity risks

Medtronic is recalling older, discontinued versions of its MiniMed insulin pump over potential cybersecurity risks, saying they may be vulnerable to unwanted, remote settings changes.

The recall was issued alongside an FDA safety notice to users and providers, warning them that a person nearby could wirelessly cause the device to overdose a patient with insulin, leading to dangerously low blood sugar, or halt delivery of the drug altogether to trigger diabetic ketoacidosis.

The FDA identified cybersecurity holes in the pumps’ wireless protocols, which enable them to communicate with other devices such as blood glucose meters, continuous monitoring systems and remote controls—however, those gaps are also what make the devices attractive to an “underground” market of do-it-yourselfers, who have been working to treat their diabetes with homegrown systems.

The affected models—including Medtronic’s Paradigm family of insulin pumps as well as the MiniMed 508, according to the Department of Homeland Security’s cybersecurity authority—are some of the devices that can be reprogrammed by users into their own version of an artificial pancreas, one that delivers insulin automatically in response to changing blood sugar levels.

An article earlier this year in The Atlantic detailed how people have been exploiting these security flaws in older insulin pumps, found at a much lower price on Craigslist, Facebook and eBay, to connect them interchangeably with their own CGMs and drug delivery systems.

More recently, the FDA warned the public against altering and using such modified devices, describing them as illegally marketed. The agency listed safety concerns over misprogrammed insulin levels, and cited an overdose report that resulted in a patient requiring medical attention.

“The FDA is aware that patients may choose to create these systems or purchase unauthorized or unapproved components or systems because of personal preference or for cost reasons,” the agency said in a statement at the time.

“The FDA recommends that patients talk with their doctor about appropriate diabetes management devices for their needs and to only use devices and components that have been reviewed by the agency for safety and effectiveness,” the agency said. “Patients who are concerned about the cost or availability of FDA-reviewed systems should talk with their doctor and insurance provider about coverage and appropriate alternative options.”

In its safety notice this week, the FDA said Medtronic is unable to adequately update the devices with any software or patch, and the agency “recommends that patients using these models switch their insulin pump to models that are better equipped to protect against these potential risks.”

The agency also said it is not aware of any reports of patient harm related to the vulnerability, and that Medtronic is providing alternative insulin pumps to patients.

“Medtronic is recommending customers speak with their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection, like the MiniMed™ 670G insulin pump,” the medtech giant said in an FAQ on its website. “To help with this, we are offering a program for eligible people to upgrade to a newer insulin pump model or obtain a lower cost product exchange.”
