Medtronic recalls DIY-favored insulin pumps, citing cybersecurity risks

Medtronic is recalling older, discontinued versions of its MiniMed insulin pump over potential cybersecurity risks, saying they may be vulnerable to unwanted, remote settings changes.

The recall was issued alongside an FDA safety notice to users and providers, warning them that a person nearby could wirelessly cause the device to overdose a patient with insulin, leading to dangerously low blood sugar, or halt delivery of the drug altogether to trigger diabetic ketoacidosis.

The FDA identified cybersecurity weaknesses in the pumps’ wireless protocols, which let them communicate with other devices such as blood glucose meters, continuous glucose monitors and remote controls. The same weaknesses that allow an unauthorized nearby device to change the pump’s settings are also what make these models attractive to an “underground” market of do-it-yourselfers, who have been building homegrown systems to treat their diabetes.

The affected models—including Medtronic’s Paradigm family of insulin pumps as well as the MiniMed 508, according to the Department of Homeland Security’s cybersecurity authority—are some of the devices that can be reprogrammed by users into their own version of an artificial pancreas, one that delivers insulin automatically in response to changing blood sugar levels.

An article earlier this year in The Atlantic detailed how people have been exploiting these security flaws in older insulin pumps, bought secondhand at a much lower price on Craigslist, Facebook and eBay, to connect the pumps interchangeably with their own CGMs and drug delivery systems.

More recently, the FDA warned the public against altering and using such modified devices, describing them as illegally marketed. The agency listed safety concerns over misprogrammed insulin levels, and cited an overdose report that resulted in a patient requiring medical attention.

“The FDA is aware that patients may choose to create these systems or purchase unauthorized or unapproved components or systems because of personal preference or for cost reasons,” the agency said in a statement at the time.

“The FDA recommends that patients talk with their doctor about appropriate diabetes management devices for their needs and to only use devices and components that have been reviewed by the agency for safety and effectiveness,” the agency said. “Patients who are concerned about the cost or availability of FDA-reviewed systems should talk with their doctor and insurance provider about coverage and appropriate alternative options.”

In its safety notice this week, the FDA said Medtronic is unable to adequately update the devices with any software or patch, and the agency “recommends that patients using these models switch their insulin pump to models that are better equipped to protect against these potential risks.”

The agency also said it is not aware of any reports of patient harm related to the vulnerability, and that Medtronic is providing alternative insulin pumps to patients.

“Medtronic is recommending customers speak with their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection, like the MiniMed™ 670G insulin pump,” the medtech giant said in an FAQ on its website. “To help with this, we are offering a program for eligible people to upgrade to a newer insulin pump model or obtain a lower cost product exchange.”