Some Medtronic insulin pumps are vulnerable to hackers, FDA warns

One of the features Medtronic touts in its MiniMed 600 series insulin pumps is a series of components that connect wirelessly to allow the remote delivery of insulin. On Tuesday, regulators warned that the technology also leaves the door open to potential hackers.

The FDA issued an alert that unauthorized users could gain control of the pumps in certain circumstances, resulting in either too much or too little insulin being administered. While too much insulin leads to low blood sugar — which in severe cases can cause seizure, coma or death — too little may lead to diabetic ketoacidosis, a life-threatening condition where the body starts breaking down fat too fast.

Medtronic reassured patients that no cybersecurity issues have been reported yet, and a nearby person can only gain access at the exact time the pump is being paired with other components — not via the internet, according to a recent statement. Only 600 series pumps are impacted, including the MiniMed 630G and 670G pumps.

“Our internal testing has indicated there is a remote likelihood of this issue occurring as it would require physical proximity to the communication signal while the pump is being paired and advanced technical knowledge. This also cannot be done through the internet,” the company said in an email to Endpoints News. 

However, the company still recommended taking a few precautions, such as switching off the “remote bolus” feature, which is turned on by default, and only linking the devices in a private space. The company also cautioned against sharing a device’s serial numbers, and accepting, calibrating or administering insulin based on a blood glucose reading that wasn’t initiated by the patient.

This isn’t the first time Medtronic has run into cybersecurity problems. Back in 2018, the company acknowledged a “potential vulnerability” with its MiniMed Paradigm pumps that could allow hackers to copy the wireless radio frequency signals used by remote controllers and deliver extra insulin doses.

“Users should immediately stop using and disconnect the remote controller, disable the remote feature, and return the remote controller to Medtronic,” the company said of the older Paradigm and 508 models.

Charles Fracchia

Cybersecurity has been top of mind for companies across the pharma industry, as the number of cyberattacks in the bio space has skyrocketed amid the pandemic, Charles Fracchia, CEO and founder of BioBright, told Endpoints earlier this year. Experts have encouraged companies to maintain better “cyber hygiene,” including training employees and updating their tech.

Medtronic’s latest threat marks yet another tough blow for the company’s diabetes unit, which was slapped with an FDA warning letter back in December over its alleged failure to promptly recall faulty insulin pumps. The recall followed an increase in complaints about damaged retainer rings, which can lead to an insufficient amount of insulin being delivered.

CEO Geoff Martha said on the company’s recent quarterly call that he’s “making good progress on our warning letter commitments,” and is in active discussion with the FDA about its submission for its latest MiniMed 780G. In an attempt to boost sales for its smart insulin pen, the company recently enlisted former Disney actress Jennifer Stone to join its campaign.

delivery
device
devices
fda