The Food and Drug Administration is warning insulin pump users about potential cybersecurity and hacking risks involved with some devices.
“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant,” Suzanne Schwartz, an FDA official specializing in cybersecurity for medical devices, said in a statement.
According to the FDA, an individual “could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.” This could spur dire health concerns. Hypoglycemia could occur if too much insulin is delivered. It could also cause too little insulin to be delivered, and a diabetes patient could suffer from hyperglycemia and diabetic ketoacidosis.
Insulin pumps offer a convenient way to maintain blood glucose levels, compared with repeated insulin injections. According to the FDA, the MiniMed 508 and the MiniMed Paradigm wirelessly connect to multiple monitoring devices.
The devices cannot be updated, so “Medtronic is providing alternative insulin pumps to patients with enhanced built-in cybersecurity capabilities,” the FDA statement said.
Pamela Reese, a communication director at Medtronic, said that the devices listed in the FDA safety notification “were first brought to market in 2012 or earlier” and that most Medtronic costumers are not currently using them. Reese added that the safety notice does not require that patients return the devices.
The FDA is encouraging patients who might be at risk — at least 4,000 people — to talk to their medical providers about requesting newer insulin pumps that do not pose the same risks.
As patients await new devices, Medtronic and the FDA are asking that users take specific precautions, including paying close attention to blood glucose levels and having control of insulin pumps and connected devices at all times.