Update – 6/28/2019 – This post was updated to include Medtronic’s response to DiabetesMine about the timing of the announcement.
Medtronic has issued a sweeping recall of many older brands of Medtronic MiniMed pumps after an FDA warning that the pumps carry a significant cybersecurity risk that hackers could exploit to disrupt the delivery of insulin. According to an FDA notice, Medtronic is offering alternative pumps to those who turn in the pumps affected by the recall.
Here are the models and software versions of the models affected by the recall:
The following Medtronic pump models HAVE NOT been affected by the recall:
According to the FDA, there is the potential for an unauthorized individual to connect wirelessly to these pumps and remotely change the pump settings. Medtronic is unable to update these older pump models and software versions to fix the cybersecurity flaws.
At the time the recall notice was issued, Medtronic had “received no confirmed reports of unauthorized persons changing settings or controlling insulin delivery.” If a pump user believes they have experienced a problem with their pump, they are encouraged to report it to the government through the MedWatch Voluntary Reporting Form.
To minimize the cybersecurity risk, the FDA advises users of the above pumps to do the following until the pumps can be exchanged:
- Keep your insulin pump and the devices that are connected to your pump within your control at all times whenever possible.
- Do not share your pump serial number.
- Be attentive to pump notifications, alarms, and alerts.
- Monitor your blood glucose levels closely and act appropriately.
- Immediately cancel any unintended boluses.
- Connect your Medtronic insulin pump to other Medtronic devices and software only.
- Disconnect the USB device from your computer when you are not using it to download data from your pump.
Medtronic provided details about the criteria to exchange the pump models affected by the recall:
- The offer to exchange these pump models for other Medtronic pumps is good until December 31st, 2019.
- You must currently be using the affected device, and have proof that you have ordered supplies related to an affected pump in the last six months.
- A valid prescription will be required to receive the new insulin pump.
- Insurance must provide coverage for the new pump and supplies.
Many of the affected pump models have been sought after by people who want to create DIY artificial pancreas systems, particularly because of these vulnerabilities. As a result, the recall may be seen by those in the DIY communities as an attempt by federal health officials to crack down on this practice. Recently, the FDA issued a warning against the use of such DIY systems after a report of an adverse medical outcome with someone using a homemade pump-and-CGM closed loop system, but the initial notice did not indicate which model of insulin pump was involved.
Cybersecurity experts have long warned that the radio signal of some insulin pumps could be hacked remotely, which could lead to disruption of insulin delivery. In 2016, for example, Johnson & Johnson warned customers that one of its insulin pump models, the Animas OneTouch Ping, was vulnerable to hacking. It is unclear why the FDA chose to take action on this well-known vulnerability with these Medtronic pumps now.
On the day of the announcement, DiabetesMine contacted Medtronic to ask about the announcement’s timing. Medtronic responded that it has been working with cybersecurity experts since 2011, when the security flaw with the pump lines was first discovered, and that with “the growing amount of attention to cybersecurity in the medical device industry today, we felt that it was important for our customers to understand the issues and risks in greater detail.”
(You can see the complete response from Medtronic on DiabetesMine’s Facebook page.)
According to the FDA statement, if you have questions about replacing your pump, call Medtronic at 1-866-222-2584 or go to Medtronic’s website. You can also get additional information by contacting the FDA’s Division of Industry and Consumer Education (DICE) at DICE@FDA.HHS.GOV, 1-800-638-2041, or 301-796-7100.
To read the complete FDA notice, click here.
To read Medtronic’s cybersecurity statement, click here.
To read Medtronic’s safety notification on the recall, click here.