When the FDA issued a warning in late June about the potential cybersecurity risk of older Medtronic MiniMed pumps, and Medtronic at the same time initiated a trade-in program for these pumps, more than a few in the type 1 diabetes community questioned the timing of the moves. These cybervulnerabilities had been known for years, they argued, so why was it suddenly necessary to initiate the warning and trade-in program for obsolete pumps?
A new Wired article suggests that the move might have been made in response to a meeting between the FDA and a team of hackers in which the hackers discussed how they could hack into the devices.
According to the report, the FDA met with two white hat hackers from QED Security Solutions, a cybersecurity firm, in mid-June. At that meeting, the hackers showed a proof-of-concept app they had created that could hijack the remote radio signal of the older pumps. The app could be used to remotely change the insulin delivery rates of these older Medtronic pumps, or interrupt insulin delivery altogether, without a pump user necessarily knowing it.
A week after the FDA met with the app makers, Medtronic initiated the trade-in program.
However, neither Medtronic nor the FDA has officially made a direct connection between the mid-June meeting and the late-June voluntary recall. An FDA official, Suzanne Schwartz, the deputy director and acting office director of the FDA’s Office of Strategic Partnerships & Technology Innovation, suggested that one of the reasons this move took some time in coming was that it was necessary to coordinate with regulatory agencies around the world before initiating it.
Schwartz also stated that the recall was voluntary partly because regulators were aware that many people were utilizing the cybervulnerability to create their own closed-loop insulin pumps with the older Medtronic pumps. The FDA did not want to outlaw devices that people were actively using in this way, she said in the report.