FDA Warns Hackers Could Hijack Medtronic MiniMed Insulin Pumps And Alter Doses

The Food and Drug Administration (FDA) is urging thousands of people with diabetes to stop using certain Medtronic MiniMed insulin pumps over fears they are vulnerable to a cybersecurity attack.

The FDA warned that an unauthorized person might be able to wirelessly connect to the devices, including Medtronic's MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps, and change the pump's settings to alter the doses given to the patient.

Insulin pumps are small computerized devices that deliver insulin to a patient using a catheter placed under the skin in order to maintain acceptable blood glucose levels throughout the day. The pumps are often used instead of frequent injections.

The FDA warned that if someone hacked into the device wirelessly, they could manually change the settings to deliver too much insulin, resulting in low blood sugar (hypoglycemia), or even stop insulin delivery entirely, leading to high blood sugar and potentially fatal diabetic ketoacidosis.

Medtronic said around 4,000 patients in the U.S. are potentially using the vulnerable insulin pumps, which are now being recalled.

"The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them," Dr. Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science and Strategic Partnerships in the FDA's Center for Devices and Radiological Health, said in a statement.

"While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant."

The FDA has also published a list of recommendations on its website for those waiting for a replacement pump to arrive, to minimize the risk of a cybersecurity attack. They include keeping your insulin pump and the devices that are connected to it under your control, not sharing your pump serial number, and only connecting your Medtronic insulin pump to other Medtronic devices and software.

"The safety communication issued today contains recommendations for what actions patients and health care providers should take to avoid the risk this vulnerability could pose," Schwartz added. "Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, at the same time it's important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery."

List of Medtronic MiniMed pumps being recalled

Pump Model                              Software Version
MiniMed™ 508                            All versions
MiniMed™ Paradigm™ 511                  All versions
MiniMed™ Paradigm™ 512/712              All versions
MiniMed™ Paradigm™ 515/715              All versions
MiniMed™ Paradigm™ 522/722              All versions
MiniMed™ Paradigm™ 522K/722K            All versions
MiniMed™ Paradigm™ 523/723              Version 2.4A or lower
MiniMed™ Paradigm™ 523K/723K            Version 2.4A or lower
MiniMed™ Paradigm™ 712E*                All versions
MiniMed™ Paradigm™ Veo 554CM/754CM*     Version 2.7A or lower
MiniMed™ Paradigm™ Veo 554/754*         Version 2.6A or lower

Diabetes patient Dana Lewis (L) of Huntsville, Alabama, wears an insulin pump which constantly injects insulin into her body to help control blood sugar. The FDA said MiniMed insulin pumps are being recalled because of potential cybersecurity risks. Alex Wong/Getty