Certain Medtronic Insulin Pumps Pose Healthcare Cybersecurity Risks, FDA Says

September 23, 2022 - The US Food and Drug Administration (FDA) warned the sector of healthcare cybersecurity risks associated with the Medtronic MiniMed 600 Series Insulin Pump System that could jeopardize patient safety in the unlikely event of exploitation. The FDA and Medtronic are working together on mitigating these risks, and Medtronic issued an Urgent Medical Device Correction.

“There is a potential issue associated with the communication protocol for the pump system that could allow unauthorized access to the pump system,” the FDA stated.

“If unauthorized access occurs, the pump’s communication protocol could be compromised, which may cause the pump to deliver too much or too little insulin.”

It is important to note that the FDA has not received any reports related to this specific vulnerability, and the vulnerability cannot be exploited over the internet. Medtronic noted that successful, unauthorized access would be unlikely.

“The MiniMed 600 series pump system has components that communicate wirelessly (such as the insulin pump, continuous glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device),” the FDA continued.

“For unauthorized access to occur, a nearby unauthorized person (person other than you or your care partner) would need to gain access to your pump while the pump is being paired with other system components.”

Even so, Medtronic and the FDA recommended that users take immediate action to mitigate risk. Specifically, Medtronic urged MiniMed 600 Series users to turn off the “remote bolus” feature on their pumps if it is turned on. The feature is on by default, so users should take this action even if they have never used the feature. Medtronic also urged users to conduct any connection linking of devices in a non-public place.

For additional security, Medtronic recommended that users and caregivers remain attentive to pump notifications and alerts, keep the pump and connected system components within their control always, and immediately cancel any boluses that they did not initiate themselves.

Additionally, Medtronic recommended that users do not use any software that has not been authorized by Medtronic, do not connect to third-party devices, and get medical help if experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis.

“The best step you can take now to eliminate your individual risk of unintended delivery of insulin is to permanently turn off the Remote Bolus feature on your pump,” Medtronic reiterated. 

“We will continue to actively monitor the situation and are committed to sharing relevant information or actions with you in the future.”