The risk could allow unauthorized users to change insulin levels.
The US Food and Drug Administration has issued an alert to users related to a potential cybersecurity risk for Medtronic MiniMed 600 Series Insulin Pump Systems.
Announced on September 20, the FDA’s alert, which pertains to multiple systems including the MiniMed 630 G and MiniMed 670G, points out the agency had not been made aware of any reports related to this cybersecurity vulnerability. The FDA’s alert also noted Medtronic has issued an Urgent Medical Device Correction on their own website notifying users as well as providing recommended actions.
“There is a potential issue associated with the communication protocol for the pump system that could allow unauthorized access to the pump system. If unauthorized access occurs, the pump’s communication protocol could be compromised, which may cause the pump to deliver too much or too little insulin,” noted the FDA’s September 20 Cybersecurity alert.
On their website, Medtronic provides the Urgent Medical Device Correction, a list of model numbers impacted by the issue, and a multitude of frequently asked questions for device users. Within these resources, Medtronic notes the issue was identified through an internal review and, while the event meets the definition of a recall, users are not required to return their devices.
In a letter to users, which was signed by Chirag Tilara, vice president of Quality at Medtronic Diabetes, and Robert Vigersky, MD, chief medical officer at Medtronic Diabetes, the pair recommended all patients turn off the “Remote Bolus” feature on their pump if it is turned on, which is on by default. The letter also urged users to conduct any connection linking of devices in a nonpublic setting. Additional recommended precautions from Medtronic included keeping pump and connected system components within user control at all times, be attentive to pump notifications, alarms, and alerts, and immediately cancel any boluses you or your care partner did not initiate.
“Medtronic has recently identified a potential issue through internal testing whereby, under specific circumstances, the communication between the components of the pump system could be compromised through unauthorized access,” reads the letter. “For unauthorized access to occur, a nearby person other than you or your care partner would need to gain access to your pump at the same time that the pump is being paired with other system components. This cannot be done over the internet.”
In the aforementioned release, the FDA noted they are working with Medtronic to identify, communicate, and prevent adverse events related to this incident. The FDA urged those with questions to reach out to Medtronic at 1-800-646-4633, option 1.