Health officials warn of hacking risk in certain insulin pumps
Medtronic Canada says it has notified all customers in Canada who might be affected
Health officials are warning against the use of certain wireless insulin pumps because of a risk they could be hacked.
A cybersecurity issue has been identified in the MiniMed 508 and MiniMed Paradigm series of insulin pumps made by Medtronic.
A spokesperson for Medtronic Canada declined to say how many customers were affected but said the company has notified anyone who purchased the pumps in the past and may not have already upgraded.
The notification follows a warning from the U.S. Food and Drug Administration on Thursday that those models of pumps were being recalled due to the cybersecurity risk.
Medtronic said it has notified around 4,000 patients in the U.S. who could potentially be using an insulin pump affected by this issue.
The U.S. drug regulator said it was not aware of any confirmed reports of patient harm related to the potential cybersecurity risks but said it was "concerned" that someone other than the patient, a caregiver or health care provider could potentially connect wirelessly to a MiniMed insulin pump and change its settings.
That could allow a hacker to control the amount of insulin delivered to a patient, possibly leading to negative and potentially life-threatening health consequences: too much insulin can lead to hypoglycemia, and too little insulin could cause ketoacidosis (a buildup of acids in the blood).
"The risk of patient harm if such a vulnerability were left unaddressed is significant," the FDA said.
A wireless pump allows a patient to send their glucose readings directly to the pump because it communicate wirelessly with the glucose meter. A patient can also upload their data so they can track it and share it with their doctors.
While health professionals have warned that wireless medical devices — like all devices that connect to the internet — could possibly be hacked, it's largely a theoretical risk so far.
Roxane Bélanger of Medtronic Canada said the devices date from 2015 and earlier, and the company is unable to upgrade the software to improve the wireless security.
The company recommends patients talk to their health care providers about switching to a newer model with better cybersecurity. In the meantime, they should follow the precautions outlined in the letter sent to customers.
Health Canada posted an advisory on its website about the Medtronic insulin pumps on Saturday.
The agency said it is not aware of any reports of patient harm related to this issue, and considers it to be "low in probability and risk."
It said the settings could only be altered by an unauthorized person if they know the serial number of the specific pump, can connect wirelessly nearby and have the necessary technical skills and the correct radio frequency equipment.
Health Canada also provided instructions for patients to check the model number and software version of their devices.
Cybersecurity vulnerabilities were found in some of Medtronic's implantable defibrillators earlier this year. The FDA sent out a "safety communication" in March but did not recall any devices.