INDIANAPOLIS — Users of one insulin pump system are being urged to take precautions after the discovery of a cybersecurity risk that could endanger them.
On Tuesday, the FDA alerted medical device users about the risk for the Medtronic MiniMed 600 Series Insulin Pump System. The risk could compromise the pump’s communication protocol, leading the pump to deliver too much or too little insulin.
Medtronic says too much insulin could result in hypoglycemia, potentially leading to seizure, coma or death. Too little insulin could result in hyperglycemia, potentially leading to diabetic ketoacidosis.
The potential issue is associated with the communication protocol for the pump system. The MiniMed 600 series pump system has components that communicate wirelessly. This includes the insulin pump, continuous glucose monitoring transmitter, blood glucose meter and CareLink USB device.
The FDA says a nearby unauthorized person could get physical access to the pump while it is being paired with other system components. Medtronic says because the pumps do not connect to the internet, there is a low likelihood of the issue actually occurring.
So far, Medtronic has no evidence that this has happened. Still, they are recommending that patients take the following actions and precautions.
What should Medtronic patients do now?
- Turn off the “Remote Bolus” feature on your pump if it is turned on.
- The “Remote Bolus” capability is on by default, so you should take this action even if you have never used this feature. For help on how to turn off Remote Bolus, visit Medtronic’s website.
- Conduct any connection linking of devices in a non-public place.
What can Medtronic patients do to prevent the issue?
- Keep your pump and connected system components within your control at all times.
- Be attentive to pump notifications, alarms, and alerts.
- Immediately cancel any boluses you or your care partner did not initiate, monitor blood glucose levels closely and reach out to Medtronic 24-Hour Technical Support to report the bolus.
- NOTE: Turning off the Remote Bolus feature will ensure no Remote Bolus is possible.
- Disconnect the USB device from your computer when you’re not using it to download pump data.
- DO NOT confirm remote connection requests or any other remote action on the pump screen unless it is initiated by you or your care partner.
- DO NOT share your pump’s or devices’ serial numbers with anyone other than your healthcare provider, distributors, and Medtronic.
- DO NOT accept, calibrate, or bolus using a blood glucose reading you didn’t initiate.
- DO NOT connect to or allow any third-party devices to be connected to your pump.
- DO NOT use any software which has not been authorized by Medtronic as being safe for use with your pump.
Medtronic says people should get medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis. They should also reach out to Medtronic 24-Hour Technical Support if they suspect a pump setting or insulin delivery has changed unexpectedly, without their knowledge.
Anyone who experienced an adverse reaction or quality problem connected to the product should also report it to FDA’s MedWatch Adverse Event Reporting program.