Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

Share this article on:

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers.

MiniMed insulin pumps deliver insulin for the management of diabetes and the pumps are supplied with an optional remote controller device that communicates wirelessly with the insulin pump. A security researcher has identified a cybersecurity vulnerability in older models of remote controllers that use previous-generation technology that could potentially be exploited to cause harm to users of the pumps.

The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels and stopping insulin delivery could result in diabetic ketoacidosis and even death.

Medtronic MiniMed 508 insulin pumps and the MiniMed Paradigm family of insulin pumps were already the subject of a product recall. Cybersecurity vulnerabilities had previously been identified in the pumps that could not be adequately mitigated through updates or patches.

The latest security issue has seen Medtronic expand the product recall to include all MiniMed Remote Controllers (models MMT-500 and MMT-503), which are used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Medtronic has not been manufacturing or distributing the affected remote controllers since July 2018, but the devices are still used by certain patients, healthcare providers, and caregivers.

This is a Class 1 product recall – the most serious category – as the issues with the remote controllers could result in serious injury or death. The FDA says there have been no reported cases of the vulnerabilities in the devices being exploited to cause harm to patients.

The FDA says users should immediately stop using the affected remote controller, turn off the easy bolus feature, turn off the radio frequency function, delete all remote controller IDs programmed into the pump, disconnect the remote controller from the insulin pump, and return the remote controller to Medtronic.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On