HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers.

MiniMed insulin pumps deliver insulin for the management of diabetes and are supplied with an optional remote controller that communicates wirelessly with the pump. A security researcher has identified a cybersecurity vulnerability in older remote controller models, which use previous-generation technology, that could potentially be exploited to cause harm to users of the pumps.

The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels, and stopping insulin delivery could result in diabetic ketoacidosis and even death.

Medtronic MiniMed 508 insulin pumps and the MiniMed Paradigm family of insulin pumps were already the subject of a product recall. Cybersecurity vulnerabilities had previously been identified in the pumps that could not be adequately mitigated through updates or patches.

The latest security issue has seen Medtronic expand the product recall to include all MiniMed Remote Controllers (models MMT-500 and MMT-503), which are used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps.

Medtronic has not been manufacturing or distributing the affected remote controllers since July 2018, but the devices are still used by certain patients, healthcare providers, and caregivers.

This is a Class 1 product recall – the most serious category – as the issues with the remote controllers could result in serious injury or death. The FDA says there have been no reported cases of the vulnerabilities in the devices being exploited to cause harm to patients.

The FDA says users should immediately stop using the affected remote controller, turn off the easy bolus feature, turn off the radio frequency function, delete all remote controller IDs programmed into the pump, disconnect the remote controller from the insulin pump, and return the remote controller to Medtronic.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.