FDA Issues Recall For Medtronic mHealth Devices Over Hacking Concerns

Thousands of people living with diabetes who use mHealth devices to manage their health are in danger of having those devices hacked, according to federal officials.

The US Food and Drug Administration this week issued a recall for two insulin pumps manufactured by Medtronic, saying the digital health tools could be remotely accessed by someone other than a user or caregiver and programmed to deliver unsafe doses of insulin.

“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant,” Suzanne Schwartz, MD, MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation and acting division director for All Hazards Response, Science and Strategic Partnerships in the FDA’s Center for Devices and Radiological Health, said in a press release. “Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users.”

“However, at the same time it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery,” she added.

The concern extends to a wide range of mobile health and telehealth technology, from implanted pacemakers and wireless devices for diabetes care management to mHealth apps, digital personal assistants and even technology within the hospital. Officials worry that hackers could access these platforms and reprogram them, causing potentially fatal outcomes.

While no such case has been reported, the concept caught the public’s attention in 2012, when an episode of the Showtime TV series Homeland featured a story line where the fictional vice president’s pacemaker was hacked by terrorists. The FDA issued its first warning the following year, and in 2014 the Department of Homeland Security admitted that it was investigating potential vulnerabilities in about two dozen devices, while the FDA issued new guidance for device developers outlining what security features they should include before applying to the FDA for approval.

Two years ago, the FDA urged anyone with pacemakers developed by Abbott (formerly St. Jude Medical) to consult their healthcare providers about a software update. The agency said about 465,000 radio frequency-enabled Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure devices were in danger of being hacked.

In this latest alert, the FDA warned anyone using Medtronic’s MiniMed 508 and Paradigm Series insulin pumps – roughly 4,000 people, according to the agency – that those devices could be programmed to deliver too much or too little insulin, a potentially fatal occurrence for those living with diabetes.

“The potential risks are related to the wireless communication between Medtronic's MiniMed insulin pumps and other devices such as blood glucose meters, continuous glucose monitoring systems, the remote controller and CareLink USB device used with these pumps,” the agency reported in its press release. “The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.”

Originally published in mHealth Intelligence by Eric Wicklund on June 28, 2019