Medtronic is pulling certain insulin pumps off the market because of cybersecurity vulnerabilities that could allow third parties to change settings, with thousands of patients potentially affected, the U.S. Food and Drug Administration said.
"An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery", Medtronic said.
Medtronic on Thursday reported a cybersecurity flaw in its older-model insulin pumps.
The worst-case scenario is that an attacker orders the device to either deliver additional insulin or stop administering the drug, causing the patient to suffer from low or high blood sugar, respectively.
But she added that "out of an abundance of caution, it is clearly better for the FDA to take a proactive approach and recall Medtronic's more vulnerable pumps".
A patient letter on Medtronic's website details how to identify an insulin pump's software. About 4,000 patients use the older-model pumps.
Check the FDA statement for the list of affected products.
The agency said it is not aware of any reports of patient harm related to this issue, and considers it to be "low in probability and risk". "Patients outside the USA will receive a notification letter with instructions based on the country where they live", ICS-CERT noted.
In its alert, DHS notes: "The affected insulin pumps are created to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices".
Security researchers Billy Rios, Jonathan Butts, and Jesse Young found that the wireless radio communication between a vulnerable MiniMed pump and its CareLink controller device was insecure.
It's a rare example of a medical device recall over a cybersecurity issue, although security professionals and the FDA have raised numerous concerns over the vulnerability of these devices for years. In the advisory, the department said the devices don't "properly implement authentication or authorization".
Insulin pumps are small computerized devices that can deliver insulin therapy to diabetes patients in continuous doses or as a surge around mealtime to help them control blood glucose levels.
Disconnect the USB device from their computers when they are not using it to download data from their pump.
Monitor their blood glucose levels closely and act appropriately.