If you follow product safety notices or the latest medical headlines, you may have heard that older Medtronic insulin pumps are being dubbed unsafe and vulnerable to cyber attacks.

Yep, the FDA and Medtronic have both issued field safety notifications about older pumps in the Revel and Paradigm series, devices that in some cases are from a decade up to nearly 20 years old now. Here is the FDA notice, and the patient letter from Medtronic itself.

The impacted devices include: the Minimed 508 (first launched in 1999), the Paradigm models (511, 512/712, 515/715, 522/722, and older versions of the 523/723), as well as the older Minimed Paradigm Veo versions sold outside the U.S.


No Reason for Panic

Before anyone gets all freaked out about insulin pump safety, let’s be clear that both FDA and Medtronic confirm there have been ZERO reports of any kind of tampering with these pumps. So despite the sensationalized headlines, a scary scenario in which some nefarious cyber-hacker reprograms someone’s pump to deliver too much insulin remains fodder for TV or movie plots. While something like that may theoretically be possible, the real risk is much more likely to be a faulty CGM sensor reading prompting the pump to deliver too much or too little insulin in these older models.

The official notice from the FDA is simply the agency doing its job of warning people about potential dangers that could exist. It’s another coordinated public disclosure, like the warning issued on Animas insulin pumps back in 2016, in which the manufacturer publicly acknowledges a vulnerability that could create risk rather than leaving it undisclosed.

More importantly, this isn’t a new development. The notion that Medtronic pumps are vulnerable has been public since 2011, when “white hat” hacker Jay Radcliffe showed that he could wirelessly manipulate an insulin pump, and mainstream media was all over it. Even two members of Congress at the time got caught up in the hype, and in the following years that and related cybersecurity issues have kept circulating as the FDA and the federal government crafted guidelines and protocols for cybersecurity issues in medical technology.


Not a Traditional Recall

Also, despite reporting in mainstream media, Medtronic confirms with us that this is not a traditional product recall. “This is a safety notification only. Impacted pumps are not required to be returned because of this notification,” says Pam Reese, Medtronic Diabetes’ Director of Global Communications and Corporate Marketing.

She tells us that people using these older pumps can still order supplies from Medtronic and from distributors.

What should you actually do if you have one of the impacted pumps?

“We recommend that you speak with your healthcare provider to discuss the cybersecurity issue and the steps you can take to protect yourself. In the meantime, specific instructions are to keep your insulin pump and the devices that are connected to your pump within your control at all times, and not to share your pump serial number with anyone,” Reese says.


Why Issue a Warning Now?

This is the big question on many minds in the patient community.

If Medtronic and FDA have been aware of this vulnerability for eight full years, and now all of these older generation Minimed insulin pumps are actually discontinued and off-the-market for new customers in the States, what prompted an alert at this moment in time?

Medtronic’s Reese says: “It’s been an ongoing conversation because cybersecurity protection is constantly evolving as technology continues to rapidly improve and connected devices need to keep up with this pace… We were made aware of this in late 2011, and we began to implement security upgrades to our pumps at that time. Since then, we have released newer pump models which communicate in completely different ways. With the growing amount of attention to cybersecurity in the medical device industry today, we felt that it was important for our customers to understand the issues and risks in greater detail.”

That may be, but what has also happened over the past few years is the birth and exponential growth of the #WeAreNotWaiting DIY diabetes technology movement; today thousands of people worldwide are creating their own homemade, closed loop systems. Many of those are being built based on these exact older models of Medtronic pumps that the company has suddenly decided to speak out about.

Medtronic says they’ve already identified 4,000 direct customers who may be using these older devices that are possibly at risk, and will be working with third-party distributors to identify others.

Suspicious minds can think of two possible reasons for a sudden warning now:

  • FDA is using this “potential risk” warning as a means of tamping down the growing use of DIY technology that isn’t regulated or approved for commercial sales.
  • And/or Medtronic is making a competitive chess move here, supporting a cybersecurity alert to frighten people off of using older, out-of-warranty devices and instead push customers to upgrade to its newer, “more secure” devices like the 630G and 670G Hybrid Closed Loop system.

Just weeks ago at our D-Data ExChange event on June 7, the big announcement was made that Medtronic would begin working with open-source non-profit Tidepool to create a new version of its insulin pump that will be interoperable with other products and with the future Tidepool Loop app being developed for the Apple Store. It’s possible Medtronic is hoping to lay the groundwork for DIYers to stick with Medtronic products, just not the older versions they no longer wish to be responsible for.


Not Targeting DIY Systems?

Don’t forget that in May 2019 the FDA issued a warning about DIY technology and systems that are “off-label,” even if they use FDA-cleared devices in the system components. But the agency says these two alerts are not related.

“This is a separate issue from the DIY technology warning,” explains Alison Hunt in the FDA’s Media Affairs Office. “The FDA was made aware of additional vulnerabilities associated with these pumps that, when considered with the ones disclosed in 2011, led us to issue this safety communication and Medtronic to issue this latest alert.”

She points out that this latest safety communication “specifically discusses the cybersecurity vulnerability where an unauthorized person could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.”
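The scenario Hunt describes is an unauthorized radio in range sending the pump commands it will act on, and the only mitigation the patient letter offers is to keep the pump under your control and not share its serial number. The toy model below is an added example written for this article, not Medtronic’s code or a description of its actual radio protocol; the message layout, the serial-number check, the pairing key and the 5 U/h ceiling are all assumptions. It contrasts a pump that applies any command addressed to its serial with one that also demands a MAC under a shared pairing key, a strictly increasing counter, and a plausibility bound on the requested rate, and shows why a serial number is a poor secret.

```python
# Added illustrative model for this article. It is NOT Medtronic's radio
# protocol: the message layout, the serial-number gate, the pairing key and the
# rate ceiling are assumptions chosen to contrast an identifier-gated command
# channel with an authenticated one.
import hashlib
import hmac
import json

MAX_BASAL_UNITS_PER_HOUR = 5.0  # assumed plausibility ceiling, not a Medtronic value


def _canonical(fields):
    """Serialise the authenticated fields deterministically so both sides MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class IdentifierGatedPump:
    """Toy pump that applies any command addressed to its serial number.

    This is the model implied by the advice 'do not share your serial number':
    the serial is the only thing between a nearby radio and the settings.
    """

    def __init__(self, serial, basal_rate):
        self.serial = serial
        self.basal_rate = basal_rate

    def receive(self, msg):
        if msg.get("target") != self.serial:
            return "ignored"
        self.basal_rate = msg["basal_rate"]
        return "applied"


class AuthenticatedPump:
    """Toy pump that also requires a MAC under a pairing key known only to the
    legitimate controller, a strictly increasing counter (anti-replay), and a
    plausibility ceiling on the requested rate."""

    def __init__(self, serial, basal_rate, pairing_key):
        self.serial = serial
        self.basal_rate = basal_rate
        self._key = pairing_key
        self._last_counter = 0

    def receive(self, msg):
        if msg.get("target") != self.serial:
            return "ignored"
        body = {k: msg.get(k) for k in ("target", "counter", "basal_rate")}
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "rejected: bad mac"          # forged, unkeyed or tampered command
        if not isinstance(msg["counter"], int) or msg["counter"] <= self._last_counter:
            return "rejected: replay"           # captured legitimate command re-sent
        if not 0 <= msg["basal_rate"] <= MAX_BASAL_UNITS_PER_HOUR:
            return "rejected: out of range"     # valid key but implausible dose
        self._last_counter = msg["counter"]
        self.basal_rate = msg["basal_rate"]
        return "applied"


def build_command(target, counter, basal_rate, pairing_key=None):
    """Controller side. With a key, the MAC covers target, counter and rate."""
    msg = {"target": target, "counter": counter, "basal_rate": basal_rate}
    if pairing_key is not None:
        msg["mac"] = hmac.new(pairing_key, _canonical(dict(msg)), hashlib.sha256).hexdigest()
    return msg


def demo():
    """An attacker who has learned the serial (say, from a photo) tries to set a
    dangerous basal rate on each pump model. Returns the outcomes."""
    serial = "000000"                                        # constructed sample serial
    key = b"pairing-key-known-only-to-patient-controller"    # constructed sample key
    legit = build_command(serial, counter=1, basal_rate=0.8, pairing_key=key)
    attack = build_command(serial, counter=99, basal_rate=25.0)   # attacker has no key
    forged = dict(attack, mac="00" * 32)                           # attacker guesses a MAC

    gated = IdentifierGatedPump(serial, basal_rate=0.8)
    auth = AuthenticatedPump(serial, basal_rate=0.8, pairing_key=key)
    return {
        "gated_attack": gated.receive(attack),
        "gated_rate_after": gated.basal_rate,
        "auth_legit": auth.receive(legit),
        "auth_replay": auth.receive(legit),
        "auth_attack": auth.receive(attack),
        "auth_forged": auth.receive(forged),
        "auth_rate_after": auth.basal_rate,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The identifier-gated pump accepts the 25 U/h command outright, which is why “keep your serial number private” is the best advice available for a device that cannot be re-flashed in the field. The authenticated pump rejects the unkeyed command, the forged MAC and the replayed legitimate command, and would still refuse an implausible rate even from a holder of the key. Real pairing also has to solve key distribution and a lost-controller recovery path, which this toy skips.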

Hunt says that FDA has ongoing discussions with manufacturers and when concerns arise, “we work quickly to develop a plan of action including how to mitigate any cybersecurity vulnerabilities and how to effectively communicate with the public as quickly as possible.”

OK, but none of this explains exactly why in this case it took years to address a known cybersecurity issue…?

As noted above, many in the D-Community see this as an attempt to target DIY technology as well as to bring new customers to the latest Medtronic technology. Within the #WeAreNotWaiting community, many have criticized the recent FDA actions, the warning about DIY technology and this older-tech cybersecurity alert, as short-sighted, especially given the prevalence of inaccurate CGM readings and real-life issues with commercially regulated diabetes devices. One #WeAreNotWaiting member even dug into a new FDA adverse event report issued in June 2019 covering the past two decades of adverse events, and found that in 2018 alone Medtronic insulin pumps accounted for 11.5% of all reported events.

Whoa! Do the math, and it’s clear that commercial, FDA-cleared devices have issues all on their own.

It’s certainly possible that this is just what it appears to be at face value: official recognition of a cybersecurity flaw for old technology that predates the Bluetooth era of data-sharing and remote monitoring. But why did it take nearly a decade to materialize into actual action?

While the answer as to “Why Now?” on this remains unclear, we do know that FDA has been a friend to the #WeAreNotWaiting community over the years. They’ve been receptive to open communication with the patient community. We also know that there are real liability and safety concerns with DIY technology, and that FDA has been very measured in addressing those potential risks. Let’s hope that trend continues.

Meanwhile, we remain quite confident that no one’s hacking pumps to kill people off. Fear-mongering doesn’t help anyone, neither the DIY community nor the Pharma companies themselves.