India’s drug regulatory agency has issued an alert about several models of insulin pumps made by the US company Medtronic, saying they pose a “cybersecurity risk” because unauthorised persons could wirelessly gain control over them.
The July 2 alert from the Central Drugs Standard Control Organisation (CDSCO) has cited an “urgent safety field notification” from Medtronic and a US Food and Drug Administration warning on June 27 about the pumps — electronic devices that deliver insulin into the bloodstream.
“An unauthorised person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery,” the CDSCO has said in its alert, citing the Medtronic notification.
“Security researchers have identified potential cybersecurity vulnerabilities related to these insulin pumps,” the company’s notification said. Unauthorised tampering with settings could expose patients to the risks of low blood glucose or high sugar levels.
The CDSCO — an agency under the Union health ministry — and Medtronic have both said they have received no confirmed reports or complaints of unauthorised persons changing settings or controlling insulin delivery.
But while the US FDA has said Medtronic is “recalling the affected pumps and providing alternative insulin pumps to patients,” the company issued a media release in India on Wednesday night saying there is no recall.
“The insulin pumps are not being recalled and are not required to be returned. This is a safety notification only,” Medtronic said in the release issued through a communications agency in Mumbai.
The company said it has provided its customers and their doctors with security precautions when using their insulin pump. These include paying attention to any pump notifications, alarms and alerts.
However, the US FDA warning said patients with diabetes using these models should switch their insulin pump to models that are better equipped to protect against these potential risks.
The CDSCO, in line with the FDA advisory, has urged patients to talk to their healthcare providers about a prescription to switch to a model with more cybersecurity protection. The alert also asks patients not to share pump serial numbers, to remain attentive to pump notifications or alarms, and to immediately cancel any unintended boluses.
The company’s officials were not immediately available to explain the differential actions prescribed for patients in the US and patients in other countries such as India.
Medtronic said the MiniMed 508 insulin pump and the MiniMed Paradigm series insulin pumps are designed to communicate using a wireless radio frequency with other devices such as blood glucose meters, glucose sensor transmitters and CareLink USB devices.
The CDSCO said the alert applies to MiniMed Paradigm (MMT-715 MMT-712, and MMT-722) and MiniMed Paradigm Veo (MMT-754) insulin pumps.
The Medtronic notification contains the full list of the affected insulin pumps.
The company said the following models “are vulnerable” to this potential issue: MiniMed Paradigm 508, MiniMed Paradigm 511, MiniMed Paradigm 512/712, MiniMed Paradigm 712E, MiniMed Paradigm 515/715, and MiniMed Paradigm 522/722 with all software versions, and MiniMed Paradigm 523/723, MiniMed Paradigm 523K/723K with software versions 2.4A or lower, MiniMed Paradigm Veo 554/754 with software versions 2.6A or lower, and MiniMed Paradigm Veo 554CM/754CM with software versions 2.7A or lower.
The differential actions for patients in the US and outside the US are outlined in Medtronic’s June 27 notification.
For patients in the US, the company has recommended they speak with their healthcare providers “about changing to a newer model insulin pump with increased cybersecurity protection.”
For patients outside the US, the company has recommended that they speak with their healthcare providers “to discuss the cybersecurity issue and the steps you can take to protect yourself.”