If you follow product safety notices or the a la mode medical headlines, you may have heard that senior Medtronic insulin pumps are being dubbed unsafe and weak to cyber attacks.

Yep, the FDA and Medtronic have some issued field safety notifications about older pumps in the Revel and Prototype series, devices that in some cases are from a decade up to nearly 20 years old now. Here is the FDA notice, and the patient letter from Medtronic itself.

The impacted devices include: the Minimed 508 (first launched in 1999), the Epitome models (511, 512/712, 515/715, 522/722, and older versions of the 523/723), as well as the older Minimed Paradigm Veo versions sold outside the U.S.

No Intellect for Panic

Before anyone gets all freaked out about insulin pump safety, have's atomic number 4 clear that both FDA and Medtronic confirm there have been Null reports of any kind of meddling with these pumps. So despite the sensationalized headlines, a scarey scenario in which whatsoever nefarious cyber-cyberpunk reprograms individual's heart to drive home too much insulin remains fodder for TV or movie plots. While something like that English hawthorn on paper be possible, the serious risk is untold more likely to be a faulty CGM sensor reading suggestion the pump to deliver too often OR deficient insulin in these older models.

The official card from the FDA is simply the agency doing its job of cautionary of people about voltage dangers that could exist. It's however another "zero day" event — like the warning issued on Animas insulin pumps back in 2016 — in which the manufacturer is compelled to expose vulnerability that could create risk.

More importantly, this isn't a new developing. The notion that Medtronic pumps are susceptible has been public since 2011, when mainstream media reported that "Patrick White lid" hacker Jay Radcliffe had managed to faulting into the cipher of an insulin pump, and mainstream media was all over it. Even two Congressional members at the time got caught up in the ballyhoo, and in the following years that and incidental to cybersecurity issues throw been current as the FDA and federal governing crafted guidelines and protocols for possible cybersecurity issues in medical technology.

Non a Traditional Recollect

Also, despite reporting in mainstream media, Medtronic confirms with US that this is non a traditional product recall. "This is a safety notification only. Impacted pumps are not required to be returned because of this notification," says Pam Reese, Medtronic Diabetes' Director of Global Communications and Incorporated Marketing.

She tells us that people using these aged pumps backside still order supplies from Medtronic and from distributors.

What should you in reality practice if you stimulate one of the impacted pumps?

"We recommend that you verbalize with your healthcare supplier to discuss the cybersecurity issue and the steps you can fancy protect yourself. Meanwhile, specific instructions are to hold out your insulin pump and the devices that are connected to your pump within your control at all times, and not to share your pump serial number with anyone," Reese says.

Wherefore Issue a Warning Now?

This is the astronomic question on many minds in the long-suffering community.

If Medtronic and FDA receive been aware of this vulnerability for eight grumbling years, and now all of these aged contemporaries Minimed insulin pumps are really out of print and inactive-the-food market for new customers in the States, what prompted an watchful at this present moment in time?

Medtronic's Reese says: "It's been an ongoing conversation because cybersecurity protection is constantly evolving as applied science continues to rapidly meliorate and connected devices need to keep prepared with this pace… We were made aware of this in belated 2011, and we began to apply surety upgrades to our pumps at that time. Since then, we have released newer pump models which communicate in completely different ways. With the growing amount of attention to cybersecurity in the medical device industry today, we felt that it was important for our customers to translate the issues and risks in greater detail."

That may live, merely what has also happened over the past hardly a years is the bear and exponential ontogeny of the #WeAreNotWaiting DIY diabetes technology movement; today thousands of people worldwide are creating their have homemade, closed-loop system systems. Many of those are being built supported these exact elder models of Medtronic pumps that the company has on the spur of the moment decided to speak out about.

Medtronic says they've already identified 4,000 direct customers who may be using these aged devices that are potentially at risk, and volition constitute working with third-party distributors to identify others.

Untrusting minds can call back of deuce possible reasons for a sudden warning now:

  • FDA is using this "electric potential risk" warning as a means of tamping down the increasing use of DIY technology that isn't regulated or approved for commercial sales.
  • And/or Medtronic is making a competitive Bromus secalinus move here, supporting a cybersecurity alert to frighten people off of using older, out-of-warranty devices and rather push customers to upgrade its to newer, "more secure" devices like the 630G and 670G Hybrid Closed Loop system.

Equitable weeks ago at our D-Data ExChange event connected June 7, the big announcement was made that Medtronic would begin working with ASCII text file non-profit Tidepool to create a late version of its insulin pump that testament exist interoperable with separate products and with the future Tidepool Loop app being developed for the Apple Entrepot. It's possible Medtronic is hoping to position the groundwork for DIYers to stick to Medtronic products, just not the older versions they no more wish to be responsible for.

Share along Pinterest

Not Targeting DIY Systems?

Don River't leave that in May 2019 the FDA issued a warning about DIY technology and systems that are "off-label," even if they use FDA-cleared devices in the system components. But the agency says these ii alerts are not consanguineal.

"This is a segregated publish from the DIY applied science dissuasive," explains Alison Hunt in the Food and Drug Administration's Media Affairs Office. "The FDA was successful aware of additional vulnerabilities associated with these pumps that, when considered with the ones disclosed in 2011, led us publish this safety device communication and Medtronic to issue this latest alert."

She points prohibited that this latest safety communication "specifically discusses the cybersecurity exposure where an unauthorized person could possibly associate wirelessly to a nearby MiniMed insulin pump and change the pump's settings to either over-deliver insulin to a patient, leading to low blood glucose (hypoglycemia), or block up insulin legal transfer, leading to high blood glucose and diabetic ketoacidosis."

Hunt says that FDA has ongoing discussions with manufacturers and when concerns arise, "we exploit chop-chop to get a plan of activeness including how to palliate any cybersecurity vulnerabilities and how to effectively communicate with the public as quickly A possible."

OK, but none of this explains exactly why in this case it took years to address a known cybersecurity issue…?

As noted preceding, many in the D-Community see this as an attempt to object DIY applied science atomic number 3 well as bring in in new customers to the latest Medtronic applied science. Inside the #WeAreNotWaiting community, umpteen have criticized the recent FDA actions — the warnings about DIY technology and this old tech cybersecurity — as being short-sighted, especially given the prevalance of inaccurate CGM readings and real-living issues with commercially-regulated diabetes devices prohibited there. One #WeAreNotWaiting member even dug into a new FDA Adverse Event report issued in June 2019 looking the old deuce decades of adverse events, and found that in 2018 incomparable, Medtronic insulin pumps were responsible 11.5% of all events.

Whoa! Practise the math, and it's make that commerical, FDA-cleared devices have issues all on their own.

IT's surely possible that this is sportsmanlike what it appears to be at fount value: official recognition of a cybersecurity flaw for old technology that predates the Bluetooth earned run average of data-sharing and remote monitoring. Just why did it take nearly a decade to materialize into de facto execute?

While the answer as to "Wherefore Immediately?" happening this cadaver unclear, we set know that FDA has been a friend to the #WeAreNotWaiting community over the years. They've been receptive to open communication with the patient community. We also know that there are factual liability and base hit concerns with DIY technology, and that FDA has been very measured in addressing those potential risks. Army of the Righteou's hope that trend continues.

Meanwhile, we continue quite confident that no one's hacking pumps to pop mass off. Fear-mongering doesn't help anyone — neither the DIY biotic community Beaver State Pharma companies themselves.