FDA urges patients to ditch vulnerable insulin pumps built by Medtronic

Medtronic equipment again is the subject of a cybersecurity warning from U.S. regulators.

A vulnerability in an insulin pump made by medical device vendor Medtronic could allow a hacker to change the pump’s settings and control the delivery of the hormone, the Food and Drug Administration warned Thursday.

After security researchers demonstrated how an attacker could abuse a radio frequency protocol, which the pump uses to communicate with other devices, to inject and intercept data, the FDA told patients to switch to pump models with better cybersecurity protections. The advisory is the latest example of a health care company struggling to secure medical technology, which often is expensive and difficult to replace.

Norman “Ned” Sharpless, acting head of the FDA, said the agency wasn’t aware of any patient harm stemming from the software vulnerability.


Minneapolis-based Medtronic said it is recalling the affected “MiniMed” pump model, which was produced in 2012 and before. Medtronic, in a letter, advised patients to consult with their physicians before switching to another model of insulin pumps with stronger cybersecurity protections. Medtronic heart defibrillators were the subject of a separate advisory in March from the U.S. Department of Homeland Security, which said hackers could have changed setting in those devices.

In this case, Medtronic spokeswoman Pamela Reese told CyberScoop that roughly 4,000 “direct customers” in the United States could be using the affected pumps, and that the company is working with distributors to identify anyone else who might be using vulnerable equipment. “Most of our current customer base [is] already using insulin pumps that are not impacted by this cybersecurity concern,” Reese said.

Medtronic said it hadn’t received any “confirmed” reports of unauthorized tampering with the affected pumps. Asked if there were “unconfirmed” reports of tampering, Reese told CyberScoop: “On occasion, we’ve been alerted to a suspected tampering incident which we investigate thoroughly. But none of those investigations have ever confirmed an incident of this nature.”

The Department of Homeland Security also released an advisory about the vulnerability on Thursday which said that no known exploits specifically target the protocol flaw.

Cybersecurity experts have credited medical device makers for being more willing to embrace vulnerability disclosure programs for their equipment, but have also said more of the industry should follow suit.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts