Certain older Medtronic MiniMed insulin pumps may be vulnerable to cybersecurity risks
- Starting date:
- June 29, 2019
- Type of communication:
- Medical Device
- Source of recall:
- Health Canada
- Important Safety Information
- General Public
- Identification number:
Last updated: 2019-07-09
Update – July 9, 2019
Medtronic has informed Health Canada that all Medtronic MiniMed 508 and MiniMed Paradigm insulin pumps distributed before 2015 may be vulnerable to cybersecurity risks (not just devices distributed between 2010 and 2015).
If you are using any Medtronic MiniMed 508 or MiniMed Paradigm insulin pump distributed before 2015, speak with your health care provider at your next appointment about whether changing to a newer model insulin pump with increased cybersecurity protection is appropriate for you.
Original – June 29, 2019
For immediate release
OTTAWA – Health Canada is advising patients and health care providers that certain older Medtronic MiniMed 508 and MiniMed Paradigm insulin pumps distributed between 2010 and 2015, may be vulnerable to cybersecurity risks. According to Medtronic, 2,620 of these insulin pumps have been sold in Canada.
The risk is not with the normal functioning of the device, but with the remote possibility of a cyberattack. Diabetic patients using an affected model are advised to identify if they have an affected device and to take the precautions listed below, and to talk to their health care provider at their next appointment about whether switching to a newer model with increased cybersecurity protection is the right option for them.
The potential cybersecurity vulnerability could result in changes to pump settings by an unauthorized person (someone other than a patient, patient caregiver, or health care provider). Changes to pump settings could result in either over-delivery of insulin to a patient, leading to low blood sugar (hypoglycemia), or stopping insulin delivery, leading to high blood sugar (hyperglycemia) and diabetic ketoacidosis. To date, Health Canada is not aware of any reports of patient harm related to this potential cybersecurity risk, and considers it to be low in probability and risk.
According to the company, the settings could only be altered by an unauthorized person if they know the serial number of the specific pump and can connect wirelessly nearby, and if they have the necessary technical skills, the correct radio frequency equipment, and the malicious intent to perform the hack.
Medtronic has indicated that the potential security vulnerabilities were first identified by external security researchers and confirmed by Medtronic testing. Medtronic has advised that it cannot update the software in the MiniMed 508 and Paradigm insulin pumps to address these potential cybersecurity risks. The company has issued a notification to Canadian customers and to health care professionals.
Who is affected
Diabetes patients who are using an affected Medtronic MiniMed 508 or MiniMed Paradigm insulin pump listed below.
The following Medtronic MiniMed 508 or MiniMed Paradigm insulin pump are affected by this issue:
MiniMed Paradigm 511
MiniMed Paradigm 512/712
MiniMed Paradigm 515/715
MiniMed Paradigm 522/722
MiniMed Paradigm Veo 554/754
Version 2.6A or lower
MiniMed Paradigm Veo 554CM/754CM
Version 2.7A or lower
What consumers should do
- Do not stop using your insulin pump, as this could result in changes in your blood sugar levels. The risk of cybersecurity tampering with the pump is low in probability and risk.
Check to see if the model and software version of your Medtronic insulin pump is affected.
- To find the model number of your pump, look at the label on the back of your pump.
To find the software version for the MiniMed Paradigm pumps, go to the STATUS screen:
- To open the STATUS screen, press ESC until the STATUS screen appears.
- To view more text on the STATUS screen, press the up or down arrow to scroll and view all the information.
- To exit the STATUS screen, press ESC until the STATUS screen disappears.
- If you are using an affected device, speak with your health care provider about whether changing to a newer model insulin pump with increased cybersecurity protection is appropriate for you.
- If you have an affected device and have questions or concerns, talk to a health care provider or call Medtronic at 1-800-284-4416.
If you have an affected device, take the following precautions to protect yourself from cybersecurity risks:
- Keep your insulin pump and the devices that are always connected to your pump within your control.
- Do not share your pump serial number.
- Be attentive to pump notifications, alarms, and alerts.
- Immediately cancel any unintended boluses.
- Monitor your blood glucose levels closely and act as appropriate.
- Do not connect to any third-party devices or use any software not authorized by Medtronic.
- Disconnect your CareLink USB device from your computer when it is not being used to download data from your pump.
Get medical help right away if you:
- Have symptoms of severe hypoglycemia (such as excessive sweating, feeling very tired, dizzy and weak, being pale, and a sudden feeling of hunger).
- Have symptoms of diabetic ketoacidosis (such as excessive thirst, frequent urination, nausea and vomiting, feeling very tired and weak, and shortness of breath).
- Think your insulin pump settings or insulin delivery changed unexpectedly.
Report health or safety concerns
- Report complaints involving medical devices to Health Canada.
- Stay connected with Health Canada and receive the latest advisories and product recalls.
What Health Canada is doing
Health Canada continues to follow up with the company to make sure that the appropriate risk mitigation measures are taken. The Department will update Canadians if significant new information becomes available.
The world of medical devices is constantly evolving and the Government of Canada is working to ensure that regulations and guidance keep pace. Health Canada has recently published guidance on Pre-market Requirements for Medical Device Cybersecurity to help protect patient safety. The new guidance describes how and when to implement strategies to reduce potential risks associated with medical devices that contain software and technology that enable communication with outside networks.
This guidance complements work underway as part of Health Canada’s Action Plan on Medical Devices. The Action Plan lays out a three-part strategy to further improve how medical devices get on the market, to strengthen monitoring and follow-up for devices already in use, and to provide Canadians with more information about the medical devices they rely on.