Insulin pumps are small computerized devices, often used instead of periodic insulin injections, to deliver insulin to a patient throughout the day using a catheter implanted under the skin.

The FDA has recommended that patients using particular models switch to insulin pump models that are better equipped to protect against the potential risks. However, the FDA is not yet aware of any confirmed reports of patient harm related to the potential cybersecurity risks of the devices.

According to the FDA, the potential risks are associated with the wireless communication between Medtronic’s MiniMed insulin pumps and other devices including glucose meters, continuous glucose monitoring systems, the remote controller and CareLink USB device used with the pumps.

In addition, cybersecurity vulnerabilities have been identified in the device that could allow individuals other than a patient, caregiver or health care provider to access the MiniMed insulin pump through the wireless connection and change the pump’s settings.

FDA centre for devices and radiological health deputy director Suzanne Schwartz said: “The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risk, and to be proactive about disclosing vulnerabilities and mitigations to address them.

“This is part of the FDA’s overall effort to collaborate with manufacturers and health care delivery organizations, as well as security researchers and other government agencies, to develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle.”

The vulnerability in the insulin pump may allow a person accessing the device to over-deliver insulin to the patient, resulting in low blood sugar (hypoglycaemia), or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.

The Medtronic pumps being recalled include the MiniMed 508 insulin pump and the MiniMed Paradigm series insulin pumps.

Medtronic is providing patients with alternative insulin pumps that have enhanced built-in cybersecurity capabilities.

Schwartz added: “While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed is significant. The safety communication issued today contains recommendations for what actions patients and health care providers should take to avoid the risk this vulnerability could pose.

“Any medical device connected to a communications network, like Wi-Fi, or public or home Internet, may have cybersecurity vulnerabilities that could be exploited by unauthorized users. However, at the same time it’s important to remember that the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely health care delivery.”