On June 27, Medtronic announced that it was recalling certain MiniMed insulin pumps due to “potential security vulnerabilities.” On the same day, FDA issued a Safety Communication and the Department of Homeland Security issued a Cybersecurity Infrastructure Security Advisory about the same issue.
FDA’s Safety Communication states that “FDA has become aware that an unauthorized person (someone other than a patient, caregiver, or health care provider) could potentially wirelessly connect to a nearby MiniMed insulin pump with cybersecurity vulnerabilities.” FDA explains that the potential risk of a hacking attempt is that the hacker “could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.” FDA notes that it is not aware of any actual hacking incidents.
FDA has been increasingly focused on cybersecurity. In recent years, FDA has released guidance on premarket cybersecurity considerations (see our past blog posts here, here, and here) and postmarket cybersecurity considerations (see our past blog posts here and here). The Safety Communication from FDA about MiniMed is also not the first of its kind. FDA has issued at least six other Safety Communications since 2015 about specific medical device cybersecurity issues, including issues related to other Medtronic devices, listed on its webpage on cybersecurity.
Though Medtronic’s recent recall, as described in its Security Bulletin, was due to “work performed by external researchers” that identified the potential cybersecurity vulnerability, it is possible that FDA will identify these types of vulnerabilities more often in both the premarket and postmarket context. As we have reported in past blog posts (here and here), we are aware of FDA requesting additional information about device cybersecurity while reviewing pending premarket submissions.
If we start to see more cybersecurity-related recalls, particularly as wireless and cloud-based medical device software becomes more common, we may see more attention from FDA to cybersecurity issues in the postmarket context, including through inspectional observations.