The Food and Drug Administration (FDA) warned people with diabetes last week that hackers could compromise their insulin pumps by connecting to them via Wi-Fi and changing the pump’s settings to either under- or overdeliver insulin, which could be fatal for users — a gut punch for diabetics facing ever-rising insulin prices. The FDA has been aware of the issue for at least six years, according to reports.
The FDA lists 11 versions of Medtronic’s MiniMed insulin pumps vulnerable to hackers and cyber attacks on its website. Medtronic sent a letter to customers advising them to switch to a “newer model insulin pump with enhanced cybersecurity protection.”
Medtronic told in-warranty customers they can exchange their vulnerable insulin pumps for a newer model at no cost. Out-of-warranty customers may replace their vulnerable insulin pumps for refurbished models for $399. If they want a brand new insulin pump, they will pay full price.
Insulin pumps typically cost anywhere between $4,500 and $6,500 without health insurance. The American Diabetes Association (ADA) found that the average price of insulin tripled between 2002 and 2013, and the Health Care Cost Institute found in January that the price doubled between 2012 and 2016.
The FDA’s recommendation comes after several external cybersecurity experts found dangerous vulnerabilities in the technical design of some insulin pumps.
One of those experts is Jay Radcliffe, who suffers from Type 1 Diabetes and infamously hacked a Medtronic insulin pump on stage at the 2013 Black Hat cybersecurity conference, showing conference attendees that hackers could change how an insulin pump works and, theoretically, kill insulin pump users.
As potential solutions, Radcliffe suggested passcodes for insulin pumps as well as manufacturing pumps with a limited insulin range to avoid dramatically under- or overdelivering insulin to a patient. Because everything is becoming wireless and connected, he said, securing medical devices is necessary to protect patients.
Radcliffe told the Medical Device and Diagnostic Industry that he submitted the issue to the FDA, noting in an interview that “a software problem (not a cyber attack) caused me to have very dangerous low blood sugar.”
That was in 2013.
In 2015, the ADA called for “greater safety review” of insulin pumps” in a joint statement with the European Association for the Study of Diabetes.
“Not enough is known about the safety and efficacy of insulin pumps, and a comprehensive safety overhaul – including greater access to data from pump manufacturers and public funding of research on the use of insulin pumps – is needed to allow health care teams to educate and support those using the devices,” the associations said, according to the statement.
The two associations also called for “a single, publicly accessible, international database for reporting adverse events, including both technical and human errors.”
Despite concerns from cybersecurity experts and the ADA, wifi-enabled insulin pumps continued to go to market.
A 2017 study from the Technology and Health Care journal found that the industry doesn’t keep up with modern cybersecurity precautions, and a 2018 study from medical journal Maturitas found that medical devices — including insulin pumps and pacemakers — are highly vulnerable to cybercrime.
Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that, for many doctors and hospitals, cybersecurity is not on the radar. Doctors’ and hospitals’ first priority usually isn’t making sure a new medical device is vulnerable to hackers, but rather providing patient care.
A 2013 Deloitte study claims the FDA has been aware of cybersecurity concerns surrounding medical devices since at least 2013, but noted that medical devices have always been vulnerable to interference, malicious or otherwise.
“In 1998, low-power heart monitors at a hospital were overwhelmed with electromagnetic interference and unable to provide critical care readings when a nearby TV station turned on a new digital television transmitter using a previously vacant TV channel,” according to the Deloitte study.
Tech-savvy health care startups may change the using new technology, but changing the mindset of an industry dominated by legacy companies like Medtronic and others could be agonizingly slow, according to Madnick.
In December 2018, the FDA updated its cybersecurity guidelines for medical devices, but this is the first cybersecurity-related safety guidance for a medical device in 2019.
The ADA did not respond to InsideSources’ request for comment.