On Aug. 4, the Washington Post and several other media outlets published this story:
Several diabetes bloggers have shared their comments about it, including the following:
This morning, I reached out to pump and glucose meter manufacturers, asking them for more information on this. Below, I am pasting the Q&A I received from Medtronic Minimed's Director of PR:
Medtronic takes very seriously the issue of information security of devices. It is an integral part of the very fabric of our product design processes. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.
Technology is constantly evolving and Medtronic is continually incorporating measures to maintain information security, while ensuring our devices meet their intended purpose of saving and extending lives.
We understand that there are no absolute certainties in information security. However, we also know that being vigilant in reviewing the external security landscape, designing our products with information security in mind and creating rigorous, complex safeguards will help ensure product security.
Key Questions and Answers
Q1. I’ve read a report that says a device can be manipulated and subsequently disrupted. Is this true?
A. Yes, we are aware of this report. This is the first and only such report we have seen and we do not see a reason to believe that this is a reason for concern as your device went through extensive testing to make sure it would be safe and protected from external harm.
In the reported instance, the researcher had in-depth knowledge about the product he tampered with, such as the serial number of both the insulin pump and remote device, and he TURNED ON the wireless feature. Additionally, he had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment.
Q2. Has a Medtronic device ever been manipulated?
A. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.
Q3. How would I know if someone had manipulated my insulin pump?
A. If someone manipulated your pump to deliver a bolus of insulin that you did not want to receive, your pump would play back a series of tones to confirm the size of the bolus. So, you would be able to detect tones on the insulin pump that weren’t intentionally programmed and could intervene accordingly.
Q4. What could happen if someone tampered with a CGM monitor?
A. To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use -- including the transfer of viruses and malicious code, which includes millions of devices worldwide.
We have and will continue to be vigilant in reviewing the external security landscape, designing our products with information security in mind and creating rigorous, complex safeguards which will help ensure product security.
In the very remote chance a patient encountered wireless tampering, a CGM monitor could potentially receive an erroneous sensor value or meter value. However, our CGM labeling requires patients to confirm the sensor glucose reading with a fingerstick measurement prior to making any type of therapy decisions. So, they would have the opportunity to investigate any type of discrepancy caused by wireless tampering.
Q5. Is there really anything Medtronic can do to “prevent” manipulation of devices?
A. We recognize there are people who focus on manipulation of devices – medical and otherwise. Most do so as part of an academic pursuit or to improve existing technology. We also recognize there may be some who have malicious intent. Our job is to incorporate information security measures into our designs, vigilantly monitor potential threats and to always be proactively finding ways to make our devices more secure for you. That is what we have done and what we will continue to do.
Or they could just use Bluetooth with encryption, which would give more than enough security given that the CIA, Mossad, MI5, OSS, or whoever, only have a few days to crack it. I'm assuming that pairing is inherently secure; once the devices are paired and the communication is encrypted it's as good as a hard wire.