Below you will find the statement I just received from the Director of Global Communications at Animas Corporation. It complements the post with a Q&A issued by Medtronic Minimed yesterday.



The security and safety of our pumpers is of utmost concern to Animas. We have high levels of proprietary security measures in place for all our products, that meet and exceed industry requirements. To date, we are not aware of a single customer complaint or report claiming a security breach with our insulin pumps or wireless glucose management systems.

We are aware of Jerome Radcliffe’s study investigating security attacks on insulin pumps. We closely reviewed his study, which clearly states that the researcher was only able to “hack” into the insulin pump with knowledge of the pump and remote device’s serial numbers.

At Animas, the serial numbers of our products are considered “Personally Identifiable Information,” and as such are closely protected by our privacy policies and security. We protect our patients’ serial numbers with the same protocols we use to protect our patients’ names, social security numbers, and other personal information.

All Animas products and systems are built with encryption algorithms and proprietary radio frequency protocols designed to ensure pairing between a wireless device and pump, and to ensure the devices “speak” to one another in a secure manner. These proprietary algorithms are confirmed between the unique serial numbers of each device. (To ensure our products’ integrity and ability to prevent tampering, Animas cannot share the specific details of these protocols.)

Animas is confident that the security measures we have in place would make it extremely difficult to hack into our products utilizing third party technology.

Thank you again for allowing us to help educate our pumpers on this issue. We appreciate our customers’ trust in us and want to ensure our pumpers that we are committed to delivering the highest quality of products and services, that enhance quality of life.

Tags: animas, pump, statement

Views: 1250


Replies to This Discussion

Yes, that's what I thought too. But then I read the Animas response and it betrays a fundamental lack of understanding about computer security. The Medtronic response is reasonable - it is meaningless drivel, and therefore doesn't give away any information. I can only assume that either Medtronic know what they are doing or that they are currently doing the chicken-with-head-cut-off thing and trying to find out.

The issue isn't that they've been caught with their pants around their ankles; we all do that, it's that they (Animas) apparently think this is a normal state of dress.
And me the computer very unsavvy person is confused as well, after I read your profile, jbowler, your diagnosed date is: January 1, 0197 ????... just my observation... I hope you are laughing with me :)
Yes; tudiabetes.org has a *** doofus *** broken *** user interface.

I am not *permitted* to enter 197?, or 197x, or 197, I am obliged to enter a numerical value.

This is what gets me so angry about my fellow software engineers - they just don't know how to write user interfaces. And, for the record, I am very annoyed by non-computer people who don't scream blue murder whenever they can't work out how to make a computer work - it's not *your* fault, it's *mine* (and all my fellow reprobate software engineers.)

If a computer doesn't work a human being is to blame, and it is not you.

Oh, and the above response was auto-magically edited by some insane piece of moronic brain dead software written by some equally capable software engineer (I think we call ourselves "web designers" in this context) who doesn't realise that the two characters angle-bracket-left and angle-bracket-right are not meaningful to normal, well developed, highly intelligent [all human beings are highly intelligent] human beings.

I *did not write* "197,"; I wrote something like:

197<I don't know what year because at the time I was in my pre-teens and why on earth should I remember the exact date>

Thanks jbowler... I am learning.
Sorry to be so aggressive: I keep seeing people who think it's their problem when a computer doesn't do what they want and I get annoyed by that, but I've produced incomprehensible interfaces often enough in my life to know how difficult it is to get right.
I don't like that a vulnerability was found, but the serial number detail is comforting to me. That's not information I'd give to anyone, and it sounds like Animas has reasonable safeguards in place to protect that data.

Despite those measures, no system is foolproof and someone committed enough could hack Animas for the serial numbers. But what are the odds of someone doing that and then going after specific pumpers? The effort and expense would be extraordinary. An individual being targeted by someone he or she knows strikes me as more likely, and even that possibility seems remote.

The possible impact on a victim's health is terrifying, but this kind of attack just doesn't seem realistic to me. I may change my tune if more solid data comes out or if a confirmed hack occurs outside of a test environment, but in the meantime, I'll take precautions with my serial number, as I do with my passwords, credit cards, etc.
Don’t forget that pacemakers and defibrillators are in the same category as insulin pumps and CGMSs. How often do you hear about someone using those devices being done in by a crazy person?
I think they should send me a Ping. Unless of course they don't really think it's secure........
More important it falls within the responsibility of the FDA:

http://www.fda.gov/RegulatoryInformation/Legislation/ucm148785.htm

That explicitly lists "devices" and, while it doesn't consider software tampering that's hardly surprising - this started in 1982 (with the cyanide-laced Tylenol). It does show something of a failure of the FDA that anti-tamper requirements aren't already in the device regulations. It's not as though it is hard to get right, and we all know how paranoid people got after 1982 - fixing the problem after someone exploits it is not a good idea.
What exactly would there be to prove? That any computer based system is impossible to make 100% secure if the person trying to hack the system has the money, time, and technical expertise? I think that is something already well known.
That's not a true statement and, in fact, it is pretty easy to get right because it's tried, tested and well understood technology.

© 2013   A community of people touched by diabetes, run by the Diabetes Hands Foundation.
