Below you will find the statement I just received from the Director of Global Communications at Animas Corporation. It complements the post with a Q&A issued by Medtronic Minimed yesterday.
The security and safety of our pumpers is of utmost concern to Animas. We have high levels of proprietary security measures in place for all our products, that meet and exceed industry requirements. To date, we are not aware of a single customer complaint or report claiming a security breach with our insulin pumps or wireless glucose management systems.
We are aware of Jerome Radcliffe’s study investigating security attacks on insulin pumps. We closely reviewed his study, which clearly states that the researcher was only able to “hack” into the insulin pump with knowledge of the pump and remote device’s serial numbers.
At Animas, the serial numbers of our products are considered “Personally Identifiable Information,” and as such are closely protected by our privacy policies and security. We protect our patients’ serial numbers with the same protocols we use to protect our patients’ names, social security numbers, and other personal information.
All Animas products and systems are built with encryption algorithms and proprietary radio frequency protocols designed to ensure pairing between a wireless device and pump, and to ensure the devices “speak” to one another in a secure manner. These proprietary algorithms are confirmed between the unique serial numbers of each device. (To ensure our products’ integrity and ability to prevent tampering, Animas cannot share the specific details of these protocols.)
Animas is confident that the security measures we have in place would make it extremely difficult to hack into our products utilizing third party technology.
Thank you again for allowing us to help educate our pumpers on this issue. We appreciate our customers’ trust in us and want to ensure our pumpers that we are committed to delivering the highest quality of products and services, that enhance quality of life.
I'm very surprised that Animas would attempt to develop their own proprietary protocols. Security issues in wireless protocols are well understood and extremely well studied, but many people who are otherwise extremely capable have poor intuitions about security. The *well published* protocols such as Bluetooth have, as a result of being well published, received the expert scrutiny necessary for them to be truly secure.
Suppose Animas said, "We use Bluetooth, a well published protocol, and we use it with the highest security available. Once our devices have been paired, which always happens under the control of the user, we are confident our devices are secure." In that case I would not be writing this.
Animas's response, however, is seriously flawed; "to prevent tampering... Animas cannot share the specific details of these protocols." The only interpretation of that statement is that if someone knew the details the protocol would be compromised. That's not true of Bluetooth (for example).
Other details of their response create the distinct impression that they don't know what they are doing; the response implies that security relies on the serial number of the device being secret, that the term "extremely difficult" might impress people who do extremely difficult things as a matter of course (e.g. flatlining BG) and that their adherence to HIPAA somehow magically grants computer system security to their products.