Security at Insulet
Insulet Corporation Security Promise
At Insulet Corporation, the safety and security of our patients and products is paramount in everything we do. We are dedicated to making the lives of people with diabetes and other conditions easier through the use of our Omnipod® product platform. Connected devices have resulted in the emergence of a new set of challenges for patients, healthcare providers, and device developers and manufacturers. There exists the potential for these devices to become targets of cybersecurity attacks. That is why security is at the forefront of our design and integrated into the development process at the very beginning and monitored throughout the lifecycle of our products’ availability.
We align our oversight and management of cybersecurity with the International Organization for Standardization/International Electrotechnical Commission’s 27000 series (ISO/IEC 27000) and the NIST “Framework for Improving Critical Infrastructure Cybersecurity” (NIST CSF). We have audited compliance and development programs in place for the devices, systems, and services we sell consistent with applicable medical device regulatory requirements.
Insulet Corporation has established a dedicated, global product security team and coordinated product disclosure program to supplement the robust product security practices that are already in place. This enables Insulet Corporation to embed security considerations into the full product lifecycle. The product security team is integrated into the Insulet Corporation Global Security Office. This team works cross-functionally across the business to provide broad security expertise, governance and oversight on product security issues. They proactively share information across the enterprise to foster a culture of learning and best practices across a global organization. Additionally, the team oversees and manages the coordinated disclosure program.
Externally, Insulet Corporation works closely with government agencies, industry partners and security researchers to enhance security efforts across the medical device and healthcare industries and inform and shape the guidance and regulatory landscape.
Security by Design
Our device security approach is intended to identify all relevant cybersecurity risks in the system and design effective mitigations to address those risks throughout the product development lifecycle. The goals of Insulet’s cybersecurity approach include:
- Develop and maintain a set of common core requirements and activities related to medical device product cybersecurity.
- Ensure that a repeatable Framework for Medical Device Security is implemented and followed.
- Conduct risk-based security analysis to determine appropriate controls, including the development of threat models and maintenance of a Risk Register.
- Ensure that robust and repeatable cybersecurity testing activities are completed for a given product program.
- Ensure that the cybersecurity program aligns with and is compliant with all relevant laws and regulations.
- Promptly and thoroughly monitor and address future potential security vulnerabilities in all of our medical devices.
The Insulet Corporation cybersecurity approach described above is designed to align directly to the NIST CSF, which orients cybersecurity functions across five discrete domains (Identify, Protect, Detect, Respond, and Recover). The Insulet cybersecurity program’s alignment to the NIST CSF is also in alignment with FDA’s Guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” as well as the Agency’s “Postmarket Management of Cybersecurity in Medical Devices.”
Insulet respects the privacy of every one of our patients and is committed to the protection of their personal information. We have dedicated teams that are focused on keeping patient information safe from unauthorized access. Additionally, we partner with industry experts in information protection and cybersecurity who work with us to ensure that we implement the right technology and processes to ensure data privacy.
The future of medical devices is extremely exciting, with more opportunities for integrating technologies, such as wearables. As a result of new products and capabilities, the security landscape is always changing. Insulet Corporation will continue to monitor the threat landscape for potential issues affecting our products and address these issues with security enhancements.
Throughout the entire product lifecycle, from design to manufacturing to patient use, Insulet’s team of engineers, specialists and partners strives to make the most secure products possible.
Throughout the lifecycle of a medical device, we continuously monitor for security risks. We assess and test vulnerabilities based on global standards, engage regulators and communicate appropriate mitigations to key stakeholders. For more information about Insulet product updates, notifications and security bulletins, please view our Security Bulletins page.
Coordinated Disclosure Process
We value the contributions of the security research community. If you believe you have identified a potential security vulnerability in one of our products or services, we want to know so we can investigate.
As part of our commitment to the ongoing security of our products, we have partnered with HackerOne to enable the submission of potential security vulnerabilities. Please visit our Coordinated Disclosure Process page for more information on submitting a vulnerability report to Insulet Corporation.