Medtronic—Your Information Security is Garbage

My wife is a Type 1 diabetic, and uses a Medtronic insulin pump to maintain her blood sugar at healthy levels. While the device performs its job adequately, the surrounding software has always been a total disaster. Whether it’s requiring outdated operating systems or browsers, or the use of Java, Kelly has always had great difficulties getting the data off of her pump and onto a computer.

dumpster-garbage-fire-gif.0

There is a really great open source project that Scott Hanselman (b|t) uses, called NightScout, but Kelly likes the comfort of using Medtronic as it is widely supported by her doctors.

If I were building something like this, I’d want a Kindle experience, where there was a single use cellular chip, that always uploaded data to a secure cloud service. Recently, Medtronic has improved this upload process, and it sucks far less than it did in the past.

However, last night something happened with a medical care professional that made me flip out. I was talking with Kelly, and she mentioned that the nurse couldn’t completely see her data through the professional portal (which uses delegated permissions) and then the nurse asked Kelly for her username and password. As you can imagine I was livid, and I assumed the nurse was using the portal incorrectly. I told Kelly, that this was likely a HIPAA violation (or on the edge of one) and she should follow up with Medtronic about it. This was the email she received:

Hi Kelly,

I’m sorry that you are uncomfortable with the system Medtronic uses for your 670G follow-up. Medtronic is hippa compliant and certainly does not share this information. We always ASK for your username and password and access your reports with your permission. We use Professional CareLink but access through your Personal (this is the same way your doctor is able to view your reports).

You can certainly change your password and my access is eliminated.

My first comment is that the Medtronic employee can’t spell HIPAA correctly. But it’s really Medtronic’s business process to ask for your username and password? Does anyone at that company realize how terrible of a security policy this is (I don’t care if this is health data or data about lawn mowing, it’s awful)? I’m completely taken aback that a major health care company has such shit security, and claims compliance. All that said, after looking at their software, I’m not surprised.

Medtronic, do your damn job. And hire better dev and architecture staff.

%d bloggers like this: