Information security - mylife Diabetescare

Digitalisation has become a ubiquitous part of our lives and offers tremendous potential for advancements in healthcare. With the rise of connected devices and the ongoing development of a wide range of systems, it is vital to ensure that these networked systems are secure in the virtual world. As a manufacturer, Ypsomed understands how important it is to maintain confidentiality, integrity, and the availability of the systems and data, and is constantly working to prepare for potential cyber-attacks and associated risks.

Since we operate in a strictly regulated environment in the healthcare sector, it is essential that personal data is handled carefully. We have gained a wealth of experience in this field, allowing us to focus on two main aspects: patient safety and technical security. We are committed to offering state-of-the-art security and secure interoperability, without compromising on the safety and comfort of our customers.

Safety, security and privacy by design

At Ypsomed, we prioritise safety, security, and privacy by design in our product development process. By taking these aspects into account from the outset, we aim to mitigate potential risks and ensure that our products are safe, secure, and respect privacy. To achieve this, we conduct regular security risk analyses and threat-modelling exercises to identify potential threats and vulnerabilities at an early stage. We take care to define the system architecture and integrate appropriate security controls and privacy-enhancing measures throughout the development process.

No compromises when it comes to security

During the product development process, all stakeholders work closely together, including product management, usability, systems engineering, and risk management teams, as well as internal and external security experts. We endeavour to maintain the highest industry standards and refuse to compromise when it comes to the security of our customer data.

User data is the most valuable asset we protect

We protect the privacy of our product users and ensure that they stay safe at all times. Compliance with the applicable regulations (such as the GDPR) and data protection laws is a matter of course for Ypsomed. Our data protection agreements are extremely clear (Privacy Policy) and we obtain consent from our users to handle their data. Ypsomed maintains comprehensive transparency and ensures this in all of its processes.

Continuous monitoring and improvement to maintain security

We continuously monitor and improve our products in order to maintain security. We carry out regular internal and external penetration tests, stay up-to-date with the latest threats, and are committed to ongoing training and improvement. Our approach allows us to proactively address potential risks and maintain the highest standards of security and privacy.

We learn from our partners and exchange ideas

Our broad product portfolio is also based on cooperation with our partners. The interaction between external and internal development departments is crucial: the flow and exchange of information within these cross-functional teams and across companies is extremely important and standardised processes are essential throughout the entire product life cycle. Thanks to open and transparent communication between all parties, security updates can be implemented rapidly. We work together with leading specialist partners to enhance our data security.

We listen to the opinions of our customers

User feedback is also vitally important for Ypsomed as it allows us to continuously improve ourselves and our products. Whether ideas, suggestions for improvement or complaints, all feedback is welcomed, recorded and analysed. We also offer ongoing training and 24/7 customer support worldwide for our insulin pump system.

Regulations and standards with a focus on information security

We don't just talk about what we intend to do, we do it. We base the monitoring and management of our infrastructure cyber security on the following applicable guidelines and standards (not exhaustive):

EU 2016/679: Regulation (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR / DSGVO)
IEC 62304: Medical Device Software – Software Life Cycle Processes
IEC 81001-5-1: Health Software and health IT systems safety, effectiveness and security – Part 5-1: Security —Activities in the product life cycle
IEC TR 60601-4-5: Technical Report (TR) on Medical electrical equipment — Part 4-5 Guidance and interpretation— Safety related technical security specifications for medical devices.
IEC 82304-1: Health software — Part 1: General requirements for product safety

mylife YpsoPump cyber security made simple

The downloaded app is approved by the security server to be from a trusted source. A connection between the mylife YpsoPump and the smartphone is established via Bluetooth. The correct insulin pump is selected with the help of the serial number and a 6-digit passkey code displayed on the pump. Due to the security function, the mylife YpsoPump can only be connected to one smartphone at a time.

The correct insulin pump is selected with the help of the serial number and a 6 digit passkey code displayed on the insulin pump

All communication between the insulin pump and the app is secured end-to-end via authenticated encryption. The security server vouches for the app's authenticity. All communication between the security server and the insulin pump is further safeguarded end-to-end by authenticated encryption. Even though the app acts as an intermediary, it cannot interfere with the communication. Communication between all components is also secured by Bluetooth and TLS encryption. All communication between the app and the mylife YpsoPump insulin pump is safeguarded by encryption specific to the app and insulin pump pair. For example, as an insulin pump cannot read commands directed at another insulin pump, retargeting attacks are impossible.