- Medical devices for diabetes and sleep management, from insulin pumps and continuous glucose monitors to C-PAP machines, are increasingly connected to the Internet.
- Insulin pumps and glucose meters can now be connected to smartphones via Bluetooth, while C-PAP machines can store and send data to healthcare providers without an office visit.
- The Internet of Things has many benefits for personal health, and the world of remote patient monitoring is growing, but it also comes with greater scrutiny of cybersecurity risks from the FDA.
A blood glucose monitoring system using a smartphone and a skin-mounted meter.
Ute Grabowski | Photo library | Getty Images
Internet of Things devices for remote monitoring and management of common health issues are growing steadily, led by diabetes patients.
One in 10 Americans, or 37 million people, lives with diabetes. Devices like insulin pumps that date back decades and continuous glucose monitors that monitor blood sugar levels 24/7 are increasingly connecting to smartphones via Bluetooth. Added connectivity has many benefits. People with type 1 diabetes can control their blood sugar much more tightly because they are able to review weeks of blood sugar and insulin dosing data, making it easier to spot trends and dose accurately. In recent years, diabetes patients have become so adept at remote monitoring that the patient-hacker community has embraced the devices to better manage their medical needs, and the medical device industry has learned from them.
But being able to monitor medical conditions over the Internet comes with risks, including nefarious hacking attacks. While medical devices that must pass FDA approval meet higher standards than fitness devices, there are still risks associated with patient data protection and device access. The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product manufacturers have issued recalls related to vulnerabilities. In September, that happened with Medtronic’s MiniMed 600 Series insulin pump, which the company and the FDA warned had a potential problem that could allow unauthorized access, creating the risk that the pump could deliver too much or not enough insulin.
Sleep apnea, type 2 diabetes and telehealth
It’s not just diabetes where the medical device market is offering patients new benefits from remote monitoring. For sleep apnea, which is estimated to affect 30 million Americans (and one billion people worldwide), C-PAP machines can now store data and send it to healthcare providers without the need for an office visit.
The number of medical devices connected to the Internet has increased during the pandemic, as lockdowns have created a strong incentive for people to treat themselves at home. As virtual care visits increased, “it opened everyone’s eyes to home medical devices for remote patient monitoring,” said Greg Pessin, senior research director at Gartner.
Steady sales of continuous glucose monitors and insulin pumps have boosted companies such as Dexcom, Insulet, Medtronic and Abbott Laboratories, and sales of diabetes devices are expected to grow. According to the Centers for Disease Control and Prevention, in addition to the 37 million people with diabetes in the United States, 96 million adults are estimated to be prediabetic. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard of care for type 1 diabetes for years, are increasingly targeting patients with type 2 diabetes as well.
The Many Forms of Medical Cybersecurity Risk
Security experts categorize medical device cybersecurity risks into three buckets.
First, there is a risk to patient data. Many medical devices, such as insulin pumps, require patients to create online accounts to download data to a computer or smartphone. These accounts may contain sensitive information, not just sensitive health data, but personal information such as Social Security numbers.
Another threat is to the medical device itself, as evidenced by headlines about hackers breaking into a medical device like a Medtronic pump and changing dosage settings, with potentially fatal consequences. A report by cybersecurity firm Unit 42, part of Palo Alto Networks, found that 75% of infusion pumps, which include insulin pumps, had “known security holes” that could be compromised by attackers. Mei Wang, Chief Technology Officer of Internet of Things Security at Palo Alto Networks, said in a lab experiment, hackers accessed infusion pumps by changing drug dosages. “So now cyber security is not just about privacy, it’s not just about data leaks, it’s more about life or death,” he said.
But Gartner’s Pessin said that such risk in the real world is negligible. Under controlled conditions in the lab, “it’s just a matter of time before you can do it,” but in the real world, “it would be much more difficult,” he said.
A Medtronic spokesperson said the company designs and manufactures medical technology to be as safe and secure as possible, and that the Global Product Safety Office continuously monitors safety products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and “take action to protect patients through a coordinated disclosure process and security bulletins.”
In September, a Medtronic notice showed users how to eliminate the risk of unintended insulin delivery by turning off the ability to receive a remote dose using a separate device.
A third cybersecurity threat is the connection between the medical device and the network, whether WiFi or 5G. As medical devices become more connected, the threat grows from malware that is known in other industries and may soon enter the healthcare industry. Wang pointed to a case in 2014 in which Target leaked sensitive customer information after installing an HVAC system that was infected with malware.
While there are no known incidents involving medical devices used in the home yet, it could be a matter of time, and older devices that are not regularly updated are at greater risk. In hospitals, older operating systems have left some medical equipment vulnerable to attack. Some medical imaging systems, which can have a life cycle of more than 20 years, still run Windows 98 without security patches, and there have been incidents where MRI scanners or X-ray machines have been hacked to perform crypto mining operations without health care providers knowing.
Setting up devices
Legislators and healthcare leaders have pushed for more guidelines and regulations on medical device safety.
Last April, senators introduced the PATCH Act, which requires medical device manufacturers applying for FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. The $1.65 trillion general appropriations bill recently passed in late 2022 included new cybersecurity requirements for medical devices. Experts say the law’s provisions fall short of the PATCH Act’s requirements, but are still important.
An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent a significant advance in the FDA’s oversight of cybersecurity as part of medical device safety and efficacy. Among the provisions, manufacturers must put in place plans and processes for identifying vulnerabilities. Device manufacturers must also provide timely updates and security patches to devices and related systems for “critical vulnerabilities that pose an uncontrolled risk.”
How to stay in control as a consumer
As doctors increasingly prescribe glucose monitors and insulin pumps not only for type 1 diabetes but also for the much more common type 2 diabetes, consumers weighing whether or not to use such a device can start by looking at the manufacturer’s website for statements on cybersecurity and HIPAA compliance to protect their personal health information. They can also ask their doctors about security, although cybersecurity experts say there is still work to be done to improve education about these risks among health care providers.
Consumers with Internet-connected medical devices should register with the manufacturer to ensure they are informed of security updates. Maintaining basic cyber hygiene at home is also important as many devices now connect to WiFi. Make sure the WiFi network is protected with a strong password, and use a reliable username and password for the company website if you share or download data. More consumers now also prefer to use a password manager to store all of their Internet access information. Since the devices can interact with other devices via WiFi, make sure laptops and phones at home are also secure.