The Internet of Things for remote monitoring and management of common health problems is growing steadily, led by people with diabetes.
One in 10 Americans, or 37 million people, has diabetes. Devices like insulin pumps, which are decades old, and continuous glucose monitors, which monitor blood sugar levels 24/7, are increasingly connected to smartphones via Bluetooth. Increased connection comes with many benefits. People with type 1 diabetes can more tightly control their blood sugar levels because they are able to review weeks of blood sugar and insulin dose data, making it easier to identify trends and adjust doses. In recent years, diabetics have become so adept at remote monitoring that a DIY community of patient hackers has tinkered with the devices to better manage their medical needs, and the medical device industry has learned from them.
But the ability to monitor medical conditions online comes with risks, including hacking. Although medical devices, which must undergo FDA approval, meet higher standards than fitness devices, there are still risks to patient data and to access to the device itself. The US Food and Drug Administration (FDA) has issued periodic warnings that medical devices like insulin pumps are vulnerable to hackers, and product makers have issued recalls related to the vulnerabilities. In September, that happened with Medtronic's MiniMed 600 Series insulin pump, which the company and the FDA have warned has a potential issue that could allow unauthorized access, creating a risk that the pump could release too much or not enough insulin.
Sleep apnea, type 2 diabetes, and telehealth
Diabetes is not the only condition for which the medical device market is offering patients new benefits from remote monitoring. For sleep apnea, which is estimated to affect up to 30 million Americans (and 1 billion people globally), C-PAP devices can now store and send data to healthcare providers without the patient having to visit the office.
The number of internet-connected medical devices has grown during the pandemic, as lockdowns have led to a huge push to treat people at home. With the increase in virtual care visits, “everyone’s eyes have been opened to home medical devices to monitor patients remotely,” said Gregg Pessin, senior director of research at Gartner.
Steady sales of continuous glucose monitors and insulin pumps have bolstered companies such as Dexcom, Insulet, Medtronic and Abbott Laboratories. Sales of diabetes technology devices are expected to grow. According to the Centers for Disease Control and Prevention, in addition to the more than 37 million people in the United States who have diabetes, there are an estimated 96 million adults who are at some stage of prediabetes. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard of care for type 1 diabetes for years, are increasingly targeting people with type 2 diabetes as well.
Multiple forms of medical cybersecurity risks
Industry security experts classify medical device cybersecurity risks into three groups.
First, there is a risk to patient data. Many medical devices such as insulin pumps require patients to create online accounts to download data to a computer or smartphone. These accounts can include sensitive information, not only sensitive health data but personal details such as social security numbers.
Another risk is with the medical device itself, as evidenced by the headlines surrounding the risk of hackers accessing a medical device such as a Medtronic pump and altering dosing settings, with potentially fatal effects. A report issued by Unit 42, a cybersecurity company that is part of Palo Alto Networks, found that 75% of infusion pumps – which includes insulin pumps – had “known security vulnerabilities” that put them at risk of being hacked by attackers. May Wang, chief technology officer for IoT security at Palo Alto Networks, said that in a lab experiment, hackers gained access to infusion pumps, altering drug doses. “So cybersecurity now isn’t just about privacy, it’s not just about data leaks. It’s more about life or death,” she said.
But Pessin of Gartner said such risks are negligible in the real world. Under controlled conditions in the lab, “it’s only a matter of time before you can do that,” he said, but in the real world, “it’s going to be much more difficult.”
A Medtronic spokeswoman said the company designs and manufactures medical technologies to be as safe and secure as possible, and that the Global Product Security Office continually monitors the security of products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and “takes action to protect patients through a coordinated disclosure process and security bulletins.”
In September, a Medtronic notification told users how to eliminate the risk of accidental insulin delivery by turning off the ability to take a dose remotely through a separate device.
The third cybersecurity risk is the connection between the medical device and the network, whether it is WiFi or 5G. As medical devices become more connected, the risk of malware increases as well, a risk well known in other industries that could soon reach healthcare. Wang referred to a case in 2014 in which Target leaked sensitive customer information after installing an HVAC system infected with malware.
While there are not yet any known incidents of this happening with medical devices used at home, it may be only a matter of time, and older devices that are not regularly updated are more vulnerable. In hospitals, outdated operating systems have left some medical equipment vulnerable to attack. Some medical imaging systems, which can have a life cycle of more than 20 years, still run on Windows 98 without any security patches, and there have been incidents where MRI scanners or X-ray machines have been hacked to run crypto mining operations without the knowledge of healthcare providers.
Regulating devices
Legislators and health care leaders are pushing for more guidance and regulations on medical device security.
In April of last year, senators introduced the PATCH Act to require medical device manufacturers who apply for FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. Most recently, the $1.65 trillion omnibus appropriations bill at the end of 2022 included new cybersecurity requirements for medical devices. Experts said that the provisions of the law fall short of the requirements of the PATCH Act, but they are still important.
An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent an important step forward in the FDA’s oversight of cybersecurity as part of medical device safety and effectiveness. Among the provisions, manufacturers will have to put in place plans and processes to detect vulnerabilities. Device manufacturers will also have to provide security updates and patches for related devices and systems for “critical vulnerabilities that pose uncontrolled risks” in a timely manner.
How do you maintain control as a consumer?
As doctors increasingly prescribe glucose monitors and insulin pumps not only for type 1 diabetes but also for the more common type 2 diabetes, consumers weighing whether to use such a device can start by perusing the manufacturer’s website for information on cybersecurity and HIPAA compliance to protect their healthcare information. They can also ask their doctors about security, although cybersecurity experts say there is still work to be done to improve education about these risks among healthcare providers.
Consumers with a medical device connected to the Internet should register with the manufacturer to ensure they are notified of security updates. Following basic cyber hygiene at home is also key, since many devices now connect to WiFi. Make sure to protect your WiFi with a strong password, and also use a strong username and password for the company’s website if you share or download data. More consumers are now also choosing to use a password manager to keep all of their internet login information. Since devices can interact with other devices over WiFi, make sure that your laptops and home phones are also secure.