The Internet of Things for remotely monitoring and managing common health problems has been growing steadily, led by diabetes patients.
About one in 10 Americans, or 37 million people, are living with diabetes. Devices like insulin pumps, which date back decades, and continuous glucose monitors, which monitor blood sugar levels 24/7, are increasingly being connected to smartphones via Bluetooth. The increased connectivity comes with many benefits. People with type 1 diabetes can have much tighter control over their blood sugar levels because they can review weeks of blood sugar and insulin dosing data, making it easier to spot trends and adjust dosing. In recent years, diabetes patients have become so adept at remote monitoring that a community of patient hackers has tampered with devices to better manage their medical needs, and the medical device industry has learned from them.
But the ability to monitor medical conditions over the Internet comes with risks, including hacking. Although medical devices, which must go through FDA approval, meet a higher standard than fitness devices, there are still risks to patient data and to access to the device itself. The FDA has issued regular warnings about the vulnerability of medical devices, such as insulin pumps, to hackers, and product manufacturers have issued recalls related to the vulnerabilities. In September, that happened with Medtronic. The company's MiniMed 600 Series insulin pump, the FDA warned, had a potential problem that could allow unauthorized access, creating a risk that the pump could deliver too much or not enough insulin.
Sleep Apnea, Type 2 Diabetes, and Remote Medical Care
It’s not just diabetes where the medical device market is offering patients new benefits of remote monitoring. For sleep apnea, which is estimated to affect 30 million Americans (and 1 billion people worldwide), C-PAP machines can now store and send data to healthcare providers without the need for an office visit.
The number of internet-connected medical devices grew during the pandemic, as lockdowns created a huge push to treat people at home. As virtual care visits increased, it “opened everyone’s eyes to in-home medical devices for remote patient monitoring,” said Gregg Pessin, a senior director of research at Gartner.
Steady sales of continuous glucose monitors and insulin pumps have spurred companies like Dexcom, Insulet, Medtronic and Abbott Laboratories, and sales of diabetes technology devices are expected to grow. According to the Centers for Disease Control and Prevention, beyond the 37 million people in the US who have diabetes, an estimated 96 million adults are pre-diabetic. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard of care for type 1 diabetes for years, are also increasingly targeting patients with type 2 diabetes.
Multiple forms of medical cybersecurity risk
Industry security experts classify medical device cybersecurity risks into three groups.
First, there is the risk to patient data. Many medical devices, such as insulin pumps, require patients to create online accounts to download data to a computer or smartphone. These accounts could include sensitive information, not just sensitive health data, but also personal details such as Social Security numbers.
Another risk is to the medical device itself, as evidenced by headlines about the risk of hackers accessing a medical device like the Medtronic pump and changing the dosage settings, with potentially fatal effects. A report from Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75% of infusion pumps, which include insulin pumps, had “known security breaches” that put them at risk of being compromised by attackers. May Wang, technology director for Internet of Things security at Palo Alto Networks, said that in a laboratory experiment, hackers gained access to infusion pumps, changing the dosages of the drugs. “So now cyber security is not just about privacy, not just about data leakage. It’s more about life and death,” she said.
But Gartner’s Pessin said that risk is slight in the real world. In the controlled conditions of a laboratory, “it’s only a matter of time before you can do it,” but in the real world, “it would be much more difficult,” he said.
A Medtronic spokeswoman said the company designs and manufactures medical technologies to be as safe as possible, and its global product safety office continuously monitors safety products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and “take steps to protect patients through a coordinated disclosure process and security bulletins.”
In September, Medtronic’s notice to users explained how to eliminate the risk of unwanted insulin delivery by disabling the ability to remotely dose through a separate device.
The third cybersecurity risk is the connection between the medical device and the network, be it WiFi or 5G. As medical devices become more connected, the risk of malware increases, a well-known risk in other industries that could soon be in healthcare. Wang pointed to a case in 2014 in which Target leaked sensitive customer information after installing an HVAC system that was infected with malware.
While there are no known incidents of this happening via home-used medical devices yet, it could be a matter of time, and older devices that aren’t regularly updated are more at risk. In hospitals, old operating systems have left some medical equipment vulnerable to attack. Some medical imaging systems, which can have a life cycle of more than 20 years, still run on Windows 98 without any security patch, and there have been incidents where MRI scanners or X-ray machines have been hacked to run crypto mining operations without the knowledge of health service providers.
Lawmakers and healthcare leaders have been pushing for more guidance and regulations on medical device safety.
In April of last year, senators introduced the PATCH Act to require medical device manufacturers seeking FDA approval to meet certain cybersecurity requirements and maintain security updates and patches. Most recently, the $1.65 trillion appropriations bill passed in late 2022 included new cybersecurity requirements for medical devices. Experts said the law’s provisions don’t go as far as the PATCH Act requirements, but they’re still important.
An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent a significant step forward in FDA’s oversight of cybersecurity as part of the safety and efficacy of a medical device. Among the provisions, manufacturers must implement plans and processes to disclose vulnerabilities. Device manufacturers will also need to provide security updates and patches to devices and related systems for “critical vulnerabilities that present an uncontrolled risk” in a timely manner.
How to stay in control as a consumer
With doctors increasingly prescribing glucose monitors and insulin pumps not only for type 1 diabetes, but also for the much more common type 2 diabetes, consumers weighing whether or not to use such a device can start by searching the manufacturer’s website for statements about cybersecurity and HIPAA compliance for the protection of their private health care information. They can also ask their doctors about security, though cybersecurity experts say there is still work to be done to improve education about these risks among healthcare providers.
Consumers with an Internet-connected medical device should register with the manufacturer to ensure they receive notifications of security updates. Following basic cyber hygiene at home is also key, as many devices now connect to WiFi. Make sure the WiFi network is protected with a strong password and also use a strong username and password for the company website if you are sharing or downloading data. More consumers are now also choosing to use a password manager to save all of their internet login information. Since devices can interact with other devices over WiFi, make sure laptops and home phones are secure too.