
A blood glucose monitoring system using a smartphone and a meter that is attached to the skin.
Ute Grabowsky | Photo library | Getty Images
The use of the Internet of Things to remotely monitor and manage common health issues is growing steadily, led by diabetes patients.
About one in 10 Americans, or 37 million people, suffers from diabetes. Devices such as insulin pumps, which date back decades, and continuous glucose meters, which monitor blood sugar levels 24/7, are increasingly connected to smartphones via Bluetooth. The increased connectivity has many benefits. People with type 1 diabetes can manage their blood sugar much better because they can view weeks of blood sugar and insulin dosing data, making it easier to spot trends and fine-tune dosing. In recent years, diabetes patients have become so adept at remote monitoring that a do-it-yourself community of patient hackers manipulated devices to better manage their medical needs, and the medical device industry has learned from them.
But the ability to track medical conditions over the Internet comes with risks, including nefarious hacking. Although medical devices, which must be approved by the FDA, meet a higher standard than fitness devices, there are still risks to the protection of patient data and access to the device itself. The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product manufacturers have issued recalls regarding vulnerabilities. That happened in September with Medtronic’s MiniMed 600 series insulin pump: the company and the FDA warned that it had a potential problem that allowed unauthorized access, creating the risk of the pump delivering too much or too little insulin.
Sleep apnea, type 2 diabetes and remote care
It’s not just diabetes where the medical device market is offering patients new benefits of remote monitoring. For sleep apnea, which is estimated to affect as many as 30 million Americans (and a billion people worldwide), C-PAP machines can now store and transmit data to healthcare providers without the need for an office visit.
The number of internet-connected medical devices grew during the pandemic as the lockdowns created a great deal of pressure to treat people at home. As the number of virtual care visits increased, “it opened everyone’s eyes to home-based medical devices for monitoring patients remotely,” said Gregg Pessin, a senior research director at Gartner.
Steady sales of continuous glucose meters and insulin pumps have helped companies such as Dexcom, Insulet, Medtronic and Abbott Laboratories, and sales of diabetes technology devices are expected to grow. In addition to the 37 million people in the US who have diabetes, according to the Centers for Disease Control and Prevention, an estimated 96 million adults are prediabetic. Manufacturers of continuous glucose meters and insulin pumps, which have been the standard treatment for type 1 diabetes for years, are also increasingly targeting patients with type 2 diabetes.
Multiple forms of medical cybersecurity risk
Industry security experts sort the cybersecurity risks of medical devices into three categories.
First, there is the risk to patient data. Many medical devices such as insulin pumps require patients to create online accounts to download data to a computer or smartphone. These accounts can contain sensitive information: not only health data, but also personal details such as social security numbers.
Another risk is to the medical device itself, as evidenced by headlines about the risk of hackers breaking into a medical device like Medtronic’s pump and altering the dosage settings, with potentially fatal consequences. A report from Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75% of infusion pumps – including insulin pumps – had “known security vulnerabilities” that put them at risk of being compromised by attackers. May Wang, chief technology officer of internet of things security at Palo Alto Networks, said hackers in a lab experiment gained access to infusion pumps, changing medication dosages. “So now cybersecurity isn’t just about privacy, it’s not just about data leaks. It’s more about life or death,” she said.
But Gartner’s Pessin said such a risk is small in the real world. In the controlled conditions in a lab, “it’s only a matter of time before you can do it,” but in the real world “it would be much more difficult,” he said.
A Medtronic spokeswoman said the company designs and manufactures medical technologies to be as secure as possible, and that its global product security agency continuously monitors the security of its products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and “take action to protect patients through a coordinated disclosure process and security bulletins.”
In September, Medtronic showed users how to eliminate the risk of inadvertent insulin delivery by disabling the ability to dose remotely through a separate device.
The third cybersecurity risk is the connection between the medical device and the network, be it Wi-Fi or 5G. As medical devices become more connected, they are at greater risk from malware, a risk that is well known in other industries and will soon be in healthcare. Wang pointed to a 2014 case where Target leaked sensitive customer information after installing an HVAC system infected with malware.
While there are no known incidents of this happening through medical devices used in the home, it may be a matter of time, and older devices that are not regularly updated are more at risk. In hospitals, old operating systems have made certain medical equipment vulnerable to attack. Some medical imaging systems, which can have a lifecycle of more than 20 years, still run on Windows 98 without security patches, and there have been incidents where MRI scanners or X-ray machines have been hacked to perform cryptomining operations, unbeknownst to healthcare providers.
Regulation of devices
Legislators and healthcare leaders have been pushing for more guidance and regulation around medical device security.
Last April, senators introduced the PATCH bill to require medical device manufacturers applying for FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. More recently, the $1.65 trillion omnibus appropriations law passed in late 2022 included new requirements for cybersecurity of medical devices. Experts said the law’s provisions did not go as far as the requirements of the PATCH Act, but are still significant.
An FDA spokesperson told TBEN that the new cybersecurity provisions in the Omnibus Act represent a major advance in FDA oversight of cybersecurity as part of the safety and effectiveness of a medical device. Under the provisions, manufacturers will have to put in place plans and processes to disclose vulnerabilities. Device manufacturers will also be required to provide timely updates and security patches to devices and related systems for “critical vulnerabilities that pose an uncontrolled risk.”
How to keep control as a consumer
As doctors increasingly prescribe glucose meters and insulin pumps not only for type 1 diabetes, but also for the much more common type 2 diabetes, consumers considering whether or not to use such a device should first check the manufacturer’s website and look at its cybersecurity and HIPAA compliance statements for the protection of their personal healthcare information. They can also ask their doctor about safety, although cybersecurity experts say there is still work to be done to improve education about these risks among healthcare providers.
Consumers with a medical device that is connected to the Internet must register with the manufacturer to ensure they are notified of security updates. Following basic cyber hygiene at home is also essential as many devices now connect to Wi-Fi. Make sure the Wi-Fi network is secured with a strong password, and also use a robust username and password for the company’s website when sharing or downloading data. More consumers are also now choosing to use a password manager to keep track of all of their internet credentials. Since devices can communicate with other devices over Wi-Fi, make sure that laptops and phones at home are also secure.