A blood glucose monitoring system using a skin-mounted smartphone and meter.
Ute Grabowski | Photothek Getty Images
The Internet of Things is steadily growing to remotely monitor and manage common health issues led by diabetes patients.
About one in 10 Americans, or 37 million people, live with diabetes. Devices like decades-old insulin pumps and continuous glucose monitors that monitor blood sugar levels 24/7 are increasingly connected to smartphones via Bluetooth. Increased connectivity comes with many benefits. People with type 1 diabetes can maintain tighter control of their blood sugar levels because they can review weekly blood sugar and insulin dose data, making it easier to spot trends and fine-tune dosage. In recent years, diabetes patients have become so adept at remote monitoring that a DIY community of patient hackers has manipulated the devices to better manage their medical needs, and the medical device industry has learned from them.
But being able to monitor medical conditions over the Internet comes with risks, including malicious hacking. While medical devices that must undergo FDA approval meet higher standards than fitness devices, there are still risks to protecting patient data and accessing the device itself. The FDA has periodically issued warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product manufacturers have issued recalls related to vulnerabilities. It happened in September MedtronicThe company and the FDA warned the MiniMed 600 Series insulin pump had a potential problem that could allow unauthorized access, creating a risk that the pump could deliver too much or not enough insulin.
Sleep apnea, Type 2 diabetes and remote health
It’s not just diabetes where the medical device market is offering patients new benefits of remote monitoring. For sleep apnea, which is estimated to affect 30 million Americans (and one billion people globally), C-PAP machines can now store and send data to healthcare providers without the need to visit the office.
The number of medical devices connected to the internet has increased during the pandemic, as the lockdown has created a huge push for people to treat themselves at home. As virtual care visits increase, “it’s opened everyone’s eyes to home-based medical devices for remote patient monitoring,” said Gregg Pessin, senior research director at Gartner.
It excited companies like continuous glucose monitors and continued sales of insulin pumps Dexcom, InsulationMedtronic and Abbott Laboratories, and diabetes technology device sales are expected to increase. According to the Centers for Disease Control and Prevention, in addition to the 37 million people with diabetes in the United States, an estimated 96 million adults have prediabetes. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard for type 1 diabetes for years, are increasingly targeting type 2 diabetics as well.
The many forms of medical cybersecurity risk
Industry security experts categorize the cybersecurity risks of medical devices into three buckets.
First, there is the risk to patient data. Many medical devices, such as insulin pumps, require patients to create online accounts to download data to a computer or smartphone. These accounts can include not only sensitive health information, but also personal information such as Social Security numbers.
Another risk is the medical device itself, as evidenced by headlines about the risk of hackers accessing a medical device like a Medtronic pump and changing dose settings, with potentially fatal effects. A report from Unit 42, a cyber security firm it is part of Palo Alto Networks, found that 75% of infusion pumps, including insulin pumps, have “known security vulnerabilities” that are at risk of being compromised by attackers. May Wang, chief technology officer for Internet of Things security at Palo Alto Networks, said in a lab experiment that hackers gained access to infusion pumps by altering drug doses. “So now cyber security is not just about privacy, it’s not just about data leaks. It’s more about life or death,” he said.
But Gartner’s Pessin said in the real world, even that risk is small. “It’s only a matter of time before you can do it” under controlled conditions in the lab, but in the real world “it would be much more difficult,” he said.
A Medtronic spokesperson said the company designs and manufactures medical technologies to be as safe and secure as possible, and its global product safety office continuously monitors safety products throughout their lifecycle. The company is also monitoring its cybersecurity landscape to address vulnerabilities and “take actions to protect patients through a coordinated disclosure process and security bulletins.”
In September, Medtronic’s notice to users explained how to eliminate the risk of unintended insulin delivery by disabling remote dosing via a separate device.
A third cybersecurity risk is the connection between the medical device and the network, whether it’s WiFi or 5G. As medical devices become more interconnected, the risk of malware increases, a risk that is well known in other industries and may soon be in healthcare. Wong pointed to a 2014 case in which Target leaked sensitive customer data after installing a malware-infected HVAC system.
While there have not been any known incidents involving medical devices used at home, it may be a matter of time, and older devices that are not regularly updated are at greater risk. In hospitals, old operating systems have exposed some medical equipment to attack. Some medical imaging systems, which can have a life cycle of more than 20 years, still run on Windows 98 without any security patches, and there have been incidents of MRI scanners or X-ray machines being hacked to carry out cryptocurrency transactions. health care providers.
Adjustment of devices
Legislators and healthcare leaders are demanding more guidance and regulations on medical device safety.
Last April, senators introduced the PATCH Act to require medical device manufacturers applying for FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. More recently, the $1.65 trillion omnibus appropriations bill passed at the end of 2022 included new medical device cybersecurity requirements. The law’s provisions don’t go as far as the PATCH Act’s requirements, but are still significant, experts said.
An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill are an important step forward in FDA’s oversight of cybersecurity as part of medical device safety and effectiveness. Among the provisions, manufacturers will have to implement plans and processes for disclosing vulnerabilities. Device makers will also have to provide timely updates and security patches to devices and related systems for “critical vulnerabilities that pose uncontrolled risk.”
How to stay in control as a consumer
As doctors increasingly prescribe glucose monitors and insulin pumps not only for type 1 diabetes but also for the more common type 2 diabetes, consumers considering whether to use such a device can start by checking the manufacturer’s website for cybersecurity statements. HIPAA compliance to protect personal health information. While cybersecurity experts say there is still work to be done to improve awareness of these risks among healthcare providers, they may also ask their doctors about security.
Consumers with Internet-connected medical devices must register with the manufacturer to be notified of security updates. It’s also important to practice basic cyber hygiene at home, as many devices now connect to WiFi. Make sure your WiFi network is protected with a strong password and use a valid username and password for the company’s website when sharing or downloading information. More and more consumers now choose to use a password manager to store their online login information. Make sure home laptops and phones are also secure as the devices can communicate with other devices over WiFi.