A blood glucose control system using a smartphone and a meter that attaches to the skin.
Ute Grabowsky | photo library | Getty Images
The Internet of Things for remote monitoring and management of common health issues is growing, led by diabetes patients.
About one in ten Americans, or 37 million people, are living with diabetes. Devices like insulin pumps, which are decades old, and continuous glucose meters, which monitor blood glucose levels 24/7, are increasingly being connected to smartphones via Bluetooth. The increased connectivity brings many benefits. People with type 1 diabetes have much better control of their blood sugar levels because they can review weeks of blood sugar and insulin dosing data, making it easier to spot trends and fine-tune dosing. In recent years, diabetes patients have become so adept at remote monitoring that a DIY community of patient hackers have been manipulating devices to better manage their medical needs, and the medical device industry has learned from them.
But the ability to monitor medical conditions over the internet comes with risks, including nefarious hacking. Although medical devices that must go through FDA approval meet a higher standard than fitness equipment, there are still risks to protecting patient data and accessing the device itself. The FDA has regularly warned about the vulnerability of medical devices like insulin pumps to hackers , and product manufacturers have issued recalls related to vulnerabilities. In September that happened to me MedtronicThe MiniMed 600 series insulin pump, which the company and the FDA have warned about, has a potential issue that could allow unauthorized access, putting the pump at risk of delivering too much or too little insulin.
Sleep apnea, type 2 diabetes and remote medical care
Not only in diabetes, the medical device market offers patients new benefits of remote monitoring. For sleep apnea, which is estimated to affect up to 30 million Americans (and a billion people worldwide), C-PAP devices can now store and send data to healthcare providers without the need for a doctor’s visit.
The number of internet-connected medical devices grew during the pandemic as lockdowns sparked a major push towards treating people at home. As the number of virtual care visits increased, “it opened everyone’s eyes to medical devices used in the home to remotely monitor patients,” said Gregg Pessin, Gartner’s senior director of research.
Steady sales of continuous glucose monitors and insulin pumps have helped companies like Dexcom, IsolateMedtronic and Abbott Laboratories, and diabetes tech device sales are expected to increase. According to the Centers for Disease Control and Prevention, in addition to the 37 million people in the US who have diabetes, there are an estimated 96 million adults who are prediabetic. Manufacturers of continuous glucose meters and insulin pumps, which have been the standard of care for type 1 diabetes for years, are increasingly targeting type 2 diabetes patients as well.
Multiple forms of medical cybersecurity risk
Industry security experts categorize the cybersecurity risks of medical devices into three areas.
First, there is the risk to patient data. Many medical devices, such as insulin pumps, require patients to create online accounts in order to download data to a computer or smartphone. These accounts can contain sensitive information, not just sensitive health information but also personal details like social security numbers.
Another risk is to the medical device itself, as evidenced by headlines about the risk that hackers could break into a medical device like Medtronic’s pump and change the dosage settings, with potentially fatal consequences. A report from Unit 42, a cybersecurity company that is part of Palo Alto Networks, found that 75% of infusion pumps – including insulin pumps – had “known security vulnerabilities” that put them at risk of being compromised by attackers. May Wang, chief technology officer of Internet of Things security at Palo Alto Networks, said that in a laboratory experiment, hackers gained access to infusion pumps and changed the dosage of drugs. “So now cybersecurity isn’t just about privacy, it’s not just about data leakage. It’s more of a matter of life or death,” she said.
But Gartner’s Pessin said such risk is small in the real world. In the controlled conditions of a lab, “it’s only a matter of time before you’ll be able to do that,” but in the real world, “it would be a lot harder,” he said.
A Medtronic spokeswoman said the company designs and manufactures medical technology to be as safe as possible, and its global product safety office continuously monitors safety products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and “take action to protect patients through a coordinated disclosure process and security bulletins.”
In September, Medtronic communicated to users how to eliminate the risk of accidental insulin delivery by disabling the ability to remotely dose from a separate device.
The third cybersecurity risk is the connection between the medical device and the network, be it WiFi or 5G. As medical devices become more connected, they pose an increased risk of malware, a risk that is well known in other industries and could soon emerge in healthcare as well. Wong pointed to a 2014 case where Target leaked sensitive customer data after installing a malware-infected HVAC system.
While there have not yet been any known instances of this happening from medical devices used at home, it could be a matter of time and older devices that are not regularly updated are at greater risk. In hospitals, legacy operating systems have left some medical devices vulnerable to attack. Some medical imaging systems, which can have a life cycle of over 20 years, are still running on Windows 98 without security patches, and there have been incidents where MRI scanners or X-ray machines have been hacked to perform crypto mining operations without any publicity was healthcare provider.
regulation of devices
Legislators and healthcare leaders are pushing for more guidance and regulation on medical device safety.
Last April, senators introduced the PATCH Act to require medical device manufacturers seeking FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. More recently, the $1.65 trillion Omnibus Appropriations Act passed in late 2022 included new cybersecurity requirements for medical devices. Experts said the law’s provisions do not go as far as the requirements of the PATCH Act, but are nonetheless significant.
An FDA spokesman told CNBC that the new cybersecurity provisions in the omnibus act represent a significant step forward in FDA’s oversight of cybersecurity as part of a medical device’s safety and efficacy. Among other things, manufacturers must implement vulnerability disclosure plans and processes. Device manufacturers are also required to provide timely updates and security patches to devices and associated systems for “critical vulnerabilities that pose an uncontrolled risk.”
How to stay in control as a consumer
As doctors increasingly prescribe glucose meters and insulin pumps not only for type 1 diabetes but also for the much more common type 2 diabetes, consumers weighing whether or not to use such a device can first check the manufacturer’s website Seek cybersecurity statements and HIPAA compliance to protect their private health information. They can also question their doctors about safety, although cybersecurity experts say there is still work to be done to increase awareness of these risks among healthcare providers.
Consumers with an internet-connected medical device should register with the manufacturer to ensure they are informed of security updates. Maintaining basic cyber hygiene at home is also crucial as many devices are now connecting to WiFi. Make sure the WiFi network is protected with a strong password and also use a strong company website username and password when sharing or downloading data. More and more consumers are now also choosing to use a password manager to store all their internet login information. Because WiFi allows devices to interact with other devices, make sure laptops and phones are secure at home too.