A blood sugar control system with the help of a smartphone and a meter affixed to the skin.
Ute Grabowski | Photography | Getty Images
IoT for remote monitoring and management of common health issues has been growing steadily, led by diabetics.
About one in 10 Americans, or 37 million people, has diabetes. Devices such as decades-old insulin pumps and continuous glucose monitors, which monitor blood sugar levels around the clock, increasingly connect to smartphones via Bluetooth. Increased connectivity brings many benefits. People with type 1 diabetes can more tightly control their blood sugar levels because they are able to review weeks of blood sugar and insulin dosing data, making it easier to spot trends and fine-tune dosing. In recent years, diabetics have become so adept at remote monitoring that a DIY community of patient hackers has manipulated devices to better manage their medical needs, and the medical device industry has learned a lesson.
But the ability to monitor medical conditions over the internet comes with risks, including malicious hacking. While medical devices must meet higher standards than fitness equipment, FDA-approved medical devices still present risks in protecting patient data and accessing the devices themselves. The FDA regularly issues warnings about medical devices such as insulin pumps that are vulnerable to hacking, and product manufacturers have issued recalls related to vulnerabilities.In September, that happened in MedtronicThe company and the FDA warned of potential problems with the MiniMed 600 Series insulin pumps that could allow unauthorized access, creating a risk that the pumps could deliver too much or not enough insulin.
Sleep Apnea, Type 2 Diabetes, and Telehealth
Not just diabetes, the medical device market is offering patients new benefits from remote monitoring. For sleep apnea, which is estimated to affect as many as 30 million Americans (and 1 billion people worldwide), C-PAP machines can now store and send data to healthcare providers without requiring an office visit.
The number of connected medical devices has increased during the pandemic, as lockdowns have boosted people to treat at home. Gregg Pessin, senior research director at Gartner, said that with the increase in virtual care visits, “it’s putting home medical devices for remote patient monitoring on everyone’s radar.”
Steady sales of continuous glucose monitors and insulin pumps boosted companies such as Dekang, isolationMedtronic and Abbott LaboratoriesSales of and diabetes technology equipment are expected to grow. In addition to the 37 million Americans with diabetes, an estimated 96 million adults are prediabetic, according to the Centers for Disease Control and Prevention. Manufacturers of continuous glucose monitors and insulin pumps that have been the standard of care for type 1 diabetes for years are also increasingly targeting type 2 diabetes patients.
Healthcare Cybersecurity Risks in Many Forms
Industry security experts categorize cybersecurity risks for medical devices into three categories.
First, patient data is at risk. Many medical devices, such as insulin pumps, require patients to create an online account in order to download data to a computer or smartphone. These accounts may contain sensitive information, not only sensitive health data but also personal details such as social security numbers.
Another risk is the medical device itself, as evidenced by headlines about the risk of hackers breaking into medical devices such as Medtronic pumps and changing dosage settings, with potentially deadly consequences. A report by Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75 percent of infusion pumps, including insulin pumps, have “known security vulnerabilities,” putting them at risk of being compromised by attackers. In lab experiments, hackers gained access to infusion pumps to alter drug doses, said May Wang, chief technology officer for IoT security at Palo Alto Networks. “So now cybersecurity is not just about privacy, it’s not just about data breaches. It’s more about life and death,” she said.
But Gartner’s Pessin says that risk is small in the real world. Under controlled conditions in the lab, “it’s only a matter of time before you can do it,” but in the real world, “it’s much harder,” he said.
A Medtronic spokesman said the company designs and manufactures medical technologies that are as safe and reliable as possible, and that its global product safety office continuously monitors safe products throughout their lifecycles. The company also monitors the state of cybersecurity to address vulnerabilities and “acts to protect patients through a coordinated disclosure process and security bulletins.”
In September, Medtronic notified users how they could eliminate the risk of accidental insulin delivery by turning off the ability to administer medication remotely through a separate device.
A third cybersecurity risk is the connection between the medical device and the network, whether it’s WiFi or 5G. As medical devices become more connected, they are also at greater risk of malware attacks, a well-known risk in other industries and soon to be in healthcare. Wong pointed to a 2014 case in which Target leaked sensitive customer information after installing a malware-infected HVAC system.
While there haven’t been any known incidents of this happening through medical devices used in the home, it’s likely only a matter of time, and older devices that aren’t regularly updated are at greater risk. In hospitals, old operating systems left some medical devices vulnerable. Some medical imaging systems, which may be more than 20 years old, still run on Windows 98 without any security patches, and there have been incidents of MRI scanners or X-ray machines being hacked to run cryptocurrency mining operations by people who didn’t The healthcare facility is unknown.
Lawmakers and healthcare leaders have been pushing for more guidance and regulations on medical device safety.
Last April, senators introduced the PATCH Act, which would require manufacturers of medical devices applying for FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. Most recently, the $1.65 trillion omnibus appropriations bill passed by the end of 2022 included new medical device cybersecurity requirements. Experts say the law’s provisions fall short of what the PATCH Act requires, but are still important.
An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent an important step forward in FDA’s efforts to include cybersecurity as part of its oversight of medical device safety and effectiveness. Among these regulations, manufacturers must have a plan and process in place for disclosing vulnerabilities. Device makers must also provide timely updates and security patches for devices and related systems to address “critical vulnerabilities with uncontrollable risks.”
How to stay in control as a consumer
As doctors increasingly prescribe glucose monitors and insulin pumps for type 1 and, more commonly, type 2 diabetes, consumers weighing whether to use such devices can start by checking the manufacturer’s website for information on cybersecurity and HIPAA. compliance to protect their private healthcare information. They can also ask their doctors safety questions, though cybersecurity experts say there is still work to be done to improve healthcare provider education about these risks.
Consumers with internet-connected medical devices should register with the manufacturer to ensure they receive notifications about security updates. Practicing basic internet hygiene at home is also key, as many devices are now connected to WiFi. Make sure your WiFi network is protected by a strong password, and if sharing or downloading data, use a strong username and password for your company website. More consumers are also now choosing to use a password manager to keep all their internet logins. Keep home laptops and phones safe as devices can interact with other devices over WiFi.