The internet of things for remotely monitoring and managing common health issues has been growing steadily, led by diabetes patients.
About one in every 10 Americans, or 37 million people, live with diabetes. Devices such as insulin pumps, which date back many years, and continuous glucose monitors, which monitor blood sugar levels 24/7, are increasingly connected to smartphones via Bluetooth. The increased connectivity comes with many advantages. People with type 1 diabetes can have much tighter control over their blood sugar levels because they are able to review weeks of blood sugar and insulin dosing data, making it easier to identify trends and fine-tune dosing. In recent times, diabetes patients became so adept at remote monitoring that a DIY community of patient-hackers manipulated devices to better manage their medical needs, and the medical device industry has learned from them.
But the ability to monitor medical conditions over the internet comes with risks, including nefarious hacking. Though medical devices, which must undergo FDA approval, meet a higher standard than fitness devices, there are still risks to protecting patient data and access to the device itself. The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product makers have issued recalls related to vulnerabilities. In September, that occurred with Medtronic's MiniMed 600 Series insulin pump, which the company and the FDA warned had a potential issue that could allow unauthorized access, creating a risk that the pump could deliver too much or too little insulin.
Sleep apnea, Type 2 diabetes and remote health care
It isn't just diabetes where the medical device market is offering patients new advantages from remote monitoring. For sleep apnea, which is estimated to affect as many as 30 million Americans (and one billion people globally), C-PAP machines can now store and send data to health-care providers without the need for an office visit.
The number of internet-connected medical devices grew during the pandemic, as lockdowns created a huge push to treat people at home. As virtual care visits rose, "it opened everybody's eyes to home-based medical devices for remote patient monitoring," said Gregg Pessin, a senior director of research at Gartner.
Steady sales of continuous glucose monitors and insulin pumps have buoyed companies such as Dexcom, Insulet, Medtronic and Abbott Laboratories, and diabetes tech device sales are expected to grow. According to the Centers for Disease Control and Prevention, beyond the 37 million people in the U.S. who have diabetes, 96 million adults are estimated to be pre-diabetic. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard of care for type 1 diabetes for years, are increasingly targeting type 2 diabetes patients as well.
Multiple types of medical cybersecurity risk
Industry security experts categorize cybersecurity risks of medical devices into three buckets.
First, there is the risk to patient data. Many medical devices such as insulin pumps require patients to create online accounts to download data to a computer or smartphone. These accounts can include sensitive information, not only sensitive health data but personal details such as Social Security numbers.
Another risk is to the medical device itself, as evidenced by the headlines around the possibility of hackers getting into a medical device like Medtronic's pump and changing dosage settings, with potentially fatal effects. A report by Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75% of infusion pumps — which include insulin pumps — had "known security gaps" that put them at risk of being compromised by attackers. May Wang, chief technology officer of internet of things security at Palo Alto Networks, said that in a lab experiment hackers gained access to infusion pumps, changing medication dosages. "So now cybersecurity is not just about privacy, not just about data leakage. It's more about life or death," she said.
But Gartner's Pessin said that such risk is slight in the real world. Under the controlled conditions of a laboratory, "it's only a matter of time before you may have the opportunity to do it," but in the real world, "it would be way more difficult," he said.
A Medtronic spokeswoman said the company designs and manufactures medical technologies to be as safe and secure as possible, and that its global product security office continually monitors the safety of products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and to "take action to protect patients through a coordinated disclosure process and security bulletins."
In September, Medtronic's notice to users walked them through how to eliminate the risk of unintended insulin delivery by turning off the ability to dose remotely through a separate device.
The third cybersecurity risk is the connection between the medical device and the network, whether it is WiFi or 5G. As medical devices become more connected, they come with increased risk of malware, a risk well-known in other industries that could soon be in health care. Wang pointed to a case in 2014 in which Target leaked sensitive customer information after installing an HVAC system that was infected with malware.
While there are no known incidents yet of this happening through medical devices used at home, it could be a matter of time, and older devices that are not updated regularly are more at risk. In hospitals, old operating systems have left some medical equipment vulnerable to attack. Some medical imaging systems, which can have a lifecycle of over 20 years, are still running on Windows 98 without any security patches, and there have been incidents where MRI scanners or X-ray machines have been hacked to run crypto mining operations, unbeknownst to health-care providers.
Regulation of devices
Lawmakers and health-care leaders have been pushing for more guidance and regulations around medical device security.
In April of last year, senators introduced the PATCH Act to require medical device makers that are applying for FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. More recently, the $1.65 trillion omnibus appropriations bill passed at the end of 2022 included new medical device cybersecurity requirements. Experts said the law's provisions didn't go as far as the PATCH Act requirements, but are still significant.
An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent a significant step forward in FDA's oversight of cybersecurity as part of a medical device's safety and effectiveness. Among the provisions, manufacturers will have to put plans and processes in place to disclose vulnerabilities. Device manufacturers will also have to provide updates and security patches to devices and related systems for "critical vulnerabilities that present uncontrolled risk," in a timely manner.
How to maintain control as a consumer
As doctors are increasingly prescribing glucose monitors and insulin pumps for not only type 1 diabetes but the far more common type 2 diabetes as well, consumers weighing whether to use such a device can start by looking at the manufacturer's website for statements about cybersecurity and HIPAA compliance for protection of their personal health-care information. They can also ask their doctors about security, although cybersecurity experts say there is still work to be done to improve education about these risks among health-care providers.
Consumers with a medical device connected to the internet should register with the manufacturer to ensure they are notified about security updates. Following basic cyber hygiene at home is also key, since many devices now connect to WiFi. Make sure the WiFi network is protected with a strong password and also use a strong username and password for the company's website if sharing or downloading data. More consumers are now also opting to use a password manager to hold all of their internet login information. Because devices can interact with other devices over WiFi, make sure home laptops and phones are secure as well.