Blood sugar control system with the help of a smartphone and a meter attached to the skin.
Ute Grabowski | Photo Photo Tech | Getty Images
The Internet of Things, which remotely monitors and manages common health issues, is growing steadily, especially among people with diabetes.
About 1 in 10 Americans, or 37 million people, have diabetes. Devices like insulin pumps that have been around for decades and continuous glucose monitors that monitor blood sugar levels 24/7 are increasingly connecting to smartphones via Bluetooth. Better connectivity has many benefits. Patients with type 1 diabetes can see weeks of blood glucose and insulin dosing data, allowing them to more closely manage their blood glucose levels, making it easier to spot trends and fine-tune dosages. In recent years, diabetics have become so adept at remote monitoring that a DIY community of patient hackers manipulated devices to better manage their medical needs, and the medical device industry learned from them.
However, the ability to monitor medical conditions over the Internet comes with risks such as malicious hacking. Medical devices that require FDA approval meet higher standards than fitness devices, but there are still risks in protecting patient data and access to the device itself. The FDA regularly warns about vulnerabilities in medical devices such as insulin pumps that hackers could exploit, and product manufacturers issue recalls related to the vulnerabilities. In September, it was Medtronic’s MiniMed 600 series insulin pumps that the company and the FDA warned have potential issues that could allow unauthorized access, causing the pump to deliver too much insulin or fail to deliver enough insulin. There was a risk that
Sleep apnea, type 2 diabetes, telemedicine
Diabetes isn’t the only area where the medical device market is creating new patient benefits from remote monitoring. With sleep apnea estimated to affect as many as 30 million Americans (and a billion worldwide), C-PAP machines now store data, which can be sent to medical care providers without the need to go to the office.
The number of internet-connected medical devices increased during the pandemic as lockdowns provided a huge boost to treating people at home. Gartner Senior Director Gregg Pessin said:
Continuing steady sales of blood glucose meters and insulin pumps support companies such as Dexcom, Insulet, Medtronic, and Abbott Laboratories, and sales of diabetes technology devices are expected to grow. According to the Centers for Disease Control and Prevention, there are over 37 million diabetics in the United States, and an estimated 96 million adults have prediabetes. Continuous blood glucose meters and insulin pumps have for years been the standard of care for type 1 diabetes, and their manufacturers are increasingly targeting people with type 2 diabetes as well.
Multiple Forms of Medical Cybersecurity Risk
Industry security experts classify medical device cybersecurity risks into three buckets.
First, there are risks to patient data. Many medical devices, such as insulin pumps, require patients to create online accounts to download data to their computer or smartphone. These accounts can contain sensitive health data as well as personal information such as social security numbers.
Another risk is to the medical device itself. A hacker breaking into a medical device like Medtronic’s pump and altering the dosage setting could have deadly consequences, as evidenced by headlines. A report by Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75% of infusion pumps, including insulin pumps, have “known security gaps” and are at risk of being compromised by attackers. May Wang, chief technology officer for Internet of Things security at Palo Alto Networks, said that in lab experiments, hackers gained access to infusion pumps to alter medication dosages. “So now cybersecurity is not just about privacy, it’s not just about data breaches. It’s a matter of life and death,” she said.
But Gartner’s Pessin says such risks are small in the real world. In controlled lab conditions, “it’s only a matter of time before we can do that,” but in the real world, he said, “it would be much more difficult.”
A Medtronic spokesperson said the company designs and manufactures its medical technology to be as safe and secure as possible, and that its Global Product Security Office continuously monitors the security of its products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and “take steps to protect patients through coordinated disclosure processes and security bulletins.”
In September, Medtronic’s notice to users explained how to eliminate the risk of unintentional insulin administration by turning off the ability to remotely administer via another device.
A third cybersecurity risk is connectivity between medical devices and networks, whether WiFi or 5G. As medical devices become more connected, the risk of malware increases. This is a well-known risk in other industries and could soon extend to healthcare. Wang pointed to the 2014 instance in which Target leaked confidential customer information after installing an HVAC system infected with malware.
There have not yet been any known incidents of this occurring via medical equipment used in the home, but it is only a matter of time, and older devices that are not regularly updated may be more at risk. Some medical devices remain vulnerable to attack due to outdated operating systems. Some medical imaging systems with lifecycles potentially over 20 years run on Windows 98 without security patches. There have also been incidents of MRI scanners and X-ray machines at healthcare providers being hacked to carry out crypto-mining operations.
Device regulation
Legislators and medical officials have called for more guidance and regulation on medical device security.
Last April, senators introduced the PATCH Act, which would require medical device manufacturers seeking FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. Most recently, the $1.65 trillion omnibus appropriations bill passed at the end of 2022 included cybersecurity requirements for new medical devices. Experts say the law’s provisions don’t go as far as the requirements of the PATCH Act, but they’re still important.
An FDA spokesperson told CNBC that the new cybersecurity provisions of the omnibus bill represent an important step forward in the FDA’s oversight of cybersecurity as part of the safety and effectiveness of medical devices. The regulations require manufacturers to have plans and processes in place to disclose vulnerabilities. Device manufacturers must also provide timely updates and security patches to their devices and related systems for “critical vulnerabilities that pose risks beyond their control.”
How to maintain control as a consumer
Physicians are increasingly prescribing glucose monitors and insulin pumps not only for type 1 diabetes, but also for the more common type 2 diabetes. Consumers who are considering whether to use such devices can start by checking the manufacturer’s website for statements on cybersecurity and HIPAA compliance to protect personal medical information. You can also ask your doctor about security, though cybersecurity experts say there is still work to be done to improve education about these risks among health care providers.
Consumers with Internet-connected medical devices should register with their manufacturers to ensure they are notified of security updates. With more devices now connecting to WiFi, it’s also important to follow basic cyber hygiene at home. If you share or download data, make sure your WiFi network is protected with a strong password, and use a strong username and password for the company website as well. More and more consumers are choosing to use a password manager to store all their internet logins. The device can interact with other devices over WiFi, so make sure your home laptop and phone are equally secure.