Benefits and risks of personal medical monitoring on the Internet

Blood glucose control system with the help of a smartphone and a meter attached to the skin.

Ute Grabowski | Phototheque | Getty Images

The Internet of Things continues to grow to remotely monitor and manage common health problems, led by diabetes patients.

About one out of every 10 Americans, or 37 million people, are living with diabetes. Devices such as insulin pumps, which are decades old, and continuous glucose monitors, which monitor blood sugar levels 24/7, are increasingly being linked to smartphones via Bluetooth. The increased connectivity comes with many benefits. People with type 1 diabetes can keep much tighter control of their blood sugar levels because they are able to review weeks of blood sugar and insulin dosage data, making it easier to spot trends and adjust dosages. In recent years, diabetes patients have become so adept at remote monitoring that a DIY community of patient-hackers have manipulated devices to better manage their medical needs, and the medical device industry has learned from them. .

But the ability to monitor medical conditions over the Internet comes with risks, including nefarious hacking. Although medical devices, which must go through FDA approval, meet a higher standard than fitness devices, there are still risks to the security of patient data and access to the device. The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product manufacturers have issued recalls related to the vulnerabilities. in September, happened with MedtronicMinimed 600 Series insulin pump, which the company and the FDA warned had a potential problem that could allow unauthorized access, creating a risk that the pump could deliver too much insulin or not enough insulin Is.

Sleep Apnea, Type 2 Diabetes and Remote Health Care

It’s not just diabetes where the medical device market is offering patients new benefits from remote monitoring. For sleep apnea, which is estimated to affect 30 million Americans (and one billion people globally), C-PAP machines can now store and send data to health care providers without the need for an office visit.

The number of internet-connected medical devices increased during the pandemic, as lockdowns led to a big push for people to be treated at home. As virtual care visits increased, “it opened everyone’s eyes to home-based medical devices for remote patient monitoring,” said Greg Pessin, a senior director of research at Gartner.

Steady sales of continuous glucose monitors and insulin pumps have encouraged companies such as Dexcom, insulatingMedtronic and Abbott Laboratories, and diabetes tech device sales are expected to increase. According to the Centers for Disease Control and Prevention, in addition to the 37 million people with diabetes in the US, 96 million adults are estimated to have prediabetes. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard of care for type 1 diabetes for years, are increasingly targeting type 2 diabetes patients as well.

The Many Forms Of Medical Cyber ​​Security Risks

Industry security experts categorize cyber security risks of medical devices into three buckets.

First, there is risk to patient data. Many medical devices such as insulin pumps require patients to create online accounts to download data to a computer or smartphone. These accounts can contain sensitive information, not only sensitive health data but also personal details like Social Security numbers.

Another risk is to medical devices themselves, as evidenced by the headlines surrounding the risk of hackers breaking into medical devices like Medtronic’s pumps and changing dosage settings, with potentially fatal effects. A report from Unit 42, a cyber security firm that is part of Palo Alto Networks, found that 75% of infusion pumps – which includes insulin pumps – had “known security gaps” that put them at risk of being compromised by attackers. May Wang, chief technology officer for Internet of Things security at Palo Alto Networks, said that in one lab experiment, hackers gained access to infusion pumps, changing drug dosages. “So now cyber security is not only about privacy, not only about data leakage. It is more about life or death,” she said.

But Gartner’s Pesin said such a risk is minor in the real world. In controlled conditions in a lab, “it’s only a matter of time before you’ll be able to do it,” but in the real world, “it will be much more difficult,” he said.

A Medtronic spokeswoman said the company designs and manufactures medical technologies to be as safe and secure as possible, and that its Global Product Safety Office continually monitors safety products throughout their lifecycle. The company also monitors the cyber security landscape to address vulnerabilities and “take action to protect patients through a coordinated disclosure process and security bulletins”.

In September, Medtronic’s notice to users went through how to eliminate the risk of unintended insulin delivery by turning off the ability to dose remotely via a separate device.

The third cyber security risk is the connection between the medical device and the network, be it WiFi or 5G. As medical devices become more connected, they come with an increased risk of malware, a risk well-known in other industries that may soon be in healthcare. Wong pointed to a case in 2014 in which Target leaked sensitive customer information after installing an HVAC system infected with malware.

While there are no known incidents yet of this happening through medical equipment used in the home, it may be a matter of time, and older equipment that is not regularly updated has a higher risk. In hospitals, outdated operating systems have left some medical equipment vulnerable to attack. Some medical imaging systems, which can have a lifecycle of more than 20 years, are still running on Windows 98 without any security patches and there have been incidents where MRI scanners or X-ray machines have been hacked to run crypto mining operations. Has been done, about which there is no information. health care providers.

equipment regulation

Lawmakers and health care leaders are pushing for more guidance and regulations around medical device safety.

Last April, senators introduced the PATCH Act to require medical device makers applying for FDA approval to meet certain cybersecurity requirements and maintain updates and security patches. More recently, new medical device cybersecurity requirements were included in a $1.65 trillion omnibus appropriations bill passed in late 2022. Experts said the provisions of the law were not in line with the requirements of the PATCH Act, but were still important.

An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent a significant step forward in the FDA’s oversight of cybersecurity as part of the safety and effectiveness of a medical device. Among the provisions, manufacturers will have to implement plans and procedures for disclosing vulnerabilities. Device manufacturers must periodically provide updates and security patches to devices and related systems for “critical vulnerabilities that present uncontrolled risks.”

How to Maintain Control as a Consumer

As doctors are increasingly prescribing glucose monitors and insulin pumps not only for type 1 diabetes but also for the much more common type 2 diabetes, consumers are weighing whether or not to use such equipment. You can start by looking on the manufacturer’s website for statements. HIPAA compliant to protect their personal health care information. They can also ask their doctors about protections, although cybersecurity experts say there is still work to be done to improve education about these risks among health care providers.

Consumers with Internet-connected medical devices should register with the manufacturer to ensure that they are notified of security updates. It is also important to follow basic cyber hygiene at home, as many devices are now connected to WiFi. Make sure the WiFi network is secured with a strong password and also use a strong username and password for the company website when sharing or downloading data. More consumers are also now choosing to use a password manager to hold all of their Internet login information. Because the devices can interact with other devices over WiFi, make sure laptops and phones in the house are protected as well.

,

Leave a Comment