The advantages and risks of personal medical monitoring on the internet
The use of the Internet of Things to remotely monitor and manage common health conditions has grown steadily, led by diabetes patients.

About one in 10 Americans, or 37 million people, lives with diabetes. Devices such as insulin pumps, which date back decades, and continuous glucose meters, which monitor blood sugar 24/7, are increasingly being connected to smartphones via Bluetooth. The increased connectivity has many benefits. People with type 1 diabetes can have much tighter control over their blood sugar because they are able to review weeks of blood sugar and insulin dosage data, making it easier to spot trends and adjust doses.

In recent years, diabetic patients have become so adept at remote monitoring that a DIY community of patient-hackers has manipulated devices to better manage their medical needs, and the medical device industry has learned from this. But the ability to monitor medical conditions on the Internet comes with risks, including infamous hacking. Although medical devices, which must go through FDA approval, meet a higher standard than fitness equipment, the protection of patient data and access to the device itself always present risks.

The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product manufacturers have issued recalls related to the vulnerabilities. In September, it happened with Medtronic's MiniMed 600 series insulin pump, which the company and the FDA have warned has a potential issue that could allow unauthorized access, creating a risk that the pump could deliver too much or too little insulin.

Sleep apnea, type 2 diabetes and remote care

It’s not just diabetes where the medical device market is offering patients new benefits through remote monitoring.
For sleep apnea, which is believed to affect up to 30 million Americans (and one billion people worldwide), C-PAP machines can now store and send data to healthcare providers without the need to go to the office. The number of internet-connected medical devices has increased during the pandemic as shutdowns have created a strong push to treat people from home. As virtual care visits increased, “it opened everyone’s eyes to in-home medical devices for remote patient monitoring,” said Gregg Pessin, senior research director at Gartner.

Steady sales of continuous blood glucose monitors and insulin pumps have boosted companies such as Dexcom, Insulet, Medtronic and Abbott Laboratories, and sales of diabetes technology devices are expected to increase. According to the Centers for Disease Control and Prevention, beyond the 37 million people with diabetes in the United States, an estimated 96 million adults are pre-diabetic. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard of care for type 1 diabetes for years, are also increasingly targeting patients with type 2 diabetes.

Multiple forms of medical cybersecurity risk

Industry security experts categorize medical device cybersecurity risks into three categories. First, there is the risk to patient data. Many medical devices such as insulin pumps require patients to create online accounts to upload data to a computer or smartphone. These accounts can contain sensitive information, not just sensitive health data, but also personal details such as social security numbers. Another risk involves the medical device itself, as evidenced by headlines about the risk of hackers breaking into a medical device like Medtronic’s pump and changing the dosing settings, with potentially fatal effects.
A report from Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75% of infusion pumps, including insulin pumps, had “known security vulnerabilities” that put them at risk of being compromised by attackers. May Wang, technology manager for Internet of Things security at Palo Alto Networks, said that during a lab experiment, hackers gained access to infusion pumps, altering drug dosages. “So now cybersecurity is not just about privacy, not just about data leakage. It’s more about life and death,” she said.

But Gartner’s Pessin said such risk is low in the real world. Under the controlled conditions of a lab, “it’s only a matter of time before you can do it,” but in the real world, “it would be much more difficult,” he said.

A Medtronic spokeswoman said the company designs and manufactures medical technologies that are as safe and secure as possible, and that its Global Product Safety Office continuously monitors safety products throughout their life cycle. The company is also monitoring the cybersecurity landscape to address vulnerabilities and “taking steps to protect patients through a coordinated disclosure process and security bulletins.” In September, Medtronic’s advisory to users told them how to eliminate the risk of unintended insulin delivery by disabling the ability to remotely dose via a separate device.

The third cybersecurity risk is the connection between the medical device and the network, whether Wi-Fi or 5G. As medical devices become more connected, they come with an increased risk of malware, a well-known risk in other industries that could soon reach healthcare. Wang referred to a case in 2014 in which Target leaked sensitive customer information after installing a malware-infected HVAC system. Although there is no known incident yet of this happening with medical devices used at home, it could be a matter of time, and older devices that are not updated regularly are more at risk.
In hospitals, older operating systems have made some medical equipment vulnerable to attack. Some medical imaging systems, which may have a lifecycle of over 20 years, are still running Windows 98 without any security patches, and there have been incidents where MRI scanners or X-ray machines have been hacked to perform crypto-mining operations, without the knowledge of healthcare providers.

Device regulation

Lawmakers and health officials have pushed for more guidance and regulations regarding medical device safety. In April last year, senators introduced the PATCH Act to require medical device manufacturers seeking FDA approval to meet certain cybersecurity requirements and maintain security updates and patches. More recently, the $1.65 trillion omnibus appropriations bill passed in late 2022 included new cybersecurity requirements for medical devices. Experts said the provisions of the law did not go as far as the requirements of the PATCH Act, but they were still important.

An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent a significant step forward in FDA’s oversight of cybersecurity as part of the safety and effectiveness of a medical device. Among the provisions, manufacturers will have to put plans and processes in place to disclose vulnerabilities. Device makers will also have to provide security updates and patches to devices and associated systems for “critical vulnerabilities that pose an uncontrolled risk” in a timely manner.

How to stay in control as a consumer

As doctors increasingly prescribe blood glucose meters and insulin pumps not only for type 1 diabetes, but also for the much more common type 2 diabetes, consumers who are left wondering whether or not to use such a device can start by checking the manufacturer’s website for statements on cybersecurity and HIPAA compliance for the protection of their private health information.
They can also ask their doctors about safety, though cybersecurity experts say more work needs to be done to improve education about these risks among healthcare providers.

Consumers with an internet-connected medical device should register with the manufacturer to ensure they are informed of security updates. It is also essential to follow basic cyber hygiene at home, as many devices now connect to Wi-Fi. Make sure the Wi-Fi network is protected by a strong password, and also use a strong username and password on the company website if you are sharing or uploading data. More and more consumers are now opting to use a password manager to keep all their Internet connection information. Since devices can interact with other devices over Wi-Fi, make sure laptops and home phones are also secure.