How Is Patient Monitoring Evolving?
It is becoming common for patients who need to monitor their condition to do so via the Internet. This push is being led by diabetes patients. About 37 million Americans are living with diabetes. Devices such as insulin pumps require 24/7 monitoring and are now being connected via Bluetooth to smartphones.
Type 1 Diabetes
There are many benefits to patients with type 1 diabetes having better control over their blood sugar levels. Making the dosing of insulin more accurate is one. Recently, diabetes patients have created a community of patient DIY hackers who are manipulating their devices to better manage their medical needs. Monitoring one’s condition over the internet also carries a significant number of risks. The main concern is hacking. FDA-approved medical devices, of course, meet a higher standard of security than devices such as fitness devices, but there is still a risk to the patient’s data and to the device itself. The FDA has released the occasional warning related to the vulnerability of medical devices. Product makers have also issued recalls related to the vulnerabilities of the devices. Medtronic issued a recall for the MiniMed 600 Series insulin pump in September of 2022. The FDA and the company warned of potential issues that could allow unauthorized access to the devices. This could have detrimental consequences, as the pumps could deliver too much or not enough insulin.
Who Else Is Using This Technology?
It isn’t only type 1 diabetes patients who are connecting their devices to Bluetooth devices. Thirty million Americans are affected by sleep apnea. C-PAP machines are now able to store and send data to providers without the need for office visits. The popularity of internet-connected devices grew during the COVID pandemic, as a push to treat people at home occurred. As sales of these devices continue, especially for glucose and insulin monitors, type 2 diabetes patients are now being targeted, as 96 million adults in the US are pre-diabetic.
The Cybersecurity Risk
Industry security experts have created three categories of cybersecurity risks for medical devices. The first is the patient’s data. Many devices require patients to set up an online account to download data to a smartphone or computer. These accounts include information such as a patient’s health information and personal information such as their Social Security number.
The second is the medical device itself. This risk is seen frequently in headlines, such as those about Medtronic’s insulin pump. Hackers have been known to change settings, creating issues with dosages. There can be fatal consequences from hacks such as these. Palo Alto Networks’ Unit 42, a cybersecurity firm, found that 75% of infusion pumps have a known security gap. Data security is now life or death. In real-world conditions, however, it is much harder to hack a device than in the laboratory setting where the tests behind that statistic were run. A Medtronic spokesperson assured the public that the company’s devices are designed to be as safe and secure as possible. The company’s global security office continuously monitors the products; the company also monitors cybersecurity and addresses issues or vulnerabilities should one arise. Medtronic released a notice to users on how to eliminate the risk of unintended insulin delivery.
Lastly, there is the risk to the network that connects the medical device to the smartphone or computer. Regardless of how devices are connected, they are becoming more connected. The risk of malware is increasing as connectivity increases. Malware is a risk in other industries and now may start to affect the medical community. There are no known incidents of a malware attack, yet one is inevitable as older devices are not being updated. Old operating systems leave certain devices vulnerable. For example, some machines in hospitals are still running Windows 98 without any security patches. There have been situations where MRI and X-ray machines have been hacked to run crypto-mining operations without healthcare providers knowing.
How Will the Devices Be Regulated?
The key players in health care, along with lawmakers, have been pushing for more guidance and regulations on the security around medical devices. In April of 2021, the PATCH Act was introduced by senators. This act requires companies to meet cybersecurity standards set by the FDA, as well as maintain updates and security patches. Also, a $1.64 trillion omnibus appropriations bill was passed at the end of 2022, which included medical devices and cybersecurity. The law’s provisions did not cover as much as the PATCH Act but are still useful. The omnibus bill is a big step towards fixing the oversight that the FDA has on cybersecurity. Manufacturers are now required to disclose the device’s potential security shortcomings. They must also provide updates and security patches that are related to critical and uncontrollable risks that the device may have.
How the Consumer Can Have Control
Patients are starting to take cybersecurity into their own hands. Many are checking the websites for the devices they are being prescribed, looking for statements about cybersecurity from the manufacturer. They can also ask, and are asking, their doctors about security risks, but many providers need more education on the potential risks that these devices can pose. Those whose devices connect to the internet should register with the manufacturer to ensure they receive any security updates that are released. An easy thing for patients to do is to make good basic cyber decisions. Use a secure network for devices connected to WiFi, and a strong password for those networks. Patients should create profiles with secure usernames and passwords when registering their devices or making profiles to share data with providers. Also, if accounts are linked across multiple devices, make sure those devices, such as phones and laptops, are well secured. Some of the smallest and easiest steps patients can take to protect their data can be the most important.
Source:
Sheng, Ellen. “What Diabetes Is Revealing about the Benefits and Risks of Personal Medicine Connected to the Internet.” CNBC, 21 Jan. 2023, https://www.cnbc.com/2023/01/21/the-benefits-and-risks-of-personal-medical-monitoring-on-the-internet.html. Accessed 21 Feb. 2023.