What diabetes reveals about the benefits and risks of Internet-connected personal medicine

  • Medical devices for conditions such as diabetes and sleep management, from insulin pumps and continuous glucose monitors to C-PAP machines, are increasingly connected to the Internet.
  • Insulin pumps and blood glucose meters can now be connected to smartphones via Bluetooth, while C-PAP machines can store and send data to healthcare professionals without the need for an office visit.
  • The Internet of Things for personal health has many benefits and the world of remote patient monitoring is growing, but it also comes with increased FDA scrutiny of cybersecurity risks.


The Internet of Things for remotely monitoring and managing common health conditions keeps growing, driven by diabetic patients.

About one in 10 Americans, or 37 million people, live with diabetes. Devices like insulin pumps, which date back decades, and continuous glucose monitors, which monitor blood sugar levels 24/7, are increasingly connected to smartphones via Bluetooth. The increased connectivity has many benefits. People with type 1 diabetes can have much tighter control over their blood sugar levels because they are able to review weeks of blood glucose and insulin dosing data, making it easier to spot trends and fine-tune dosage. In recent years, diabetic patients have become so adept at remote monitoring that a DIY community of patient hackers has rigged the devices to better manage their medical needs, and the medical device industry has learned from them.

But the ability to track medical conditions over the Internet comes with risks, including nefarious hacking. While medical devices, which must be approved by the FDA, meet a higher standard than fitness devices, there are still risks to the protection of patient data and access to the device itself. The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product manufacturers have issued recalls related to the vulnerabilities. In September, this occurred with Medtronic’s MiniMed 600 series insulin pump, which the company and the FDA warned had a potential problem that could allow unauthorized access, creating the risk that the pump could deliver too much or not enough insulin.

Sleep apnea, type 2 diabetes and remote healthcare

It’s not just for diabetes that the medical device market is offering patients new benefits from remote monitoring. For sleep apnea, which is estimated to affect up to 30 million Americans (and one billion people worldwide), C-PAP machines can now store and send data to healthcare professionals without needing an office visit.

The number of internet-connected medical devices has grown during the pandemic, as lockdowns have created a big push to treat people at home. With the increase in virtual care visits, it “opened everyone’s eyes to home medical devices for remote patient monitoring,” said Gregg Pessin, senior director of research at Gartner.

Steady sales of continuous glucose meters and insulin pumps have buoyed companies like Dexcom, Insulet, Medtronic and Abbott Laboratories, and sales of diabetes tech devices are expected to grow. According to the Centers for Disease Control and Prevention, in addition to the 37 million people in the United States who have diabetes, an estimated 96 million adults are pre-diabetic. Manufacturers of continuous glucose meters and insulin pumps, which have been the standard of care for type 1 diabetes for years, are also increasingly targeting patients with type 2 diabetes.

Multiple forms of medical cybersecurity risk

Industry security experts classify the cybersecurity risks of medical devices into three categories.

First, there’s the risk to patient data. Many medical devices such as insulin pumps require patients to create online accounts to download data to a computer or smartphone. These accounts could include sensitive information, not just sensitive health data but personal details such as social security numbers.

Another risk is to the medical device itself, as evidenced by headlines about the risk of hackers breaking into a medical device like Medtronic’s pump and changing dosage settings, with potentially fatal effects. A report by Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75 percent of infusion pumps, a category that includes insulin pumps, had “known security holes” that put them at risk of being compromised by attackers. May Wang, chief technology officer of Internet of Things Security at Palo Alto Networks, said that in a lab experiment, hackers gained access to infusion pumps, changing drug dosages. “So now cybersecurity is not just about privacy, not just about data leakage. It’s more about life or death,” she said.

But Gartner’s Pessin said that risk is minimal in the real world. Under controlled conditions in a lab, “it’s only a matter of time before you can do that,” but in the real world, “it would be a lot more difficult,” he said.

A Medtronic spokesperson said the company designs and manufactures medical technologies to be as safe and secure as possible and that its Global Product Safety Office continuously monitors products for safety throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and “take action to protect patients through a coordinated disclosure process and security bulletins.”

In September, Medtronic’s advisory to users taught them how to eliminate the risk of inadvertent insulin administration by turning off the ability to remotely dose via a separate device.

The third cybersecurity risk is the connection between the medical device and the network, be it WiFi or 5G. As medical devices become more connected, they carry an increased risk of malware, a well-known risk in other industries that could soon affect healthcare. Wang pointed to a case in 2014 where Target leaked sensitive customer information after installing a malware-infected HVAC system.

While there are no known incidents yet where this occurs through medical devices used at home, it could be a matter of time, and older devices that aren’t updated regularly are more at risk. In hospitals, older operating systems have left some medical equipment vulnerable to attack. Some medical imaging systems, which can have a life cycle of over 20 years, are still running on Windows 98 without any security patches, and there have been incidents where MRI scanners or X-ray machines have been hacked to perform crypto mining operations, without the knowledge of healthcare providers.

Adjustment of devices

Regulators and healthcare industry leaders have pushed for more guidelines and regulations on medical device safety.

In April of last year, Senators introduced the PATCH Act to require medical device manufacturers seeking FDA approval to meet certain cybersecurity requirements and maintain security updates and patches. Most recently, the $1.65 trillion omnibus appropriations bill passed in late 2022 included new cybersecurity requirements for medical devices. Experts said the law’s provisions didn’t quite meet the requirements of the PATCH Act, but were significant nonetheless.

An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent a significant step forward in the FDA’s oversight of cybersecurity as part of a medical device’s safety and efficacy. Among the provisions, manufacturers will have to put plans and processes in place to disclose vulnerabilities. Device manufacturers will also be required to promptly deliver updates and security patches to devices and related systems for “critical vulnerabilities that present uncontrolled risk.”

How to stay in control as a consumer

As doctors increasingly prescribe glucose meters and insulin pumps not only for type 1 diabetes but also for the much more common type 2 diabetes, consumers considering whether to use such a device can start by searching the manufacturer’s website for its information security statements and HIPAA compliance regarding the protection of their private health information. They can also ask their doctors about safety, although cybersecurity experts say there is still work to be done to improve education about these risks among healthcare professionals.

Consumers with an Internet-connected medical device should register with the manufacturer to ensure they are notified of safety updates. Following basic cyber hygiene at home is also crucial, as many devices now connect to WiFi. Make sure your WiFi network is secured with a strong password, and also use a strong username and password for the company website if you share or download data. More and more consumers are now also choosing to use a password manager to keep all of their internet login information. Since devices can interact with other devices over Wi-Fi, make sure your home laptops and phones are protected as well.
