About one in every 10 Americans, or 37 million people, is living with diabetes. Devices such as insulin pumps, which go back decades, and continuous glucose monitors, which track blood sugar levels 24/7, are increasingly connected to smartphones via Bluetooth. The increased connectivity comes with many benefits. People with type 1 diabetes can keep much tighter control over their blood sugar levels because they are able to review weeks of blood sugar and insulin dosing data, making it easier to spot trends and fine-tune dosing. In recent years, diabetes patients became so adept at remote monitoring that a DIY community of patient-hackers modified their own devices to better manage their medical needs, and the medical device industry has learned from them.
But the ability to monitor medical conditions over the internet comes with risks, including malicious hacking. Though medical devices, which must go through FDA review, are held to a higher standard than fitness devices, there are still risks to patient data and to control of the device itself. The FDA has issued periodic warnings about the vulnerability of medical devices such as insulin pumps to hackers, and product makers have issued recalls related to vulnerabilities. In September, that occurred with Medtronic's MiniMed 600 Series insulin pump, which the company and the FDA warned had a potential issue that could allow unauthorized access, creating a risk that the pump could deliver too much or too little insulin.
Sleep apnea, Type 2 diabetes and remote health care
It's not just diabetes where the medical device market is offering patients new benefits from remote monitoring. For sleep apnea, which is estimated to affect as many as 30 million Americans (and one billion people globally), CPAP machines can now store and send data to health-care providers without the need for an office visit.
The number of internet-connected medical devices grew during the pandemic, as lockdowns created a big push to treat people at home. As virtual care visits rose, “it opened everybody’s eyes to home-based medical devices for remote patient monitoring,” said Gregg Pessin, a senior director of research at Gartner.
Steady sales of continuous glucose monitors and insulin pumps have buoyed companies such as Dexcom, Insulet, Medtronic and Abbott Laboratories, and diabetes tech device sales are expected to grow. According to the Centers for Disease Control and Prevention, beyond the 37 million people in the U.S. who have diabetes, an estimated 96 million adults are pre-diabetic. Manufacturers of continuous glucose monitors and insulin pumps, which have been the standard of care for type 1 diabetes for years, are increasingly targeting type 2 diabetes patients as well.
Multiple forms of medical cybersecurity risk
Industry security experts categorize cybersecurity risks of medical devices into three buckets.
First, there's the risk to patient data. Many medical devices such as insulin pumps require patients to create online accounts to download data to a computer or smartphone. These accounts can hold sensitive information, not just health data but personal details such as Social Security numbers.
Another risk is to the medical device itself, as evidenced by the headlines around the risk of hackers getting into a medical device like Medtronic’s pump and changing dosage settings, with potentially fatal effects. A report by Unit 42, a cybersecurity firm that is part of Palo Alto Networks, found that 75% of infusion pumps — which include insulin pumps — had “known security gaps” that put them at risk of being compromised by attackers. May Wang, chief technology officer of internet of things security at Palo Alto Networks, said that in a lab experiment hackers gained access to infusion pumps, changing medication dosages. “So now cybersecurity is not just about privacy, not just about data leakage. It’s more about life or death,” she said.
But Gartner’s Pessin said that such risk is slight in the real world. In the controlled conditions in a laboratory, “it’s just a matter of time before you’ll be able to do it,” but in the real world, “it’d be much more difficult,” he said.
A Medtronic spokeswoman said the company designs and manufactures medical technologies to be as safe and secure as possible, and that its global product security office continuously monitors the security of its products throughout their lifecycle. The company also monitors the cybersecurity landscape to address vulnerabilities and to "take action to protect patients through a coordinated disclosure process and security bulletins."
In September, Medtronic’s notice to users walked them through how to eliminate the risk of unintended insulin delivery by turning off the ability to dose remotely through a separate device.
The third cybersecurity risk is the connection between the medical device and the network, whether it's WiFi or 5G. As medical devices become more connected, they carry an increased risk of malware, a risk well known in other industries that could soon reach health care. Wang pointed to the Target breach disclosed in late 2013, in which attackers got onto the retailer's network using credentials stolen from a third-party HVAC contractor and went on to steal customer payment-card and personal data.
While there are no known incidents yet of this happening through medical devices used at home, it could be a matter of time, and older devices that are not updated regularly are more at risk. In hospitals, outdated operating systems have left some medical equipment vulnerable to attack. Some medical imaging systems, which can have a lifecycle of over 20 years, still run on Windows 98 without any security patches, and there have been incidents in which MRI scanners or X-ray machines were hijacked to run cryptocurrency mining, unbeknownst to the health-care providers operating them.
Regulation of devices
Lawmakers and health-care leaders have been pushing for more guidance and regulations around medical device security.
In April of last year, senators introduced the PATCH Act, which would require medical device makers applying for FDA approval to meet certain cybersecurity requirements and to maintain updates and security patches. More recently, the $1.65 trillion omnibus appropriations bill passed at the end of 2022 included new medical device cybersecurity requirements. Experts said the law's provisions do not go as far as the PATCH Act's requirements but are still significant.
An FDA spokesperson told CNBC that the new cybersecurity provisions in the omnibus bill represent a significant step forward in FDA’s oversight of cybersecurity as part of a medical device’s safety and effectiveness. Among the provisions, manufacturers will have to put plans and processes in place to disclose vulnerabilities. Device manufacturers will also have to provide updates and security patches to devices and related systems for “critical vulnerabilities that present uncontrolled risk,” in a timely manner.
How to maintain control as a consumer
Doctors are increasingly prescribing glucose monitors and insulin pumps not just for type 1 diabetes but for the much more common type 2 diabetes as well. Consumers weighing whether to use such a device can start by looking on the manufacturer's website for statements about cybersecurity and HIPAA compliance covering the protection of their private health information. They can also ask their doctors about security, although cybersecurity experts say there is still work to be done to improve education about these risks among health-care providers.
Consumers with an internet-connected medical device should register it with the manufacturer to ensure they are notified about security advisories and updates, and should install those updates when they are released. Following basic cyber hygiene at home is also key, since many devices now connect to WiFi. Make sure the WiFi network is protected with a strong password (and modern WPA2 or WPA3 encryption rather than an open network), and use a unique, strong password for the manufacturer's website or app account if sharing or downloading data, turning on multi-factor authentication where the manufacturer offers it. More consumers are now also opting to use a password manager to hold all of their internet login information. Because devices can interact with other devices over WiFi, make sure home laptops and phones are kept updated and secure as well.