Left to Their Own Devices: The Promise and Dangers of IoT-Connected Medical Devices

While regulatory agencies haven’t issued any official rules for medical device manufacturers to follow concerning connected devices, manufacturers should begin taking precautions.

ANDONGOB/FREEDIGITALPHOTOS.NET

Connected medical technology has arrived at the most opportune time. Insurance companies, now required to cover people with preexisting conditions, have needed some way to lower the costs of healthcare to balance the expense associated with higher-risk individuals. Connected devices help address this exact problem.

iRhythm, for instance, manufactures a device that monitors cardiac activity and relies on machine learning for analysis. Products like these help providers treat more patients while consuming fewer resources. There are also offerings that help doctors monitor patient condition remotely so both parties can spend less time in expensive hospital rooms. With more patients, the demand for doctors’ time has skyrocketed, putting upward pressure on the prices doctors charge for their services and expertise. Machine learning and connected devices help siphon off some of this excess demand while helping to reducing provider prices.

Normally, the medical device industry is risk-averse and cautious about adopting new technologies because of the critical nature of the products themselves and the regulatory hurdles needed to bring these offerings to market. However, many companies have been relatively quick to embrace Internet of Things (IoT) innovations. This is great news. The industry’s dive into IoT means companies believe the value of embracing this technology outweighs the risks. If medical device manufacturers think insurers will pay for their new devices, it stands to reason that insurers see themselves as saving more than what they are paying for the technology. After all, they wouldn’t purchase products if the costs were greater than the benefits. If insurers are saving money, that lowers healthcare costs for consumers, and the public and industry both benefit.

People can’t sing and dance in the streets celebrating a new era of lower cost health care just yet. In deciding whether to develop connected devices, companies must carefully assess the risks associated with this new technology—a far more complicated task than meets the eye. To calculate risk, one must anticipate the severity and probability of every possible outcome.

That’s something that other industries have found historically challenging. In white papers written in the wake of the 2008 mortgage crisis, financial analysts found many banks and regulatory agencies had models which closely predicted losses of the crisis’s magnitude, but estimated the probability of those losses to be as remote as getting hit by lightning. No one took the risk seriously. Consequently, the financial industry and regulators were blindsided when lightning struck.

This could happen with connected devices, and no one wants to be the Lehman Brothers of the medical device industry. In banking, the trick is predicting how many of loans will default. For medical devices, it’s predicting product failure. For connected devices, this includes an additional unknown variable: cybersecurity threats. The prospect of these threats is particularly frightening with respect to implantables, such as pacemakers, dermally implanted biosensors, and accelerometers used to track movement in patients with Parkinson’s disease or epilepsy.

Learn about IoT Design Strategies at the MD&M Minneapolis Conference & Expo, November 8-9, 2017.

Vulnerable devices have the potential to cause damage beyond the people using them. The 2016 cyberattack that took down the internet across America used a weapon called the Mirai botnet to strike Dyn, a company that controls much of the web’s domain name infrastructure. Mirai took control of hundreds of vulnerable products, including medical devices, to bombard Dyn with traffic and cause its servers to collapse under the strain. The result was a loss in connectivity for millions of Americans.

Certain aspects of IoT’s increasing prominence certainly echo the financial crisis. Regulatory agencies have been quite restrained. FDA merely issued unenforced common-sense guidelines. The Federal Trade Commission (FTC) has said it won’t start regulating the IoT unless there’s an event that causes harm to consumers. It has issued “guidances,” such as a 2015 suggestion that devices require forced password resets, and has publicly pressured IoT companies to inform consumers if their data is sold to marketing companies. Lawmakers in the U.S. House of Representatives’ Committee on Energy and Commerce have written letters calling on the FTC to urge manufacturers to “implement security measures” and “alert consumers to the security risks posed by continuing to use default passwords on [IoT] devices.” Still, none of these guidances have been aggressively enforced.

Early in 2017, the FTC took its most active stance yet. The agency held a contest awarding $25,000 to whomever could create the best solution to IoT cyber security threats. The winner proposed a mobile app, called “IoT Watchdog,” which would help people with IoT devices in their homes by flagging out-of-date software and other common vulnerabilities and by providing instructions for updating and addressing the identified weaknesses. The contest runner-up designed a program that uses virtual networks to isolate IoT-connected devices on home networks so consumers can easily monitor and manage those products. This is great news for the consumer electronics industry, but it doesn’t address connected medical devices. In addition, expecting IoT users to monitor their own devices might be realistic for tech-savvy consumers, but it’s not a viable approach for other consumers who are not as proficient with technologies, such as senior citizens.

The lack of action by regulatory agencies doesn’t mean the medical device industry should charge forward cavalierly. If anything, this is the perfect opportunity for the market to solve problems the government has been slow to address. It is the medical device companies that stand to lose the most if harm befalls consumers; a security debacle could lead to millions of dollars in losses in lawsuits and brand reputation damage. Serious connected device security breaches could turn consumers off to using these products entirely, and diminish the value of the vast resources manufacturers have invested in designing and bringing these products to market.

Consumer fears already exist. Former Vice President Dick Cheney ordered changes made to his IoT-connected pacemaker to safeguard it from hackers. His fears have merit. In 2015, researchers hacked into a pacemaker in iStan, a simulated human that mimics respiratory, cardiovascular, and neurological systems. They did so with a combination of a denial of service (DoS) attack and a program called Reaver to crack the passwords.

The Mirai botnet annoyed people across the country, but attacks could be far more severe. The WannaCry ransomware attacks impacted two hospitals in May of 2017, and also hit Bayer radiology devices used for MRIs. Fortunately, the attack didn’t result in any severe damage. However, imagine what could have happened if hackers infiltrated a more integral part of the hospital? Could an entire hospital be brought to a screeching halt through vulnerabilities in connected devices throughout the organization? Could a hospital's servers be overwhelmed by a botnet and jeopardize life-saving care for hundreds of people?

While regulatory agencies haven’t issued any official rules for medical device manufacturers to follow concerning connected devices, manufacturers should begin taking precautions. Industries shouldn’t rely on regulatory agencies to force them to address risk. At some point, an adverse event will happen and regulatory bodies worldwide will inevitably issue rules. Medtech companies might as well anticipate those rules and start planning now.

They can start with the basics: keep software up to date, encrypt data, and only allow authenticated programmers to link to vital implantable devices, such as pacemakers. They should also have systems set up to patch vulnerabilities discovered down the line. Additionally, if medical device manufacturers use the cloud or are planning to move to the cloud, they should be mindful of the cloud provider's cybersecurity precautions.

Connected medical devices are here. Barring any catastrophic hacking incidents, they might be here to stay. Until the industry and regulators get their cybersecurity strategies together, my loved ones and I will be steering clear of connected medical devices.

Catherine Wagner

Catherine Wagner

Catherine Wagner is a life sciences analyst at Santa Barbara, CA-based enterprise resource planning (ERP) software company QAD, Inc. (NASDAQ: QADA/QADB). She can be reached at c3w@qad.com.

 

500 characters remaining