The use of remote patient monitoring (RPM) solutions increased among U.S. Medicare beneficiaries more than sixfold from 2018 to 2021, according to research findings cited by the Bipartisan Policy Center in its January 2024 “The Future of Remote Patient Monitoring” report. One connected RPM segment is continuous glucose monitor (CGM) devices and insulin pumps—a market that the research firm GlobalData projects will nearly double, from $10.6 billion in 2022 to $20.8 billion in 2033. These and other connected monitoring and dose-delivery devices greatly improve lives and health outcomes but also open the door to safety and security risks in an increasingly dangerous digital world.
Federal governments around the world recognize these dangers and are now sharpening their focus on regulating the cybersecurity of medical devices. During 2023, the U.S. launched a bevy of regulatory and legislative initiatives, starting with its unveiling of the U.S. National Cybersecurity Strategy.
Many legislative and regulatory mandates or guidelines are now moving the industry toward an internet of medical things that builds on proven, multi-layered security strategies. These strategies have already proven successful in applications like diabetes management and medication adherence and can be extended to pacemakers, cardiac monitors and many other safety-critical connected RPM devices.
Many legislative and regulatory mandates or guidelines are built on proven, multi-layered security strategies. (Source: Adobe Stock)
Getting ahead of security threats
There is a growing volume of connected RPM devices in use and a growing variety of ways in which they can be attacked.
A November 2023 study published in Nature magazine cited a World Health Organization estimate that there are more than 2 million different types of medical devices in use. These include MRIs, infusion pumps and other devices that are “intended to maintain or improve health, treat medical conditions or diseases, or facilitate the diagnosis or monitoring of medical conditions.”
The researchers described the vulnerabilities that put these devices at risk of exposing sensitive information or, worse, allowing remote attackers to change or take control of dose delivery. The team searched 92 million public administration records to find purchases of potentially vulnerable medical devices in more than 36 countries within a 12-year range. They found that “numerous medical devices purchased by national health services possessed or still possess 661 distinct vulnerabilities—more than half of which are deemed critical or high-severity. These vulnerabilities enable relatively simple attacks to impact data confidentiality, integrity and accessibility severely.”
Among the many initiatives aimed at addressing these vulnerabilities is the U.S. government’s National Cybersecurity Strategy Implementation Plan, announced in July 2023. It followed late 2022’s new FDA cybersecurity requirements and the April 2023 publication of the ANSI/AAMI SW96:2023 standard for medical device security. The agency also fully endorsed the new ANSI/AAMI standard, including its requirement that more than one method must be used to ensure devices and systems are protected.
By October 2023, the FDA had statutory authority to require that device manufacturers incorporate satisfactory cybersecurity measures into their medical devices before releasing them to the market. They could also “refuse to accept” medical devices and associated systems with cybersecurity concerns.
To support medical device manufacturers who now must meet the FDA’s rigorous criteria and reduce the number of potential refusals, the IEEE Standards Association developed its Certification Program for Medical Device Manufacturers. As the director of conformity assessment for IEEE SA, Ravi Subramaniam, said, this program “is intended and aims to assist manufacturers in aligning with the FDA’s mandate effectively and efficiently while also streamlining the compliance process and minimizing friction associated with FDA evaluations and approvals.”
The certification program is run by the IEEE 2621 Conformity Assessment Committee, which “provides a straightforward evaluation process with a clear definition of scope and test requirements specific to medical devices.”
The IEEE 2621 standard and its precursor, the Diabetes Technology Society’s DTSec cybersecurity assurance standard, have been at the heart of RPM security advances for many years. In October 2018, the Omnipod DASH insulin management system became the first solution of its kind to receive FDA clearance and certification under the DTSec cybersecurity assurance standard and program. In May 2022, the IEEE 2621 standard based on DTSec was issued, and in December 2022, the IEEE 2621 series of standards was adopted into the FDA’s standards catalog.
Also in 2022, Insulet’s Omnipod 5 automated insulin delivery (AID) system received FDA clearance based on these standards. It was the first tubeless AID system in the U.S. with compatible smartphone control and Dexcom G6 CGM system integration that provides automatic insulin adjustments to help protect against high and low glucose ranges.
This FDA clearance, one of the most comprehensive smartphone-centric RPM solutions available, demonstrated to the greater medical device industry where cybersecurity was heading. IEEE 2621 is designed to be extensible to all medical devices.
The IEEE 2621.1-2022 standard takes the first step, providing a framework for connected device security evaluation. The IEEE 2621.2-2022 takes the next step, defining multiple levels of assurance, and IEEE 2621.3-2022 adds recommendations for the use of mobile devices in diabetes contexts.
Medical device security standards can be implemented by adding three basic security layers, whether it is for a diabetes management solution or any other connected RPM solution. (Source: Shutterstock)
Whether for a diabetes management system or any other connected RPM solution, these standards can be implemented by adding three basic security layers. These are generally software layers but can also include hardware.
The first layer protects all system communications at the application layer, incorporating IEEE 2621 security directly into a CGM or other medical device. It protects the communications channel between a smartphone app and an IoT medical device or the cloud, defending against a variety of malware and wireless channel cybersecurity attacks.
The second layer is authentication, which brings trust to all system elements. This software layer denies “root access” to privileges that would enable a hacker to harm the patient. It validates the integrity of the user, smartphone app, cloud, consumables and any associated devices connected to the solution’s communication system.
Using a medication adherence solution as an example, the authentication layer extends trust across all system components in smart blister pack or pillbox solutions, including the smartphone itself. This type of solution might be deployed in an elderly patient’s home along with video-call capabilities, or in a larger facility like a pain clinic, or an addiction treatment center, which provides patients with a safe, take-home dosing option.
For the latter use case, a 2021 study found that the addition of a pillbox-based take-home methadone dosing option during the Covid-19 pandemic enabled opioid use disorder clinics to reorganize their operations to meet social distancing guidelines, with less than 1% of pillbox alerts caused by medication being consumed outside the dosing window and no evidence of actual or attempted methadone diversion.
As promising as this sounds, these solutions are vulnerable to cybersecurity threats. All elements must be authenticated, including the gateway device in the home or facility, all sensors that are harvesting data from the smart pillboxes about each dosing event and the cloud to which sensors are sending this data.
Only with this authentication layer is it possible to ensure that dosage reminders and instructions coming to the patient through the gateway are genuine and that all data being transferred is similarly authentic and the system is defended against the introduction of any counterfeit elements, such as fraudulent medication packages.
This authentication layer can be implemented with software or hardware. Hardware security modules may also be provisioned to medical devices at the factory to give both the medical device and the consumable the cryptographic keys and digital certificates they need to behave like secure elements in the system.
The third RPM security layer ensures that there is always a reliable connection between smartphone apps, connected medical devices and the cloud so that the system can always execute necessary changes in device operations based on the most recent data. This continuous-care requirement can be met in either of two ways.
The first is a software app running in the smartphone’s background that harvests IoT device data whenever the device is near the smartphone. The second approach is to maintain communication between the wearable device and the cloud using “bridge” hardware that can be configured either for continuous operation or for use only when there is a disruption of the primary IoT-to-cloud path.
Third-party software development kits (SDKs) speed and simplify the task of embedding IEEE 2621–compliant, multi-layered security assurance directly into an RPM solution. These SDKs can be used to, for instance, add secure smartphone control to the RPM solution, or perhaps extend coverage and accuracy of a medication adherence solution with either software or hardware gateways.
As connected RPM solutions grow in popularity and adoption, they must not create greater health risks for patients than what their disease already poses. Regulatory and legislative bodies have quickly established a large and growing body of mandates and guidelines to ensure the safety and security of these solutions. In addition, the multi-layered security technologies for complying with them are already here and have been proven in FDA-cleared solutions, and SDKs are available to simplify their implementation.
About the author
Vinay Gokhale is vice president of business development at Thirdwayv, a leading provider of end-to-end connectivity and security solutions for IoT applications. A veteran of the wireless industry for more than 30 years, Gokhale was previously vice president of global IC sales for Impinj, a leading provider of RFID solutions that connect billions of everyday items, from apparel to medical supplies for applications including inventory management, asset tracking and item authentication. Before that, Gokhale was co-founder of an IoT startup, after holding senior executive positions at technology companies including Cadence Design Systems, SiRF Technologies and Conexant Systems. He has a Master of Business Administration degree from Stanford University Graduate School of Business and received his master’s and bachelor’s degree in electrical engineering from the University of California, Irvine.
Advertisement
