By Clark Fortney, Battelle
By Clark Fortney, Battelle
Consumers are flocking to Internet of Things (IoT) technologies, from “smart” smoke detectors to connected speaker systems. However, when the connected devices are medical in nature, sometimes the benefits don’t justify the potential threats to patient safety or data. Medical device manufacturers that are considering adding or expanding connectivity options should think carefully about what they are trying to achieve, and develop a strategy that balances the risks and rewards.
Connected medical devices are at the heart of some of today’s most exciting advances in healthcare. From mHealth apps that help patients manage chronic conditions at home to smart sensors that alert caretakers when attention is needed, connected devices are making healthcare more personal, more responsive, and hopefully more effective. However, it does not necessarily follow that more connectivity always is better, or that every medical device should connect to other devices or networks.
In considering the benefits of connecting a medical device — to other devices, to a web portal, or to a hospital network — manufacturers should make sure they have clearly established the potential benefits of connectivity. In particular, they should define who benefits and how. Consider:
Connectivity is clearly beneficial for patients and care providers in many cases. Wearable medical sensors can transmit real-time data and alert care providers if immediate attention is needed. Connected mHealth apps can help patients track blood sugar levels, drug doses, blood pressure, weight, and other readings, so patients can better manage chronic conditions and communicate with doctors and care providers.
Some forms of connectivity directly benefit both patients and companies. For example, a drug delivery device connected to a mobile app or web portal can be programmed to automatically order refills from the patient’s pharmacy at the right time. This reduces the risk that patients will run out of critical medication, while at the same time helping companies meet business goals. Other forms of data collection may not have any direct benefit for the patient, but provide valuable data for product development or enable marketing opportunities.
Increasingly, the move towards greater connectivity is being driven by perceived consumer demand and competitive pressure, rather than carefully considered medical benefits. Manufacturers may believe that adding a mobile app for a medical device used in the home will make it more appealing or usable for patients. In reality, many of these apps are loaded with rarely used extra features that add little medical value. This echoes similar issues seen in the world of consumer IoT: many people have found that their “smart” thermostats and light bulbs do not provide enough added value to justify their added cost and complexity. Before rushing to connect for connection’s sake, companies should carefully consider what they are trying to achieve and weigh the potential downside of connectivity.
Cybersecurity is a critical concern for every medical device that uses software. Connecting devices to the internet, hospital networks or other devices makes them vulnerable to cybersecurity threats, including both deliberate attacks and undirected malware. Hackers may attempt to break into a medical device with the intent of causing harm to users, stealing patient information, or pivoting into a hospital network to steal data or conduct a ransomware attack. Commodity malware is an even bigger threat for most medical devices; even if the device is not specifically targeted, malware can disrupt device operation in ways that can put patients or data at risk.
When considering adding options for connectivity, medical device developers should carefully evaluate the potential threats and risks at the very beginning of the process, during device conceptualization. Key questions to ask include:
Each medical device will have its own unique cybersecurity threat and risk profile, as well as its own benefits. Drug delivery devices and life support devices, such as ventilators, have a very high risk of patient harm if they malfunction or stop working entirely. For other devices, such as a connected blood pressure monitor, the direct risk of patient harm may be very small. Medical device developers must balance the potential worst-case scenarios —especially risks to patient safety — against the benefits gained by adding or increasing device connectivity.
Of course, in many cases, the potential benefits of connectivity are well worth it. Connected medical devices can provide added functionality that improves care and leads to better patient outcomes. In addition, they open up new opportunities for data aggregation and analysis that are invaluable for both medical researchers and business developers.
While no connected device will ever be 100 percent secure, there are steps that developers can take to reduce cybersecurity risks. A good cybersecurity plan encompasses every stage of device development, from initial concept to postmarket updates. At each stage, there are choices to be made that can either increase or decrease device security. These choices must be carefully balanced against usability, functionality, and cost considerations.
Medical device developers who do not have extensive cybersecurity expertise on staff should consider bringing in outside experts to assist with requirement development, software architecture decisions, risk analysis, and vulnerability testing.
Some strategies that medical developers can use include:
The IoT is here to stay, for medical devices as well as consumer products, and we can expect to see greater levels of connectivity between medical devices and consumer products, such as smart phones and tablets. In most cases, the benefits for users — in terms of greater convenience, easier adherence, improved insights, and better health outcomes — will be well worth the risks. But consumers will not be able to make those calculations themselves. It is up to the medical device industry to make careful, strategic cybersecurity choices to minimize those risks.
About the Author
Clark Fortney, principal electrical engineer for embedded systems at Battelle, has 20 years of experience with medical device software development. He has a broad background in electrical engineering, with an emphasis on embedded system/software design, and has served in software leadership roles for a wide variety of medical devices, including drug delivery devices and associated app development.