Guest Column | August 31, 2017

Should Every Device Be Connected? Weighing the Risks and Benefits of Medical Device Connectivity


By Clark Fortney, Battelle

Consumers are flocking to Internet of Things (IoT) technologies, from “smart” smoke detectors to connected speaker systems. However, when the connected devices are medical in nature, sometimes the benefits don’t justify the potential threats to patient safety or data. Medical device manufacturers that are considering adding or expanding connectivity options should think carefully about what they are trying to achieve, and develop a strategy that balances the risks and rewards.

Are We Connecting Medical Devices For the Right Reasons?

Connected medical devices are at the heart of some of today’s most exciting advances in healthcare. From mHealth apps that help patients manage chronic conditions at home to smart sensors that alert caretakers when attention is needed, connected devices are making healthcare more personal, more responsive, and hopefully more effective. However, it does not necessarily follow that more connectivity is always better, or that every medical device should connect to other devices or networks.

In considering the benefits of connecting a medical device — to other devices, to a web portal, or to a hospital network — manufacturers should make sure they have clearly established the potential benefits of connectivity. In particular, they should define who benefits and how. Consider:

  • Will connecting the medical device have a direct health benefit for the patient? How will it enable better care or better outcomes?
  • Does connectivity add convenience for the end user? Does it make the device easier to use? Could connectivity help to improve patient adherence?
  • Will connecting the device provide better or faster data to doctors or healthcare providers? Will that data enable better diagnostic or care decisions?
  • Does connectivity improve healthcare efficiency? Will it enable cost savings for patients or healthcare providers?  
  • Will data collected by the device be used for a business or marketing purpose? Does connectivity further the company’s business goals?

Connectivity is clearly beneficial for patients and care providers in many cases. Wearable medical sensors can transmit real-time data and alert care providers if immediate attention is needed. Connected mHealth apps can help patients track blood sugar levels, drug doses, blood pressure, weight, and other readings, so patients can better manage chronic conditions and communicate with doctors and care providers.

Some forms of connectivity directly benefit both patients and companies. For example, a drug delivery device connected to a mobile app or web portal can be programmed to automatically order refills from the patient’s pharmacy at the right time. This reduces the risk that patients will run out of critical medication, while at the same time helping companies meet business goals. Other forms of data collection may not have any direct benefit for the patient, but provide valuable data for product development or enable marketing opportunities.

Increasingly, the move towards greater connectivity is being driven by perceived consumer demand and competitive pressure, rather than carefully considered medical benefits. Manufacturers may believe that adding a mobile app for a medical device used in the home will make it more appealing or usable for patients. In reality, many of these apps are loaded with rarely used extra features that add little medical value. This echoes similar issues seen in the world of consumer IoT: many people have found that their “smart” thermostats and light bulbs do not provide enough added value to justify their added cost and complexity. Before rushing to connect for connection’s sake, companies should carefully consider what they are trying to achieve and weigh the potential downside of connectivity.

Balancing Benefits and Risks for Connected Medical Devices

Cybersecurity is a critical concern for every medical device that uses software. Connecting devices to the internet, hospital networks or other devices makes them vulnerable to cybersecurity threats, including both deliberate attacks and undirected malware. Hackers may attempt to break into a medical device with the intent of causing harm to users, stealing patient information, or pivoting into a hospital network to steal data or conduct a ransomware attack. Commodity malware is an even bigger threat for most medical devices; even if the device is not specifically targeted, malware can disrupt device operation in ways that can put patients or data at risk.

When considering adding options for connectivity, medical device developers should carefully evaluate the potential threats and risks at the very beginning of the process, during device conceptualization. Key questions to ask include:

  • What is the potential for patient harm if the device fails to operate as expected? What happens if the device shuts down and stops working entirely? What happens if data is changed or erased, either deliberately (by a hacker) or unintentionally (as a side effect of malware)?
  • What kinds of data will be stored, transmitted, or accessed by the device? Does the data include sensitive medical information? Financial information? Can it be linked to the personal identity of the patient?
  • What are the potential business risks of connecting the device? Could it be used to pivot into hospital networks? Does it provide an access point into the developer’s web-based systems?

Each medical device will have its own unique cybersecurity threat and risk profile, as well as its own benefits. Drug delivery devices and life support devices, such as ventilators, have a very high risk of patient harm if they malfunction or stop working entirely. For other devices, such as a connected blood pressure monitor, the direct risk of patient harm may be very small. Medical device developers must balance the potential worst-case scenarios — especially risks to patient safety — against the benefits gained by adding or increasing device connectivity.

Strategies for Safely Connecting Medical Devices

Of course, in many cases, the potential benefits of connectivity are well worth it. Connected medical devices can provide added functionality that improves care and leads to better patient outcomes. In addition, they open up new opportunities for data aggregation and analysis that are invaluable for both medical researchers and business developers.

While no connected device will ever be 100 percent secure, there are steps that developers can take to reduce cybersecurity risks. A good cybersecurity plan encompasses every stage of device development, from initial concept to postmarket updates. At each stage, there are choices to be made that can either increase or decrease device security. These choices must be carefully balanced against usability, functionality, and cost considerations.

Medical device developers who do not have extensive cybersecurity expertise on staff should consider bringing in outside experts to assist with requirement development, software architecture decisions, risk analysis, and vulnerability testing.

Some strategies that medical developers can use include:

  • Follow a well-defined and rigorous process for system and software design. Use best practices in software design and system architecture.
  • Establish cybersecurity design policies and design procedures for your company. The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework that provides an excellent starting point.
  • Carefully consider how much and what kind of connectivity is needed in order to achieve the desired functionality. Each form of connectivity (e.g., Bluetooth, Wi-Fi, Ethernet, direct connection to another device) opens up a different set of potential threats. If the device only needs to connect to another device to function — for example, a drug delivery device connected to a sensor — it is safer to connect them directly than to have both devices connect through a cloud-based web portal.
  • Limit the scope of device functionality that can be controlled by the connected device. For instance, don’t give your smart phone app the ability to change the dosing parameters of your drug delivery device.
  • Limit the data stored, transmitted, or used by the device to only the essentials required to provide the benefit desired. Do not use personally identifying information if it is not needed. Build appropriate memory protection into your software architecture.
  • Choose the right type and level of encryption for the data you need to protect. Encryption should be used any time patient data is transmitted between the device and another device, network, or system. The more sensitive the data, or the greater the risk to patients if data is corrupted, the higher the level of encryption needed. Encryption decisions must also consider the impact on interoperability, usability, and cost.
  • Search for known vulnerabilities in third-party hardware and software components, such as operating systems, libraries, or applications. The National Vulnerability Database and manufacturer errata sheets can provide helpful information. If the search turns up unacceptable risks, consider using a more secure alternative or adding risk controls to reduce the probability of a problem. 
  • Use security controls appropriate to the threat profile of the device, the intended users, and the environment in which it will be used. Password protection, security badges, biometric security, and other types of security controls all have their own pros and cons. The level of security needed and the best approach to controlling access will be unique to the device.
  • Conduct thorough vulnerability assessment testing and cybersecurity risk analysis prior to release. This may include penetration testing, fuzz testing, and evaluation of security controls. The greater the potential for harm if the device is compromised, the more effort should be spent on vulnerability assessment.
  • Have a postmarket cybersecurity strategy, including a responsible disclosure policy and a plan for securely updating the device as new security threats are identified.
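The advice above to limit what the phone app can control is easiest to enforce at one choke point in the device firmware: a command dispatcher that checks, before anything else, whether a command is permitted on the interface it arrived on. The following is an added illustration written for this column, not code from the author or from Battelle; the pump, its channels, command codes, and dose limits are all assumptions constructed for the example. The phone-app channel gets a read-only allowlist, so a dosing change sent over Bluetooth is refused (and counted, so the rejection can be logged), while the same change from the local clinician interface is accepted only after a range check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not code from the column or from Battelle: a device-side
 * command dispatcher for a hypothetical drug-delivery pump. Every name, command
 * code and limit below is an assumption made for the example. */

/* Which interface a command arrived on. */
typedef enum {
    CHAN_LOCAL_CLINICIAN = 0,   /* on-device UI, used by an authenticated clinician */
    CHAN_PHONE_APP       = 1    /* Bluetooth link to the patient's phone app */
} channel_t;

/* Command codes (constructed for the example). */
typedef enum {
    CMD_READ_STATUS     = 0x01,
    CMD_READ_DOSE_LOG   = 0x02,
    CMD_ACK_ALERT       = 0x03,
    CMD_SET_DOSE_PARAMS = 0x10,
    CMD_START_BOLUS     = 0x11
} command_t;

typedef enum {
    RESULT_OK = 0,
    RESULT_DENIED,      /* command not permitted on this channel */
    RESULT_INVALID      /* permitted, but arguments fail range checks */
} result_t;

typedef struct {
    uint16_t basal_rate_ul_per_hr;
    uint16_t max_bolus_ul;
} dose_params_t;

typedef struct {
    dose_params_t params;
    uint32_t      denied_count;   /* rejected commands, for audit logging */
} pump_state_t;

/* Hard safety limits (placeholder values): even the trusted channel cannot exceed them. */
#define LIMIT_BASAL_UL_PER_HR 5000u
#define LIMIT_BOLUS_UL        2000u

/* Per-channel allowlists. Anything not listed is denied, so a new or malformed
 * command code is rejected by default instead of reaching the handler switch. */
static const command_t PHONE_APP_ALLOWED[] = {
    CMD_READ_STATUS, CMD_READ_DOSE_LOG, CMD_ACK_ALERT
};
static const command_t CLINICIAN_ALLOWED[] = {
    CMD_READ_STATUS, CMD_READ_DOSE_LOG, CMD_ACK_ALERT,
    CMD_SET_DOSE_PARAMS, CMD_START_BOLUS
};

static bool in_list(const command_t *list, size_t n, command_t cmd)
{
    for (size_t i = 0; i < n; i++) {
        if (list[i] == cmd) return true;
    }
    return false;
}

/* Returns true only if cmd appears on the allowlist for channel ch. */
bool channel_allows(channel_t ch, command_t cmd)
{
    switch (ch) {
    case CHAN_PHONE_APP:
        return in_list(PHONE_APP_ALLOWED, sizeof PHONE_APP_ALLOWED / sizeof PHONE_APP_ALLOWED[0], cmd);
    case CHAN_LOCAL_CLINICIAN:
        return in_list(CLINICIAN_ALLOWED, sizeof CLINICIAN_ALLOWED / sizeof CLINICIAN_ALLOWED[0], cmd);
    }
    return false;   /* unknown channel: deny */
}

/* Single entry point for every command, whatever interface it came from. */
result_t dispatch(pump_state_t *st, channel_t ch, command_t cmd, const dose_params_t *args)
{
    /* First gate: is this command allowed from this interface at all? */
    if (!channel_allows(ch, cmd)) {
        st->denied_count++;
        return RESULT_DENIED;
    }
    switch (cmd) {
    case CMD_READ_STATUS:
    case CMD_READ_DOSE_LOG:
    case CMD_ACK_ALERT:
    case CMD_START_BOLUS:
        return RESULT_OK;   /* actual read/acknowledge/bolus handling omitted */
    case CMD_SET_DOSE_PARAMS:
        /* Second gate: range-check arguments even on the trusted channel. */
        if (args == NULL ||
            args->basal_rate_ul_per_hr > LIMIT_BASAL_UL_PER_HR ||
            args->max_bolus_ul > LIMIT_BOLUS_UL) {
            return RESULT_INVALID;
        }
        st->params = *args;
        return RESULT_OK;
    }
    return RESULT_DENIED;   /* not reachable while the allowlists are complete */
}

int main(void)
{
    pump_state_t pump = { { 100, 500 }, 0 };
    dose_params_t req = { 200, 600 };
    printf("app read status:    %d\n", (int)dispatch(&pump, CHAN_PHONE_APP, CMD_READ_STATUS, NULL));
    printf("app set dose:       %d (denied so far: %u)\n",
           (int)dispatch(&pump, CHAN_PHONE_APP, CMD_SET_DOSE_PARAMS, &req), (unsigned)pump.denied_count);
    printf("clinician set dose: %d (basal now %u)\n",
           (int)dispatch(&pump, CHAN_LOCAL_CLINICIAN, CMD_SET_DOSE_PARAMS, &req),
           (unsigned)pump.params.basal_rate_ul_per_hr);
    return 0;
}
```

The design point is that the channel check happens before the command is interpreted, so adding a new privileged command later cannot accidentally expose it over the app link: it is denied until someone deliberately adds it to that channel's allowlist. The denied counter is the hook for the postmarket side of the same advice; a burst of rejected dosing commands over Bluetooth is exactly the kind of event a device should report.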

The IoT is here to stay, for medical devices as well as consumer products, and we can expect to see greater levels of connectivity between medical devices and consumer products, such as smart phones and tablets. In most cases, the benefits for users — in terms of greater convenience, easier adherence, improved insights, and better health outcomes — will be well worth the risks. But consumers will not be able to make those calculations themselves. It is up to the medical device industry to make careful, strategic cybersecurity choices to minimize those risks.

About the Author

Clark Fortney, principal electrical engineer for embedded systems at Battelle, has 20 years of experience with medical device software development. He has a broad background in electrical engineering, with an emphasis on embedded system/software design, and has served in software leadership roles for a wide variety of medical devices, including drug delivery devices and associated app development.