While still in the early stages of this technology’s adoption, IoT has already proven to be a life-changing advance for many patients. A stroll through a few articles in this very issue presents real-world examples of the integration being put into place. From the more obvious world of medical wearables to the expanding home healthcare market, IoT is rapidly making inroads into medical technology and healthcare, something that’s not likely to slow down anytime soon.
As fantastic as IoT is, there is a downside. In this issue’s Medtech Musings, managing editor Michael Barbella offers a great look at the impact the latest internet virus, WannaCry, had on medtech. While hospitals and patient data were covered by the mainstream media, the virus’ effect on medical technology in many of those hospitals was not.
Some view the emergence of medical wearables as an opportunity to improve healthcare, address obesity, and monitor chronic diseases; hackers and the creators of malware view them as new potential targets. While at-home testing devices can save patients from unnecessary doctor visits, nefarious individuals see them as new potential gateways to important data. Other connected devices such as drug delivery units or even implantables may be life-preserving technologies to the people who require them, but how long before a truly evil individual views them as hacking challenges they want to conquer? Someone’s going to end up dead from the unauthorized access of a medical device, and no company wants its name to be on the hacked device.
So what’s medtech doing about this threat? Unfortunately, not enough. Uncertainty with regard to updating software or putting out patches leads many companies to take little to no action with regard to addressing security vulnerabilities. Fortunately, the FDA issued new guidance (Postmarket Management of Cybersecurity in Medical Devices) late last year that addresses this issue and attempts to clarify what types of updates are permitted without requiring any type of further regulatory review.
There’s also the problem of systems in the field running on outdated Microsoft operating systems. How many medical devices are still using XP? How many are on Vista? Both of these products are no longer supported by Microsoft, meaning patches and updates are no longer available (although the company made a rare exception by issuing a patch to address the WannaCry virus). Should medical device manufacturers look at other options beyond Microsoft products, which come with an end-of-life date essentially at launch (Windows 7 support ends Jan. 14, 2020, and Windows 8.1 support ends Jan. 10, 2023)? Would Linux solutions be a better alternative? These are ultimately questions for the design and software engineers, but it’s certainly something to keep in mind.
In the meantime, what’s a company to do? “Hire a hacker.” That was the response given during a panel discussion at MassMEDIC’s 21st Annual Conference, held in May in Boston, Mass. The question was in regard to the best advice the panel had for addressing cybersecurity in the development of a medical device. When a device’s biocompatibility needs to be verified, a company will often outsource to a laboratory that specializes in that type of test. Why should the software or security of a device be treated any differently? If medtech firms are serious about producing connected technologies that will be interfaced in real-world environments and “speak” with other machines, they need to ensure the technology is properly protected from possible intrusions. Who better to help reveal those potential problem areas than someone who knows how a hacker works?
A white hat hacker is someone who, with a company’s permission (and on the company’s dime), will attempt to breach a device or software by whatever means possible. For medical device companies developing connected medical products, it may be in their best interest to do some digging on the freelance hackers who are available for hire to give their device a true test in an attempt to resolve vulnerabilities before the device goes to market. Even for postmarket products, a hacker can help discover potential issues that could be patched before a worst-case situation occurs.