Cybersecurity concerns seem to accost us in an endless loop these days. Among a deluge of reports of data breaches, violated privacy agreements, and cyber attacks in the private and public sectors, it can be hard to determine what's really safe.
And after a couple of insulin pump hacking scares a few years back, we can't help but wonder: just where do we stand regarding the safety of our diabetes devices (and the information they contain) in 2019?
The thing with risk is that it's sometimes real, and sometimes perceived. Addressing real risk leads to safety, while obsessing over perceived risk leads to fear. So what is real here? And what exactly is being done to address diabetes tech cybersecurity concerns?
Progress on Medical Cybersecurity Standards
In October 2018, the US Food and Drug Administration (FDA) issued
According to a Health Canada news release, among the med device cybersecurity recommendations in their draft guidance are: 1) incorporating cybersecurity measures into risk management processes for all devices with a software component, 2) establishing frameworks for managing cybersecurity risks on an enterprise level, and 3) verification and validation of all cybersecurity risk control processes. They specifically recommend measures such as implementation of the UL 2900 cybersecurity standard to mitigate risks and vulnerabilities.
Ken Pilgrim, Senior Regulatory Affairs & Quality Assurance consultant at Emergo Group in Vancouver, said the new guidance should prove valuable to medical device manufacturers not only in Canada but also other jurisdictions developing similar cybersecurity requirements.
Meanwhile, measures to address cybersecurity of diabetes devices specifically are rolling forward in the United States.
In late October, the Diabetes Technology Society (DTS) announced that the OmniPod DASH had become the first FDA-cleared insulin pump to receive certification under DTS’s “Standard for Wireless Diabetes Device Security” cybersecurity assurance standard and program, known as DTSec.
DTS was founded in 2001 by Dr. David Klonoff with the purpose of promoting the use and development of diabetes technology. DTSec is essentially the first organized security standard for diabetes tech. Think of it as kind of a seal of safety, similar to how we see an https web address. The standard was established in 2016 after research and input from academia, industry, government, and clinical centers. Like most standards, it's voluntary guidance for manufacturers to consider adopting and following.
Since then the organization has continued pushing cybersecurity research and risk assessment, hosting conferences, and developing more in-depth protections.
Last June, a few months before the announcement was made regarding OmniPod following DTSec, the group released new security guidance called DTMoSt, short for "Use of Mobile Devices in Diabetes Control Contexts."
According to Klonoff, Medical Director of the Diabetes Research Institute at Mills-Peninsula Medical Center, San Mateo, CA, the DTMoSt guidelines build on DTSec by becoming the first standard with both performance requirements and assurance requirements for manufacturers of connected medical devices controlled by a mobile platform.
DTMoSt identifies threats, such as malicious remote and app-based attacks and "resource starvation," to the safe operation of mobile device-enabled solutions and offers guidance to developers, regulators, and other stakeholders to help manage these risks.
Security Measures Shouldn't Hinder Use
Today, one’s glucometer, CGM, and diabetes smartphone app may all be connected to the Internet, and therefore open to some level of risk.
Yet despite the continued talk of the dangers of the Internet of Things, experts caution that the actual risk to the public is quite low. When it comes to security, bad people are just not that interested in somebody's blood glucose data (as compared to their bank account password).
That being said, investments in cybersecurity are necessary, both as preventative measures against threats and to ensure the basic security of users and customers.
But the downside is that implementing cybersecurity measures can sometimes mean making a system very hard or impossible to use for data-sharing in the way intended. The trick is to secure the system without limiting operation and access for the people it is intended for.
And what about privacy? Again and again we see that while people say they prioritize privacy, they seem to act in a contradictory manner, by consenting, scrolling, initialing, signing, and giving access to information and data with very little real thought or concern. The truth is, we consumers usually don’t read privacy policies very carefully, if at all. We just hit the 'next' button.
Offsetting Fear and Trepidation
Many in the industry caution against the adverse side of cybersecurity: a focus on fear that borders on obsession, stymies research, and could ultimately cost lives. These are people who recognize that the cyberworld, and our diabetes devices, are open to risk, but feel that overreaction is potentially more dangerous.
“The whole issue of ‘cybersecurity in devices’ gets far more attention than it deserves,” says Adam Brown, senior editor at diaTribe and author of Bright Spots & Landmines: The Diabetes Guide I Wish Someone Had Handed Me. “We need companies to move faster than they are, and cybersecurity can prompt unnecessary fear. Meanwhile, people are out there winging it with no data, no connectivity, no automation, and no support.”
Howard Look, CEO of Tidepool, D-Dad, and a key force behind the #WeAreNotWaiting movement, sees both sides of the issue, but agrees with Brown and other industry experts who fear checks on the rate of medical advancement.
“Certainly, device companies (including software as a medical device companies, like Tidepool) must take cybersecurity very, very seriously,” says Look. “We certainly do not want to create a situation where there is a risk of a mass attack on devices or apps that could harm people. But pictures of ‘hackers in hoodies’ with skull and crossbones on computer screens just scare people who don't really understand what's at stake. It causes device companies to slow down, because they are scared. It does not help them understand the right thing to do.” Look was referring to PowerPoint slides shown at diabetes medical conferences with eerie images purporting to depict cyber-dangers.
The OpenAPS and Loop do-it-yourself closed loop systems that have become popular are technically based on a "vulnerability" in older Medtronic pumps that allows for wireless remote control of these pumps. To hack the pumps, you need to know the serial number, and you need to be close to the pump for 20 seconds. “There are way easier ways to kill someone if that's what you want to do,” says Look.
Many argue that this proposed "vulnerability" in security, as scary as it might be in theory, is a huge benefit as it has allowed thousands of people to run OpenAPS and Loop, saving lives and improving quality of life and public health for those using them.
A Measured Approach to Risks
Organizations such as DTS are doing important work. Device security matters. And research and conference presentations on the topic are constants of the industry – diabetes tech and cybersecurity will be a focus of several elements of the 12th International Conference on Advanced Technologies & Treatments for Diabetes (ATTD 2019) being held later this month in Berlin. But those truths continue to exist alongside the reality that people need better tools that are less expensive, and we need them quickly.
“The hallmark of great devices is continuous improvement, not perfection,” Brown says. “That requires connectivity, interoperability, and remote software updating.”
While devices are open to risks, experts seem to agree that they are generally quite safe and secure. Going forward throughout 2019 and beyond, the consensus appears to be that while keeping an eye on cyber-risk is important, that risk is often overrated, and potentially pales against the health risks of not having advanced diabetes tools.