State of Diabetes Device Cybersecurity in 2019

Cybersecurity concerns seem to accost us in an endless loop these days. Among a deluge of reports of data breaches, violated privacy agreements, and cyber attacks in the private and public sectors, it can be hard to determine what’s really safe.

And after a couple of insulin pump hacking scares a few years back, we can’t help but wonder: just where do we stand regarding the safety of our diabetes devices (and the information they contain) in 2019?

The thing with risk is that it is sometimes real and sometimes perceived. Addressing real risk leads to safety, while obsessing over perceived risk leads to fear. So what is real here? And what exactly is being done to address diabetes tech cybersecurity concerns?

Progress on Medical Cybersecurity Standards

According to a Health Canada news release, among the med device cybersecurity recommendations in their draft guidance are: 1) incorporating cybersecurity measures into risk management processes for all devices with a software component, 2) establishing frameworks for managing cybersecurity risks on an enterprise level, and 3) verification and validation of all cybersecurity risk control processes. They specifically recommend measures such as implementation of the UL 2900 cybersecurity standard to mitigate risks and vulnerabilities.

Ken Pilgrim, Senior Regulatory Affairs & Quality Assurance consultant at Emergo Group in Vancouver, said the new guidance should prove valuable to medical device manufacturers not only in Canada but also other jurisdictions developing similar cybersecurity requirements.

Meanwhile, measures to address cybersecurity of diabetes devices specifically are rolling forward in the United States.

The Diabetes Technology Society (DTS) was founded in 2001 by Dr. David Klonoff with the purpose of promoting the use and development of diabetes technology. DTSec is essentially the first organized security standard for diabetes tech. Think of it as a kind of seal of safety, similar to how we see an https web address. The standard was established in 2016 after research and input from academia, industry, government, and clinical centers. Like most standards, it is voluntary guidance that manufacturers may choose to adopt and follow.

Since then the organization has continued pushing cybersecurity research and risk assessment, hosting conferences, and developing more in-depth protections.

According to Klonoff, Medical Director of the Diabetes Research Institute at Mills-Peninsula Medical Center, San Mateo, CA, the DTMoSt guidelines build on DTSec by becoming the first standard with both performance requirements and assurance requirements for manufacturers of connected medical devices controlled by a mobile platform.

DTMoSt identifies threats, such as malicious remote and app-based attacks and “resource starvation,” to the safe operation of mobile device-enabled solutions and offers guidance to developers, regulators, and other stakeholders to help manage these risks.

Security Measures Shouldn’t Hinder Use

Today, one’s glucometer, CGM, and diabetes smartphone app may all be connected to the Internet, and therefore open to some level of risk.

Yet despite the continued talk of the dangers of the Internet of Things, experts caution that the actual risk to the public is quite low. When it comes to security, bad people are just not that interested in somebody’s blood glucose data (as compared to their bank account password).

That being said, investments in cybersecurity are necessary as preventive measures against threats and to ensure the basic security of users and customers.

But the downside is that implementing cybersecurity measures can sometimes make a system very hard or impossible to use for data-sharing in the way intended. The trick is to avoid limiting operation and access for the people who are meant to use the system.

Offsetting Fear and Trepidation

Many in the industry caution against the adverse side of cybersecurity: a focus on fear that borders on obsession, stymies research, and could ultimately cost lives. These are people who recognize that the cyberworld, and our diabetes devices, are open to risk, but feel that overreaction is potentially more dangerous.

Howard Look, CEO of Tidepool, D-Dad, and a key force behind the #WeAreNotWaiting movement, sees both sides of the issue, but agrees with Brown and other industry experts who fear checks on the rate of medical advancement.

“Certainly, device companies (including software as a medical device companies, like Tidepool) must take cybersecurity very, very seriously,” says Look. “We certainly do not want to create a situation where there is a risk of a mass attack on devices or apps that could harm people. But pictures of ‘hackers in hoodies’ with skull and crossbones on computer screens just scare people who don’t really understand what’s at stake. It causes device companies to slow down, because they are scared. It does not help them understand the right thing to do.” Look was referring to PowerPoint slides shown at diabetes medical conferences with eerie images purporting to show cyber-dangers.

The OpenAPS and Loop do-it-yourself closed loop systems that have become popular are technically based on a “vulnerability” in older Medtronic pumps that allows for wireless remote control of these pumps. To hack the pumps, you need to know the serial number, and you need to be close to the pump for 20 seconds. “There are way easier ways to kill someone if that’s what you want to do,” says Look.

Many argue that this proposed “vulnerability” in security, as scary as it might be in theory, is a huge benefit as it has allowed thousands of people to run OpenAPS and Loop, saving lives and improving quality of life and public health for those using them.

A Measured Approach to Risks

Organizations such as DTS are doing important work. Device security matters. And research and conference presentations on the topic are constants of the industry – diabetes tech and cybersecurity will be a focus of several elements of the 12th International Conference on Advanced Technologies & Treatments for Diabetes (ATTD 2019) being held later this month in Berlin. But those truths continue to exist alongside the reality that people need better tools that are less expensive, and we need them quickly.

“The hallmark of great devices is continuous improvement, not perfection,” Brown says. “That requires connectivity, interoperability, and remote software updating.”

While devices are open to risks, experts seem to agree that they are generally quite safe and secure. Going forward throughout 2019 and beyond, the consensus appears to be that while keeping an eye on cyber-risk is important, that risk is often overrated, and potentially pales against the health risks of not having advanced diabetes tools.

This content is created for Diabetes Mine, a leading consumer health blog focused on the diabetes community that joined ishonest Media in 2015. The Diabetes Mine team is made up of informed patient advocates who are also trained journalists. We focus on providing content that informs and inspires people affected by diabetes.
