Many medical devices in use today were developed before the time of smartphones and IoT-connected devices. Medical device security, historically, has been built around an understanding that physical security is what you’re trying to achieve - focusing on gating the physical access to the device, removing the user controls, relying on a medical professional to reprogram device settings. Previously, if you were holding it, you were trained and qualified to use it, but that doesn’t apply in an electronically connected world.
Machines as we know them today don’t exist on an island. Medical devices serving the healthcare landscape of the future will be connected to networks and to other devices, and securing devices like these is far more complex. As we connect these machines to other aspects of our lives, we have to reexamine what security is.
When companies took the first steps of adding wireless capabilities to their products without taking the time to do that reexamination, they opened up the possibility of people tampering with these things at a distance. My own DIY efforts to build better tools to manage my wife and son’s type 1 diabetes and others in the broader DIY diabetes movement exploited this blindness on the part of medical device companies and highlighted new opportunities for leveraging the world around us to use a smartphone and the internet to propagate data, store data, and fit these devices into a broader world.
Consumers are now increasingly demanding connected treatment systems that are intuitive and easy to use the way that consumer technologies are, but without robust security, systems like these will be a nonstarter. The reality is that any connected device has the potential to be targeted by hackers. Keeping these attacks at bay takes a reimagining of medical device design - a strategy session that begins on day one - and partnerships with forward-looking entities who understand the security challenges of connected platforms.
At Bigfoot, we have challenged ourselves to engineer a system that includes things we do not control. While traditional device manufacturers are taking a design that was built to be a standalone system and attempting to add a phone or network to it, we are designing systems understood from the outset to be part of a larger technology ecosystem. That requires us to make decisions about how to enable that design - where the security and intelligence lie - with the phone in mind from the beginning. We have had to build a dynamic system that will be changing because the world around us is changing.
Success at this requires that your team know the constraints and limitations of commercial off-the-shelf smartphone ecosystems and the impacts they have on life-critical medical device systems that utilize them. It presupposes that you understand how change happens and is managed through updates and new operating systems. It requires that you develop technologies so that you are always able to maintain secure operations throughout the ongoing lifecycle of mobile devices and their ecosystems.
Designing with cybersecurity top of mind - and working with the right partners to get it right - is one of the most important aspects of our product development.
Partners in Security
Over the years, there has been a chorus of voices saying the Food and Drug Administration had fallen far behind the times and lacked the expertise to properly analyze digital health products or put a security framework in place for connected devices.
That is no longer the case. The agency has been issuing new guidances on digital health and mobile medical applications, launching new initiatives and plans to streamline the regulatory process and, most recently, announcing it will enhance and modernize its approach on the crucial matter of ensuring security for connected devices.
There are also other partners beyond regulatory agencies that device developers need to seek out if they want to take a modern approach to security.
Diabetes Technology Society (DTS), a nonprofit organization promoting development and use of technology in diabetes, is developing a cybersecurity standard called the Diabetes Technology Society Mobile Platform Controlling a Diabetes Device Security and Safety Standard (DTMoSt). I am pleased to hold a seat on this steering committee as we focus on creating guidance for diabetes device mobile platform security and safety standards that builds upon the original work of the DTSec security profiles.
Since Bigfoot Biomedical’s insulin delivery solutions will leverage the capabilities of smartphones, we also work with the companies that develop mobile phones and the operating systems that power them.
We are particularly honored to have been invited to demonstrate a use case in a session at Google I/O 2018, Google’s annual developers conference, to show how we could use the Android Protected Confirmation API to secure communications within our system. This potential use case for Android’s enhanced security features, alongside use cases such as financial institution security, is something Google is ready to explore as healthcare becomes an increasingly connected landscape.
Understanding both the potential and the vulnerabilities of a connected landscape through our work with these various stakeholders has been critical in designing systems we intend to offer to millions of people managing insulin-requiring diabetes, and to do so with the confidence that our systems are as secure as they can be from unauthorized entry.
It Takes a New Mindset
A new mindset is a major effort, and it begins in-house.
At Bigfoot Biomedical, we’ve assembled an impressive team from a range of different backgrounds. We have an internal clinical team that understands the challenges of implementation in the care environment and directly informs the product development and engineering team members with a significant track record of securing IoT devices and networks. Since our systems need to be intuitive and easy to use for broad adoption, we have team members with experience in designing connected consumer technologies, systems that need to be simple to use across a broad population.
Bringing together experts from diverse backgrounds and getting them to work together for a common goal is a huge undertaking, but just as we have sought out partnerships with other innovators, we feel it is the only way to solve the hard problem we’ve set out to solve. At the end of the day, we believe our approaches to security in the foundational design of our systems will result in systems that will make life easier for millions of people managing insulin-requiring diabetes.