3 Major Problems With the Medical Device and Wearables Market in 2019

by HITC Staff 05/29/2019


Technology can improve human life in significant ways and aid in the fight against troublesome illnesses. Unfortunately, no technology is perfect — and newer technologies are especially prone to growing pains.

There are three major problems in today’s medical devices and wearables market: potential sabotage of the devices themselves, devices as a backdoor into networks and patient data, and device manufacturers taking advantage of regulatory loopholes to get their products on the market.

1. Many Devices Are Vulnerable to Tampering

When the Department of Homeland Security issues a warning about the security of a medical device, you know there’s cause for alarm. That was the case recently with implantable cardioverter defibrillators (ICDs) from Medtronic.

According to the DHS report, some of the potential for misuse and patient harm seems to represent an entirely new category of cybercrime:

– In addition to implantable defibrillators, the DHS warning also extended to pacemakers.

– These products provide doctors with the means to use radio wave connectivity to make remote changes to patient implants.

The DHS warning indicates that cybercriminals with “low-level” skills could access these devices and make changes to how they function. The only mitigating factor is that the would-be cybercrime would have to take place in close proximity to the patient.

One solution to this problem began to take shape at the beginning of 2019. In light of this and other worries, the U.S. Food and Drug Administration will begin allowing the public to study previously secret files detailing known problems with medical device functionality and potential vulnerabilities. These “alternative summary reports” contain information on two million cases where patients or physicians reported “problematic” behavior or functionality in medical devices.

Brian Saucier, security architect for infrastructure, cloud, and security at NTT DATA Services, told HIT Consultant that, while the FDA requires a Premarket Approval (PMA) process for any medical devices that could pose significant risk of injury or illness, the FDA does not prescribe specific cybersecurity standards for device manufacturers to follow.

“[I]nstead [the FDA] publishes guidance describing how software enabled (and especially network capable) medical device manufacturers or resellers can successfully navigate the PMA process,” Saucier says. “The core element of the guidance is the NIST cybersecurity framework.”

However, Saucier points out that “The NIST framework also does not specify specific controls or security protocols but establishes a comprehensive approach to managing cybersecurity risk.” This approach, he says, involves identifying and understanding the risks associated with software enabled medical devices, establishing detection controls to identify cybersecurity events and enabling recovery capabilities in the event of a cybersecurity issue.

In addition to these official channels, independent security researchers continue to study and report on the problem of cyber-vulnerabilities in medical devices broadly and Medtronic devices specifically. Billy Rios and Jonathan Butts, two cybersecurity researchers, raised alarm over insulin pumps and other devices remaining open to potential attack.

At the end of 2018, in light of these findings, the FDA issued warnings to doctors and Medtronic. In response, Medtronic issued a software update, but not before acknowledging they had taken “entirely too long to process, validate and mitigate” the researchers’ findings.

“Medical devices and wearables operate in a unique technology space with roots in standard enterprise Information technology (IT), industrial/operational technology (OT), and Internet-of-things (IoT) technology,” Saucier says. “The medical technology field inherited challenges from all three of these sectors.”

2. Unprotected Networks and Devices Provide a Back Door for Ransomware Attacks

Each year, the medical devices market grows by about 20%. But tampering with intent to cause bodily harm is just one type of potential misuse. Some of the others are familiar to any internet user. Patient monitoring tools, telemedicine portals, and wearable health devices all represent potential endpoints for cyber attacks — including fraud and ransomware.

“Ransomware is a challenge across all industries today including healthcare,” says Ross Carevic, director of technology sourcing at Vizient, where he leads the company’s Medical Device Cybersecurity Task Force. “From a health care perspective, it’s particularly challenging given the thousands of different device types create a much broader attack surface for hackers.”

In a hospital setting, any poorly protected terminal, Wi-Fi network or medical device could be used to grant access to the wider network. This puts patient health information (PHI) at extraordinary risk for health care systems. For black market data brokers, health information is even more valuable than credit card information. Instead of inflicting direct financial harm, thieves can use patient records to file fraudulent insurance claims, order prescriptions and more. Compared with financial credentials, which tend to be reported to banks quickly, medical information is sometimes still in use by hackers long after a known breach.

“In the case of medical devices,” says Carevic, “some of the types of vulnerability assessments that suppliers should be regularly implementing include port scanning, penetration testing, fuzz testing, and reverse engineering of critical binaries to ensure the software is doing what it was designed to do and nothing else. In addition, where possible the devices should be running commercial antivirus software to quickly identify and prevent malicious activity on the device before it’s impacted by something unintended like ransomware.”

As for ransomware, in 2018, some 18% of health care entities reported experiencing ransomware attacks or malware attacks made through their devices in the previous 18 months. For patients and health care systems, this is a wake-up call.

With these findings in mind, the FDA and DHS have new information-sharing processes in place to help device manufacturers and regulators communicate more effectively about cybersecurity issues. In what they call a memorandum of understanding, the DHS will coordinate communications between “stakeholders” — including the DHS, the FDA, medical device companies, researchers and others. The goal is to speed up coordination between parties and alert physicians and the public about problems more quickly than was possible before.

Another necessary step began taking shape in October 2018, when the FDA also issued its “premarket cybersecurity guidance” with the goal of encouraging security-mindedness long before devices become available for purchase.

3. Imperfect or Incomplete Approval Processes

Finally, we arrive at what, in some cases, might be the proximate cause of patient harm as a result of cyber-vulnerabilities.

The FDA’s approval process for medical devices has slowly been compromised by lobbying over the years to the point where device manufacturers don’t have to furnish proof that their devices actually do what they claim. Several loopholes also make it easy for device makers to get their products on the market even without proper testing.

Even some high-risk devices like surgical meshes and gastric balloons made headlines recently due to questions about their safety and effectiveness. Adding fuel to the fire is a 2008 Supreme Court decision which barred patients and their families from suing device manufacturers in some circumstances.

There is generally no way to conduct deliberate, detailed and large-scale surveillance for device safety and functionality. It can take years for safety issues to become common knowledge, and manufacturers generally under-report problems with their devices.

Philips demonstrates one way to investigate how products are performing, how they’re used and how they undergo repairs after the initial sale. Medical device manufacturers must demonstrate similar interest in proactively seeking and acting on data regarding the real-world performance of high-risk devices.

In most cases, the FDA provides a “self-registration” process — not an approval process. Thanks to this distinction, companies frequently misclassify their devices as similar to existing products using the “501(k)” process, which exempts the company from providing evidence of its efficacy. This is true even for “Class II” medical devices, which are considered “high-risk” if misused or if they malfunction.

To solve the problem of exploitable oversights in the approval process, lawmakers and the public need to be more wary of changes to the law promising to “speed innovation.” There’s abundant proof — one physician likened the situation to a massive cover-up — that device manufacturers frequently overstate the effectiveness of their products in their desire to get to the market before competitors.

As we’ve seen, though, each of these major problems with the health care device market has captured the attention of regulators and concerned citizens. With the efforts outlined here, including improved information-sharing, wider attention from concerned journalists and the exposure of previously hidden reports, we’re laying the framework for a safer and more transparent industry.
