The Internet of Medical Things (IoMT) space is growing rapidly – it’s projected to grow to $187.60 billion by 2028. As this rapid growth continues, there are a number of key factors manufacturers of medical devices should consider when building IoT-enabled medical devices, including privacy and security.
And with healthcare innovation also growing at an incredible rate, the use of IoMT enables 24/7 health monitoring of patients no matter how severe their conditions are, says Tony Pietrocola, president and co-founder of AgileBlue, an autonomous security operations center and SOAR provider.
“IoMT can provide doctors and healthcare workers with more accurate information faster about the immediate conditions, which should allow for more effective and timely treatments,” Pietrocola says.
Here are the top five factors manufacturers should consider for IoMT development.
Incorporate Predictive Analytics
The intersection of predictive analytics enabled by artificial intelligence and the IoMT (an offshoot of the Internet of Things) holds immense promise, says Chad Holmes, healthcare sector vice president of Launch Consulting Group.
“In addition to helping hospitals improve operations by becoming more automated, predictive, and less costly, IoMT solutions that incorporate biometrics and predictive maintenance will help free up nurses to spend more time with patients, personalize care, and spend less time managing equipment and interpreting diagnostics, which is critical given the estimated shortage of 500,000 nurses in the U.S. by 2025,” Holmes says.
Identification/Verification Capabilities
Identification and verification capabilities are important aspects of IoMT device design as they address multiple facets of security, privacy, and accuracy, says Nathan Robbins, senior director of corporate strategy for Syniverse, a telecommunications company.
“These features ensure that if a device is taking any sort of test/reading, it will be able to confirm the identity of the person being tested to generate accurate results,” he says. “It also protects confidential information from other people that might come in contact with the device, i.e., not seeing the results from the person who used it before.”
Additionally, if there’s integration with a medical health record, these capabilities allow for a secure connection, ensuring that information is not compromised and confirming that the results are synced with the proper patient’s records, Robbins explains.
Proactively Consider Device Security/Protection
According to Robbins, manufacturers should also proactively consider device security and protection so that sensitive data doesn’t fall into the wrong hands.
He says they should use encryption protocols to protect IoMT device data in transit so that it is transmitted securely, reducing the risk of interception and unauthorized access during transmission. This will also ensure that a given device produces accurate results and/or diagnoses.
“For example, if a person is using data collected from an IoMT device to make medical decisions, such as medication quantity based on the results they get, an IoMT device secured with data encryption prevents the possibility of generating incorrect or purposely false results,” Robbins says.
Shiva Nathan, CEO and founder of Onymos Inc., developer of a features-as-a-service platform, says vulnerabilities in a medical device or the ecosystem that the medical device is part of threaten both patient privacy and patient safety.
“From the ground up, a medical device cannot be thought of as a single entity,” Nathan says. “The entire ecosystem, which a medical device is part of, needs to be reviewed for security and compliance.”
A compromised IoMT immediately impacts direct patient care, Nathan says. While a hacker’s intent might not be to directly affect patient care, the unscrupulous action of a hacker who performs a ransomware attack on a software system can negatively affect the patient.
“The hacker might not even know that the hospital system that was targeted was connected to a patient, where the impact is real,” he says. “It is no longer just [the stuff of movies] that a hacker can control the pacemaker of a patient on a plane.”
And remote patient monitoring devices, such as glucose monitors and smart watches for people with chronic diseases and long-term conditions, pose additional risks for the manufacturers of these medical devices, says Paul Schmeltzer, senior attorney, Clark Hill LLP.
“Because patients typically connect to their home internet networks, which can be unsecured, the developers should determine if their devices contain any critical vulnerabilities that could be accessed on a patient’s open network,” he says.
Risks/Benefits of Incorporating Augmented Intelligence
Given the current state of artificial intelligence and machine learning, including generative AI and large language models, no medical technology evaluation would be complete without considering the risks and benefits of incorporating augmented intelligence, says Sue Boisvert, senior patient safety risk manager at The Doctors Company, a physician-owned medical malpractice insurance company.
“Connected medical devices create a continuous data stream, which providers are responsible for parsing and acting upon,” she says. “Augmented intelligence is already being used to parse some of these data flows – notably in remote patient monitoring and hospital-at-home settings.”
She adds that the downside of massive data creation and distribution is its attractiveness to cyber criminals.
“Generative AI can potentially re-identify de-identified patient information, representing a grave threat to individual privacy,” Boisvert says. “Device developers and manufacturers must implement the best security and privacy protections and continuously anticipate what is coming next.”
Ensure Devices Comply With Privacy/Regulatory Requirements
The developers of IoMT devices need to consider whether their devices comply with countless state and federal privacy laws, according to Schmeltzer.
“The manufacturer should ensure that the collection and sharing of confidential health data from the medical device conforms with privacy laws, including the Health Insurance Portability and Accountability Act, the California Consumer Privacy Act, as amended recently by the California Privacy Rights Act, and the federal Health Information Technology for Economic and Clinical Health Act,” he says.
Sean Lord, cybersecurity product marketing director at SHI International Corp., a technology solutions provider, agrees that compliance with regulations is critical.
“Manufacturers must also be mindful of the global IoT regulatory landscape,” he says. “Consolidating your compliance efforts, keeping up to date with constantly evolving compliance mandates, and aligning your practices accordingly ensures legal adherence and bolsters overall security.”
There is also the concern that vulnerable unpatched medical devices could be used in hospitals well beyond the period that medical device manufacturers offer updates and patches, Schmeltzer adds.
In an effort to regulate the proliferation of new medical devices lacking periodic updates or patches to address security vulnerabilities, Congress passed a $1.7 trillion omnibus package in December 2022 that gave the U.S. Food and Drug Administration (FDA) authority to introduce regulations on medical device security for manufacturers, he explains.
The FDA now mandates that makers of new medical devices submit schematics to the government that offer proof that their devices can be updated, patched, and adapted as needed, as well as detail their security controls.
“Then after the device reaches the market, manufacturers must provide ongoing evidence that they are monitoring potential vulnerabilities and have a cybersecurity plan in place to remediate any potential issues that arise,” Schmeltzer says.
Lord says that manufacturers should consider when and how to update these devices at the beginning of the software development lifecycle.
“Containing devices is prudent if legacy devices can’t be updated, replaced, or switched off,” he adds. “Containment could include limiting functionality, blocking particular communication types, and performing additional inspection of traffic from IoMT devices.”
Interoperability
Building software-enabled devices for the Internet of Medical Things requires a comprehensive approach, according to Cameron van Orman, chief strategy officer at Planview, a portfolio management software provider.
“In addition to the essential considerations of privacy, security, and regulatory compliance, interoperability is paramount to ensure seamless integration with various healthcare systems and personal devices,” he says.
Neglecting interoperability can result in wasted resources, slow innovation cycles, low adoption, and frustrated end users, van Orman adds.
“Time-to-market is critical. Delays in the software ideation, planning, and delivery process impede the swift delivery of life-saving or life-altering solutions,” he says. “As a father of a type 1 diabetic, I have a personal connection to the significance of these factors, witnessing firsthand the transformative power of digitalization in medical devices, underscoring the urgency of addressing these issues to improve patient outcomes and quality of life.”
The Bottom Line
Healthcare technology exists in a complex digital ecosystem, says The Doctors Company’s Boisvert. Changes or failures in one space may ripple out, disrupting other spaces.
“Creators and healthcare professionals are responsible for evaluating the risk, likelihood, and severity of potential failure modes and developing prevention and response strategies,” Boisvert says.
“[Consequently], responsibilities for manufacturers include device safety, security, interoperability, and regulatory compliance.”