Difference between revisions of "Smart device"

From Clinfowiki
(References)
 
(5 intermediate revisions by 2 users not shown)
Line 40: Line 40:
 
==Cybersecurity==
 
==Cybersecurity==
  
High-value clinical data is easily transmitted to the hospital facilities by smart devices via mobile using Bluetooth, smartphone, or the internet after manual or automatic downloads. However, when a wireless communication mode is active, smart devices and the clinical data they store become visible to the outside healthcare environment. Simultaneously, these devices represent an unsecured channel through which attackers can tamper with previously acquired messages, steal data, disable or manipulate device functions as well as clinical data [1]. Worse, for an attacker, the smart devices provide a gateway to hospital networks to modify or monitor information stored in or connected to hospital facilities, network computers, without ever needing the attacker to be physically close to the smart devices or the devices’ carrier [2].
+
High-value clinical data is easily transmitted to the hospital facilities by smart devices via mobile using Bluetooth, smartphone, or the internet after manual or automatic downloads. However, when a wireless communication mode is active, smart devices and the clinical data they store become visible to the outside healthcare environment. Simultaneously, these devices represent an unsecured channel through which attackers can tamper with previously acquired messages, steal data, disable or manipulate device functions as well as clinical data. Worse, for an attacker, the smart devices provide a gateway to hospital networks to modify or monitor information stored in or connected to hospital facilities, network computers, without ever needing the attacker to be physically close to the smart devices or the devices’ carrier.
  
There are two types of cyberattacks conducted on smart devices: passive and active. A passive attack gains sensitive information by accessing the messages exchanged between the smart devices and the healthcare network during an insecure transmission. Valuable information, such as implant types, model, serial number, patient’s demographics and clinical history, electrical therapies, and battery status, as well as the devices’ hardware and software information, is transmitted. A classic example of a passive attack is interception that results in confidentiality and privacy violations. An active attack involves the attacker able to actively change diagnostic information or settings, such as activating or deactivating pacing or antiarrhythmic therapies or continuously requesting information to elicit an early discharge battery attack. Active cyber-attacks cause alternation, falsifications, sabotage, and interruption. Theoretically, an active attacker can reprogram smart devices for malicious purposes. However, the attacker will need to be armed with IT skills, device knowledge, and familiarity with human physiology. Fortunately, such a type of attacker profile is uncommon [3, 4].
+
There are two types of cyberattacks conducted on smart devices: passive and active. A passive attack gains sensitive information by accessing the messages exchanged between the smart devices and the healthcare network during an insecure transmission. Valuable information, such as implant types, model, serial number, patient’s demographics and clinical history, electrical therapies, and battery status, as well as the devices’ hardware and software information, is transmitted. A classic example of a passive attack is interception that results in confidentiality and privacy violations. An active attack involves the attacker able to actively change diagnostic information or settings, such as activating or deactivating pacing or antiarrhythmic therapies or continuously requesting information to elicit an early discharge battery attack. Active cyber-attacks cause alternation, falsifications, sabotage, and interruption. Theoretically, an active attacker can reprogram smart devices for malicious purposes. However, the attacker will need to be armed with IT skills, device knowledge, and familiarity with human physiology. Fortunately, such a type of attacker profile is uncommon.
  
Unlike smartphones and computers, smart devices do not get regular security updates because changes to the software will require the FDA's recertification. The FDA focused on reliability, user safety, and ease of use but not on protecting against malicious attacks, and therefore deferred cybersecurity responsibility to the manufacturers [5, 6]. From then forward, when a cybersecurity problem is identified, the first step is to report to the manufacture for its confirmation. Then, the manufacturer initiates risk mitigation operations in collaboration with the regulatory authorities (i.e., FDA) to develop appropriate software updates.   
+
Unlike smartphones and computers, smart devices do not get regular security updates because changes to the software will require the FDA's recertification. The FDA focused on reliability, user safety, and ease of use but not on protecting against malicious attacks, and therefore deferred cybersecurity responsibility to the manufacturers. From then forward, when a cybersecurity problem is identified, the first step is to report to the manufacture for its confirmation. Then, the manufacturer initiates risk mitigation operations in collaboration with the regulatory authorities (i.e., FDA) to develop appropriate software updates.
 +
 
 +
References
 +
 +
1. Halperin D, Heydt-Benjamin TS, Ransford B, et al. Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses. 2008 IEEE Symposium on Security and Privacy; Computer Science Department Faculty Publication Series, 2008;68: 129–142.
 +
2. Coventry L, Branley D. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas. 2018;113:48–52.
 +
3. Camara C, Peris-Lopez P, Tapiador JE. Security and privacy issues in implantable medical devices: A comprehensive survey. J Biomed Inform; 2015. Vol. 55, 272–289.
 +
4. Fotopoulou K, Flynn BW Optimum antenna coil structure for inductive powering of passive RFID tags. 2007;71-77. IEEE International Conference on RFID; TX, USA: Grapevine. 2007 Mar 26-28.
 +
5. Tse ZT, Xu S, Fung IC, Wood BJ. Cyber-attack risk low for medical devices. Science. 2015 Mar 20;347(6228):1323-4. doi: 10.1126/science.347.6228.1323-b. Epub 2015 Mar 19. PMID: 25792321; PMCID: PMC6663473.
 +
6. Clery D. The privacy arms race. Could your pacemaker be hackable? Science. 2015 Jan 30;347(6221):499. doi: 10.1126/science.347.6221.499. PMID: 25635085.
 +
   
  
 
Submitted by (Emily J Kuo)
 
Submitted by (Emily J Kuo)
[[Category:BMI512-SPRING-20]]
+
[[Category:BMI512-FALL-20]]
  
 
== Regulation of Medical Devices, including "Smart" Medical Devices ==
 
== Regulation of Medical Devices, including "Smart" Medical Devices ==
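Review bot: The new side of the three Cybersecurity paragraphs drops the inline markers [1], [2], [3, 4] and [5, 6], while the same revision adds a six-entry References list, so nothing in the text points at those entries any more. Keep the markers next to the claims they support, and give this list its own labels or numbering so it does not collide with the article-wide References list, which also starts at 1.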

Latest revision as of 00:58, 16 December 2020

Smart devices are mechanical devices that have been integrated with semiconductor computer chips (CPUs, memory and/or logic computer chips) in order to allow them to interface and communicate with other devices or with the Internet, in general.


Introduction

Over the past several years, the world’s consumer markets have been transformed with the design and release of smart devices. The most notable example of this is the now-ubiquitous smartphone, but it also includes other devices such as tablets, “phablets” and a large number of “wearables” like FitBits™. In the wake of this technological transformation on how people communicate and interact with the world, the healthcare industry has started to adopt this technology for its own, specific uses. Medical devices are rapidly being upgraded (or designed initially) to have these capabilities to leverage existing IT infrastructures with the goal of providing more comprehensive and real-time monitoring, sharing and analysis of medical data.

Internet of Things

The Internet of Things refers to the ever-growing number of smart devices, ranging from “smart appliances” to smartphones/tablets to wearable devices that are all talking to each other at all times. Although smartphones were the innovators driving the initial development, companies that develop products for healthcare have been quick to leverage the technology and increase the scope of the Internet of Things. Hospital and Health Networks has offered a functional definition of what qualifies a device to be considered part of the Internet of Things: a device must be aware, a device must be autonomous and a device must be actionable [1]. A device that is aware is essentially a sensor of some sort. For healthcare purposes, it might be measuring something like heart rate or body temperature. A device that is autonomous essentially performs a data transmission function on its own, based on whatever parameters with which it is programmed. For healthcare purposes, this might be, on an hourly basis, sending heart rate or temperature data that it has measured to a central database somewhere. Finally, a device that is actionable means that it is monitoring something with a specific action to be taken when a parameter enters a certain range. For healthcare purposes, it might be transmitting a warning alert to a patient’s doctor or family members when body temperature gets too high or, worse, heart rate goes to zero.

Right now, the Internet of Things in healthcare is very much in its infancy, but it has already had a significant impact on healthcare. Examples of this technology already in use include things like the consumer-based devices (FitBits), wearable devices like insulin pumps, implanted devices like pacemakers and bodily function sensors and stationary monitors like IV pumps and fetal monitors. While impressive, these initial devices still have a very limited scope of use. However, new devices that will be part of the Internet of Things are going to be released over the next several years that are going to greatly increase this scope and very likely transform healthcare.

A major topic of interest in Informatics is smart device integration with electronic medical record (EMR) systems. Smart device integration has been discussed by Rausch and Judd in 2006 (Conf Proc IEEE Eng Med Biol Soc. 2006;Suppl:6740-3) [2]. These authors mention that "interoperability between medical devices and electronic medical records (EMR) is one key to developing a system of higher quality, safety and efficient healthcare delivery."

The integration of these smart chips with medical devices can be one-way (for example, from device to EMR) or two-way communication. There are use cases for both. For example, in the case of a pulse-oximeter, one-way posting of data to the EMR from the device may be all that is necessary to automate the documentation and monitoring functions provided by the device itself. On the other hand, two-way communication via wireless networks between the EMR and smart infusion pumps has been proposed and successfully implemented, albeit in very few locations to date.

Impact on Healthcare Cost and Efficiency

In 2015, the Congressional Budget Office (CBO) estimated healthcare expenditures at 17.6% of GDP [3]. As a result, there has been increasing pressure on the U.S. healthcare system to bring cost growth more in line with inflation and to bring the overall cost of healthcare per capita more in line with other industrialized nations. Consequently, healthcare organizations now have a much stronger incentive to be more productive and efficient with their resources. The increasing use of smart device technology in healthcare will enable these organizations to make many of their processes more efficient and effective, which will allow them to see lower costs and better outcomes.

The adoption of managing chronic illness utilizing mobile phone technology may ultimately lead to a reduction in hospital admissions and subsequently a reduction in healthcare dollars being spent. For the complex management of chronic disease, usability and user-interface design are of prime importance. New touch interfaces, such as the iPhone, are a considerable improvement in terms of usability. As mobile phone technology improves, the ‘average phone’ will be equipped with optimal device features such as SMS/MMS, glucometers, air sensors and GPS. Smith, Joshua C., and Bruce R. Schatz. "Feasibility of Mobile Phone-Based Management of Chronic Illness." Proc. of AMIA 2010 Symposium, Washington, D.C. Web. 20 Jan. 2011.

Improving preventive care has always been one of the staples of any strategy geared towards improving overall health outcomes and lowering the cost of health care. In turn, one of the staples of any strategy to improve preventive care has always been to better engage people to take a more active role in their own care. Over the past several years, one of the most dramatic transitions that has occurred that encompasses both is the increasing number of people using personal fitness devices to track their heart rates and activity levels. The best-known of these devices is probably the FitBit™ [4], although there are a multitude of products already released in this market space.

One of the things to which healthcare organizations are turning in order to increase productivity and efficiency is data. The potential for these improvements exists in all facets of data use. As such, health care organizations are looking for better ways to collect data, transfer data, store data, analyze data, access data and share and leverage data. Smart devices greatly assist this effort by automating more data collection, transmission and storage, making these data processes cheaper, quicker and more efficient.

Device integration can be one-way (from device to EMR) or two-way communication. There are use cases for both. For example, in the case of a pulse-oximeter, one-way posting of data to the EMR from the device may be all that is necessary to automate the documentation and monitoring functions provided by the device itself. On the other hand, two-way communication via wireless networks between the EMR and smart infusion pumps has been proposed and successfully implemented, albeit in very few locations to date.

Impact on Macroscopic Healthcare

Moving beyond the patient-specific and object-specific applicability of data obtained by smart devices, there is another, very powerful application available to the healthcare industry associated with this technology. This is the massively-parallel aggregation of smart device information to form ultra-large data sets on medical information. There is already an existing precursor to this in a non-healthcare function. This is real-time data updates on traffic conditions. There is information on the Internet that is interfaced via web browsers, smartphones or automobile navigation systems that shows areas of traffic congestion. Although not the sole source of this data, a lot of this data comes from the aggregation of drivers’ and riders’ GPS data. When analytic software fed with this data sees clusters of slow-moving smartphones along highways, it designates that as an area with traffic congestion and then makes calculations to figure out just how bad the situation is. The results of these calculations are then made available on the Internet so that anyone using a traffic app can see this data in real time. Localized apps (in car or on a web page) take this a step further by providing alternate routes, also in real time.

Healthcare organizations will be leveraging medical smart devices in a similar, but much larger-scale, fashion. Imagine the medical data sets that could be generated by millions (billions?) of smart devices/sensors that collect any and all manner of medical data with GPS-location and time stamps and then provide them to centralized data warehouses for everyone to access. As long as the system addressed general privacy and patient-specific confidentiality issues by stripping out any information that could link a specific data point to a specific person, the impact on healthcare would be profound. These data sets could provide insights on gender-, race-, age-, location- and any other reasonable specific characteristics associated with any medical data that these devices measure. This data would allow policy makers and healthcare organizations to more accurately target resources for treatment and research that would potentially result in far more (overall) positive healthcare outcomes than could be ordinarily achieved. Imagine an outbreak of a dangerous disease with well-defined symptoms. A network of smart devices that measure these symptoms could provide real-time data to the proper authorities and allow containment to be achieved much more quickly, which could save many lives that would otherwise be lost. Even at a smaller scale, there would be many benefits. Imagine a hospital completely empowered with these devices combined with smart, trained people being supported by advanced analytic software. Hospital operations could potentially see a greatly increased level of efficiency and greatly improved health outcomes, thereby reducing costs and, in turn and in aggregate, reducing the healthcare cost burden on the entire economy.

Speculation about the Future of Smart Devices in Healthcare

While the market for patient (wearable and implantable) smart devices begins to grow, the healthcare market for smart devices that are associated with objects and not people will continue to grow as well. The non-healthcare market has already created a footprint with things such as Internet-linked televisions, cameras and miscellaneous devices. The healthcare market is poised to follow by applying this technology. Smart devices like a refrigerator that checks inventory and orders proper food online automatically can help take the inconvenience out of maintaining a healthy diet. A device like a smart medicine cabinet can track your medicinal inventories and prescriptions and promptly refill quantities, as needed. Other items like beds or sofas or car seats could do things like monitor bodily vitals or monitor the quality of sleep (alerting possible apnea cases) and provide this data to a person’s health provider, adding more useful data to their health records. In addition, one needs to keep machines such as automobiles and airplanes in mind. Although they are a bit out of scope in a pure healthcare discussion, the positive effect on health outcomes (i.e. fewer crash injuries and fatalities) for these smart, connected vehicles cannot be overlooked. Automobiles, in particular, have moved in lock-step with the smartphone revolution, providing interfacing with smartphones and all of their functionality. Of course, there have also been unintended, negative health-related consequences of the intersection of automobiles with smartphones (i.e. texting while driving).

Cybersecurity

Smart devices readily transmit high-value clinical data to hospital facilities over Bluetooth, a smartphone, or the internet after manual or automatic downloads. However, when a wireless communication mode is active, smart devices and the clinical data they store become visible to the environment outside the healthcare setting. At the same time, these devices represent an unsecured channel through which attackers can tamper with previously acquired messages, steal data, and disable or manipulate device functions as well as clinical data. Worse, the smart devices give an attacker a gateway into hospital networks, where the attacker can modify or monitor information stored in or connected to hospital facilities and network computers without ever needing to be physically close to the smart devices or the devices’ carrier.

There are two types of cyberattacks conducted on smart devices: passive and active. A passive attack gains sensitive information by accessing the messages exchanged between the smart devices and the healthcare network during an insecure transmission. The information transmitted is valuable: implant type, model, serial number, the patient’s demographics and clinical history, electrical therapies, and battery status, as well as the devices’ hardware and software information. A classic example of a passive attack is interception that results in confidentiality and privacy violations. In an active attack, the attacker changes diagnostic information or settings, such as activating or deactivating pacing or antiarrhythmic therapies, or continuously requests information to cause an early battery discharge. Active cyber-attacks cause alteration, falsification, sabotage, and interruption. Theoretically, an active attacker can reprogram smart devices for malicious purposes. However, the attacker would need IT skills, device knowledge, and familiarity with human physiology. Fortunately, such an attacker profile is uncommon.
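The active attacks named above (altered messages, re-sent "previously acquired" messages, and continuous requests meant to drain the battery) can each be refused on the device side. The sketch below is an added example, not code from any device, vendor or cited paper: the frame layout, command code, key and failure budget are assumptions, and it covers integrity and freshness only, so confidentiality against passive interception would additionally require encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # HMAC-SHA256 tag length in bytes
HEADER = struct.Struct(">QB")  # assumed layout: 8-byte counter, 1-byte command


def seal(key: bytes, counter: int, command: int, payload: bytes) -> bytes:
    """Sender side: counter || command || payload || HMAC over all three."""
    body = HEADER.pack(counter, command) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class DeviceReceiver:
    """Device side: accept a frame only if it is authentic, fresh and in budget."""

    def __init__(self, key: bytes, max_failures: int = 3):
        self._key = key
        self._last_counter = 0      # highest counter accepted so far
        self._failures = 0          # bad frames seen in the current window
        self._max_failures = max_failures

    def new_window(self) -> None:
        """Reset the failure budget (driven by a timer on a real device)."""
        self._failures = 0

    def receive(self, frame: bytes):
        # Battery-drain defence: once the budget is spent, do no further
        # crypto work and send no reply until the next window.
        if self._failures >= self._max_failures:
            return "ignored", None
        if len(frame) < HEADER.size + TAG_LEN:
            return self._reject("malformed")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return self._reject("bad tag")           # altered or forged
        counter, command = HEADER.unpack_from(body)
        if counter <= self._last_counter:
            return self._reject("replay")            # previously captured frame
        self._last_counter = counter
        return "accepted", (command, body[HEADER.size:])

    def _reject(self, reason: str):
        self._failures += 1
        return "rejected: " + reason, None


def demo():
    key = bytes(range(32))                 # constructed demo key
    device = DeviceReceiver(key)
    first = seal(key, 1, 0x01, b"read-battery")    # constructed sample frame
    tampered = bytearray(seal(key, 2, 0x01, b"read-battery"))
    tampered[HEADER.size] ^= 0x01          # flip one payload bit in transit
    outcomes = [
        device.receive(first)[0],          # genuine frame
        device.receive(first)[0],          # same frame sent again
        device.receive(bytes(tampered))[0],
        device.receive(b"\x00" * 8)[0],    # junk; third failure spends the budget
        device.receive(seal(key, 3, 0x01, b"read-battery"))[0],
    ]
    device.new_window()
    outcomes.append(device.receive(seal(key, 3, 0x01, b"read-battery"))[0])
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fifth frame is genuine but is ignored because the budget is already spent, which shows the trade-off of this defence: a flood of bad frames can temporarily lock out a legitimate sender, so the window length and budget have to be chosen with clinical access in mind.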

Unlike smartphones and computers, smart devices do not get regular security updates because changes to the software require the FDA's recertification. The FDA focused on reliability, user safety, and ease of use but not on protecting against malicious attacks, and therefore deferred cybersecurity responsibility to the manufacturers. Since then, when a cybersecurity problem is identified, the first step is to report it to the manufacturer for confirmation. Then, the manufacturer initiates risk mitigation operations in collaboration with the regulatory authorities (i.e., FDA) to develop appropriate software updates.

References

  1. Halperin D, Heydt-Benjamin TS, Ransford B, et al. Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses. 2008 IEEE Symposium on Security and Privacy; Computer Science Department Faculty Publication Series, 2008;68: 129–142.
  2. Coventry L, Branley D. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas. 2018;113:48–52.
  3. Camara C, Peris-Lopez P, Tapiador JE. Security and privacy issues in implantable medical devices: A comprehensive survey. J Biomed Inform; 2015. Vol. 55, 272–289.
  4. Fotopoulou K, Flynn BW. Optimum antenna coil structure for inductive powering of passive RFID tags. 2007;71-77. IEEE International Conference on RFID; TX, USA: Grapevine. 2007 Mar 26-28.
  5. Tse ZT, Xu S, Fung IC, Wood BJ. Cyber-attack risk low for medical devices. Science. 2015 Mar 20;347(6228):1323-4. doi: 10.1126/science.347.6228.1323-b. Epub 2015 Mar 19. PMID: 25792321; PMCID: PMC6663473.
  6. Clery D. The privacy arms race. Could your pacemaker be hackable? Science. 2015 Jan 30;347(6221):499. doi: 10.1126/science.347.6221.499. PMID: 25635085.


Submitted by (Emily J Kuo)

Regulation of Medical Devices, including "Smart" Medical Devices

In the United States, the Food and Drug Administration provides regulatory oversight for medical devices, including some "smart" devices such as smart infusion pumps (see www.fda.gov/CDRH/510khome.html#download) [5].

The FDA program governing these devices takes its name from section 510(k) of the Food, Drug and Cosmetic Act which requires manufacturers to register and notify FDA before marketing a medical device. 510(k) is known also as Premarket Notification (PMN).

Specific Examples

Related Articles

References

  1. Glaser, John. How The Internet of Things Will Affect Health Care. http://www.hhnmag.com/Daily/2015/June/internet-of-things-health-care-glaser
  2. Judd, TM and Rausch, TL. The Development of an Interoperable Roadmap for Medical Devices (2006). Conf Proc IEEE Eng Med Biol Soc;Suppl:6740-3 http://www.ncbi.nlm.nih.gov/pubmed/17959500
  3. National Health Expenditures Data. Centers for Medicare and Medicaid Services. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/NationalHealthExpendData/NationalHealthAccountsHistorical.html
  4. https://www.fitbit.com/
  5. U.S. Food and Drug Administration. http://www.fda.gov/CDRH/510khome.html


Submitted by Shannon Barksdale