Addressing the Need for Protecting Cybersecurity in Connected Diabetes Devices

IEEE 2621™ Series Defines a Foundational Security Framework and Specifies Requirements for Cybersecurity Assurance

Array

IEEE Standards Association (IEEE SA) has published a series of standards that will help manufacturers of connected diabetes devices (CDDs) develop more secure and therefore safer products. The new standards also will provide grounds for confidence to stakeholders, including patients and consumers, that a CDD device meets its cybersecurity claims.

The Growing Need for Protecting Patient Data

A growing number of people with diabetes are turning to wireless diabetes devices to monitor and manage their condition in an automated fashion, with wireless automatic transfer of data and treatment commands. As part of the digital revolution, currently designed CDDs are capable of reporting information. CDDs include blood glucose monitors, continuous glucose monitors, insulin pumps, smart insulin injection pens, and automated insulin dosing systems.

For example, data generated by a continuous glucose monitor is wirelessly transmitted to an app on a smartphone, smartwatch, or other devices, or to a cloud platform. Not only is this device used to issue alerts when glucose levels are out of range, but the continuing flow of data enables patients and healthcare professionals to see trends and patterns, which provide a more complete, nuanced picture of an individual’s status.

For automated insulin dosing systems, the data is also used to direct a CDD worn by the patient to dispense insulin in controlled amounts at certain times.

As interconnections and data exchanges increase among CDDs, smart devices, and networks via wireless protocols, there is also an increased risk to safety and privacy of the patient.

However, as interconnections and data exchanges increase among CDDs, smart devices, and networks via wireless protocols, there also is an increased risk to safety and privacy of the patient, as well as to the integrity and availability of data shared with the healthcare professional.

In some cases, the smartphone or other device which hosts the CDD app may be an older model that may lack important security capabilities and updates. Although this has not been reported, someone then might be able to maliciously hack into it, intercept glucose readings and alter them, or send inappropriate commands to an insulin pump. Another example of a potential cybersecurity shortcoming occurs when a patient combines CDD components having disparate security protocols into a system.

Thus, there is now a need for better ways to more safely control how a patient’s data is collected, stored, and used, while still maintaining CDD functionality. There is also a need to address the different needs of stakeholders in CDDs and manufacturers’ cybersecurity claims.

The recently published IEEE 2621™ series of standards defines the concept of cybersecurity assurance for wireless diabetes devices, specifies security requirements, and provides instructions on how to achieve that assurance.

IEEE 2621 Standards Series Specifies a Comprehensive, Multi-Level Approach to Wireless Diabetes Device Cybersecurity

Developed by a diverse group of IEEE SA volunteers in an open, collaborative process in concert with the IEEE Engineering in Medicine and Biology Society (EMBS), the IEEE 2621 series addresses the needs of a broad set of diverse stakeholders.

Their recommendations are directed at device manufacturers and testing laboratories, and also provide useful guidance to clinicians, regulators, certification bodies, independent cybersecurity and privacy experts, software developers, healthcare organizations, and payers.

The IEEE 2621 series helps manufacturers to identify relevant threats, establish appropriate security objectives to counter them, and create security requirements.

It will help diabetes device manufacturers better balance the need for security with the need for usability and safe clinical application of a device, and allows for multiple levels of assurance requirements in order to inform and satisfy the needs of stakeholders. It encompasses basic, enhanced-basic, and moderate levels of assurance, and addresses both medical devices and mobile applications that control medical device technology, which each have stringent real-time, high-availability requirements.

Furthermore, the IEEE 2621 series provides instructions for manufacturers on how to document the security of connected medical devices and their interoperable components so that they can be used safely with consumer mobile devices such as smartphones in the control of CDDs.

Because of the increased attention paid to cybersecurity vulnerabilities by regulatory bodies, the development of cybersecurity standards and conformity assessment programs, such as the IEEE 2621 Conformity Assessment Program, may lead to a more consistent and robust approach to developing and supporting security in diabetes devices.

This series of standards will support secure communication for wireless diabetes devices such as blood glucose monitors, continuous glucose monitors, insulin pumps, smart insulin pens, and automated insulin dosing systems. The IEEE 2621 series include the following standards:

Get Involved in the Conformity Assessment Program to Access Complimentary IEEE 2621 Standards

The IEEE 2621 series is the first set of medical device cybersecurity standards that embodies both performance requirements and a program for confidence that those requirements have been met. As such, it may serve as a best practice model that could be tailored for use with other types of connected medical devices and used as part of an integrated risk-management program.

Participants of the IEEE 2621 Conformity Assessment Committee (CAC) will receive complimentary copies of the IEEE 2621 series of standards.

Get Involved Today

Authors:

  • David Kleidermacher, Co-Chair, IEEE 2621™ Healthcare Device Security Assurance Working Group; VP Engineering, Android Security and Privacy at Google
  • Dr. David Klonoff, Co-Chair, IEEE 2621™ Healthcare Device Security Assurance Working Group; Medical Director, Diabetes Research Institute at Mills-Peninsula Medical Center, Clinical Professor of Medicine at UC San Francisco
  • Kevin Nguyen, IEEE 2621™ Healthcare Device Security Assurance Working Group; Bioengineering Administrator at Diabetes Technology Society
  • Naomi Schwartz, IEEE 2621™ Healthcare Device Security Assurance Working Group; Scientific Reviewer at the U.S. Food and Drug Administration (FDA)
  • Nicole Xu, Secretary, IEEE 2621™ Healthcare Device Security Assurance Working Group; Cybersecurity Administrator at Diabetes Technology Society

Share this Article