- A growing number of people with diabetes are turning to wireless diabetes devices to monitor and manage their condition.
- As wireless interconnections and data exchanges increase among connected diabetes devices (CDDs), smart devices, and networks, there also is an increased risk to safety and privacy of the patient.
- The IEEE 2621™ series of standards will contribute to a more consistent and robust approach to developing and supporting security in diabetes devices.
- Participants of the IEEE 2621 Conformity Assessment Program will receive complimentary copies of the IEEE 2621 series.
IEEE Standards Association (IEEE SA) has published a series of standards that will help manufacturers of connected diabetes devices (CDDs) develop more secure and therefore safer products. The new standards also will provide grounds for confidence to stakeholders, including patients and consumers, that a CDD device meets its cybersecurity claims.
The Growing Need for Protecting Patient Data
A growing number of people with diabetes are turning to wireless diabetes devices to monitor and manage their condition in an automated fashion, with wireless automatic transfer of data and treatment commands. As part of the digital revolution, currently designed CDDs are capable of reporting information. CDDs include blood glucose monitors, continuous glucose monitors, insulin pumps, smart insulin injection pens, and automated insulin dosing systems.
For example, data generated by a continuous glucose monitor is wirelessly transmitted to an app on a smartphone, smartwatch, or other devices, or to a cloud platform. Not only is this device used to issue alerts when glucose levels are out of range, but the continuing flow of data enables patients and healthcare professionals to see trends and patterns, which provide a more complete, nuanced picture of an individual’s status.
For automated insulin dosing systems, the data is also used to direct a CDD worn by the patient to dispense insulin in controlled amounts at certain times.
However, as interconnections and data exchanges increase among CDDs, smart devices, and networks via wireless protocols, there also is an increased risk to safety and privacy of the patient, as well as to the integrity and availability of data shared with the healthcare professional.
In some cases, the smartphone or other device which hosts the CDD app may be an older model that may lack important security capabilities and updates. Although this has not been reported, someone then might be able to maliciously hack into it, intercept glucose readings and alter them, or send inappropriate commands to an insulin pump. Another example of a potential cybersecurity shortcoming occurs when a patient combines CDD components having disparate security protocols into a system.
Thus, there is now a need for better ways to more safely control how a patient’s data is collected, stored, and used, while still maintaining CDD functionality. There is also a need to address the different needs of stakeholders in CDDs and manufacturers’ cybersecurity claims.
The recently published IEEE 2621™ series of standards defines the concept of cybersecurity assurance for wireless diabetes devices, specifies security requirements, and provides instructions on how to achieve that assurance.
IEEE 2621 Standards Series Specifies a Comprehensive, Multi-Level Approach to Wireless Diabetes Device Cybersecurity
Developed by a diverse group of IEEE SA volunteers in an open, collaborative process in concert with the IEEE Engineering in Medicine and Biology Society (EMBS), the IEEE 2621 series addresses the needs of a broad set of diverse stakeholders.
Their recommendations are directed at device manufacturers and testing laboratories, and also provide useful guidance to clinicians, regulators, certification bodies, independent cybersecurity and privacy experts, software developers, healthcare organizations, and payers.
The IEEE 2621 series helps manufacturers to identify relevant threats, establish appropriate security objectives to counter them, and create security requirements that meet those objectives. It will help diabetes device manufacturers better balance the need for security with the need for usability and safe clinical application of a device, and allows for multiple levels of assurance requirements in order to inform and satisfy the needs of stakeholders. It encompasses basic, enhanced-basic, and moderate levels of assurance, and addresses both medical devices and mobile applications that control medical device technology, which each have stringent real-time, high-availability requirements.
Furthermore, the IEEE 2621 series provides instructions for manufacturers on how to document the security of connected medical devices and their interoperable components so that they can be used safely with consumer mobile devices such as smartphones in the control of CDDs.
Because of the increased attention paid to cybersecurity vulnerabilities by regulatory bodies, the development of cybersecurity standards and conformity assessment programs, such as the IEEE 2621 Conformity Assessment Program, may lead to a more consistent and robust approach to developing and supporting security in diabetes devices.
This series of standards will support secure communication for wireless diabetes devices such as blood glucose monitors, continuous glucose monitors, insulin pumps, smart insulin pens, and automated insulin dosing systems. The IEEE 2621 series include the following standards:
- IEEE 2621.1™-2022, Standard for Wireless Diabetes Device Security Assurance Evaluation: Connected Electronic Product Security Evaluation Programs, defines a framework for a connected device security evaluation program. It incorporates best practices related to the use of CDDs in medical contexts and will help connected electronic products deliver the security protections deemed necessary and sufficient by an appropriate set of stakeholders.
- IEEE 2621.2™-2022, Standard for Wireless Diabetes Device Security: Information Security Requirements for Connected Diabetes Solutions, describes CDD functional requirements intended to be used within a security evaluation program. The standard provides guidance on how to identify and counter relevant threats, and to differentiate between mandatory and optional security requirements. It defines multiple levels of assurance, helping product developers and certification bodies to address the varying and evolving needs of disparate situations, deployments, treatment criticalities, and device types.
- IEEE 2621.3™-2022, Recommended Practice for Wireless Diabetes Device Security: Use of Mobile Devices in Diabetes Control Contexts, defines recommendations for the use of mobile devices in diabetes contexts, as deemed necessary and sufficient by an appropriate set of stakeholders. These recommendations are intended to be used within a security evaluation program.
Get Involved in the Conformity Assessment Program to Access Complimentary IEEE 2621 Standards
The IEEE 2621 series is the first set of medical device cybersecurity standards that embodies both performance requirements and a program for confidence that those requirements have been met. As such, it may serve as a best practice model that could be tailored for use with other types of connected medical devices and used as part of an integrated risk-management program.
Participants of the IEEE 2621 Conformity Assessment Committee (CAC) will receive complimentary copies of the IEEE 2621 series of standards. Get involved today.
- David Kleidermacher, Co-Chair, IEEE 2621™ Healthcare Device Security Assurance Working Group; VP Engineering, Android Security and Privacy at Google
- Dr. David Klonoff, Co-Chair, IEEE 2621™ Healthcare Device Security Assurance Working Group; Medical Director, Diabetes Research Institute at Mills-Peninsula Medical Center, Clinical Professor of Medicine at UC San Francisco
- Kevin Nguyen, IEEE 2621™ Healthcare Device Security Assurance Working Group; Bioengineering Administrator at Diabetes Technology Society
- Naomi Schwartz, IEEE 2621™ Healthcare Device Security Assurance Working Group; Scientific Reviewer at the U.S. Food and Drug Administration (FDA)
- Nicole Xu, Secretary, IEEE 2621™ Healthcare Device Security Assurance Working Group; Cybersecurity Administrator at Diabetes Technology Society