Online Exclusives

Growing Demand, Rising Risk: Securing Connected Diabetes Devices

The IEEE 2621 standard sets the benchmark for connected healthcare device cybersecurity, aligning seamlessly with FDA requirements and global regulatory guidance.

By: Maria Palombini

Healthcare & Life Sciences Global Practice Lead at IEEE Standards Association (IEEE SA)


According to the World Health Organization, about 830 million people worldwide are living with diabetes. As that number grows, so does reliance on connected devices such as insulin pumps and continuous glucose monitors (CGMs). These devices are changing patient care by providing real-time monitoring and automated treatment adjustments from the patient's home. A CGM, for example, transmits readings wirelessly to a smartphone app or a cloud platform so that patients and clinicians can follow trends and patterns in glucose levels, and an automated insulin dosing system uses those readings to dispense insulin in controlled amounts at specific times. The same wireless links and remote controls that make this possible also expose the devices to cyberattack: a channel that can adjust dosing is a target. To address these risks, the IEEE Standards Association (IEEE SA) developed the IEEE 2621 series of standards for securing connected diabetes devices. IEEE 2621 defines a security evaluation framework for these devices that aligns with FDA requirements and global regulatory guidance, and it is being extended to connected medical devices beyond diabetes.

What Is IEEE 2621?

IEEE 2621 defines a security assurance evaluation framework for connected electronic products, applied first to diabetes devices, so that they can resist cyber threats. The standard covers three key areas:

  • Protecting the patient: securing sensitive health data and protecting patient safety.
  • Hardening devices against remote interference: preventing unauthorized access to, and control of, the device.
  • Preventing tampering with treatment protocols: helping to ensure that the device operates correctly and safely.

The standard defines cybersecurity assurance for wireless diabetes devices: it specifies security requirements and gives guidance on secure design principles, regular software updates, and rigorous testing so that devices are resilient to attack. Manufacturers that implement it can build devices that protect patient safety and security, earn clinicians' confidence, and preserve the integrity of the device's data.

Regulatory/Compliance Requirements for Cybersecurity

Regulatory and compliance requirements define the safety and security criteria a device must meet before and after it reaches the market.

  • FDA (Food and Drug Administration): In the United States, the FDA issues guidance on medical device cybersecurity from design through post-market support, covering controls such as data encryption and user authentication, and expects premarket submissions to identify potential risks and their mitigations. Since 2023, submissions for "cyber devices" must also include a software bill of materials (SBOM) and a plan for addressing vulnerabilities found after release (FD&C Act section 524B).
  • MDR (Medical Device Regulation): In Europe, the MDR takes a broader approach than the FDA guidance, requiring manufacturers to design devices with state-of-the-art security measures and to address any security issues that arise promptly; the MDCG 2019-16 guidance explains how its requirements apply to cybersecurity.
  • ISO 13485: Internationally, this standard specifies a quality management system for designing, developing, and producing medical devices safely. It does not itself prescribe cybersecurity controls, but its risk management and product lifecycle requirements are where such controls are planned and documented, usually alongside ISO 14971 (risk management) and IEC 81001-5-1 (security activities in the health software lifecycle).

Real World Importance

Applying the 2621 standards helps manufacturers build more resilient products and reduces uncertainty for patients and healthcare providers. Strong cybersecurity is needed to prevent life-altering events such as incorrect insulin delivery or data leaks. If a continuous glucose monitor is compromised, for instance, it could feed false readings to an insulin pump and cause an inappropriate dose. Data breaches have lasting consequences as well: unlike a password, exposed personal health information cannot be changed, so a breach can mean permanent loss of privacy and a standing risk of identity theft.

For manufacturers looking to develop devices that meet the safety expectations of patients and healthcare providers, the IEEE Medical Device Cybersecurity Certification Program offers a straightforward evaluation process with a clearly defined scope and test requirements specific to medical devices. The program lets manufacturers demonstrate conformity with IEEE 2621 against defined cybersecurity criteria. Certified devices are listed in the IEEE Medical Device Registry, which supports submissions to regulatory bodies, including the FDA.

Beyond Diabetes

While IEEE 2621 is focused on diabetes devices, the standard is currently under amendment to cover other connected health devices. As healthcare moves toward remote, technology-driven care, the need for robust cybersecurity will only grow, because each new remote connection is another entry point for an attacker. Securing all connected health devices is essential to protect patient data and maintain confidence in these technologies.

Pacemakers are a prime example: tampering with one could directly affect the heart's rhythm. Connected diagnostic devices and telemedicine platforms likewise need strong security to prevent attacks that could harm patients or expose personal information.

The broader use of connected medical devices in healthcare systems, and their increasing adoption by patients, widens the attack surface. Device manufacturers should respond with an all-encompassing cybersecurity strategy built on secure design principles, regular software updates, and rigorous testing, because an exploited device puts patient care, sensitive data, and healthcare operations at risk. The IEEE 2621 series provides the guidelines needed to develop connected health devices that are safe and resilient against cyberattack.

The Most Vulnerable Devices

While all medical devices, including wearables, must be protected, experts suggest that the most vulnerable are insulin pumps, pacemakers, infusion pumps, patient monitors, and older (legacy) devices. Common weaknesses include weak encryption, unsecured wireless links, signal interception, unauthorized reprogramming, and data manipulation.
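The last three weaknesses above are easiest to see on a device's command channel. The following is an added example, not code from the article or from any device manufacturer: a hypothetical "deliver bolus" message format, with a naive pump that acts on any well-formed command beside a hardened one that requires an HMAC-SHA256 tag under a paired key, a strictly increasing counter against replay, and a clinical dose ceiling. The key, message layout, field sizes, and the 25-unit limit are all assumed for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical wire format for a "deliver bolus" command from a controller app
# to a pump (constructed for this example; not any vendor's protocol):
#   counter   uint32 big-endian, strictly increasing for the life of a pairing
#   dose_mu   uint32 big-endian, insulin dose in milli-units
#   tag       32-byte HMAC-SHA256 over counter || dose_mu
HEADER = struct.Struct(">II")
TAG_LEN = hashlib.sha256().digest_size
MAX_DOSE_MU = 25_000  # assumed clinical ceiling: 25.0 units per bolus


def mac(key: bytes, header: bytes) -> bytes:
    return hmac.new(key, header, hashlib.sha256).digest()


def build_command(key: bytes, counter: int, dose_mu: int) -> bytes:
    """Controller side: header followed by its authentication tag."""
    header = HEADER.pack(counter, dose_mu)
    return header + mac(key, header)


class NaivePump:
    """Weak design: parses the dose and acts on it. Nothing proves the message
    came from the paired controller, and a captured message replays verbatim."""

    def __init__(self):
        self.delivered = []

    def handle(self, msg: bytes) -> str:
        if len(msg) < HEADER.size:
            return "malformed"
        _counter, dose_mu = HEADER.unpack_from(msg)
        self.delivered.append(dose_mu)
        return "delivered"


class HardenedPump:
    """Checks, in order: message shape, authenticity (constant-time tag
    compare), freshness (monotonic counter defeats replay), and the clinical
    dose limit. Only a message that passes all four changes pump state."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def handle(self, msg: bytes) -> str:
        if len(msg) != HEADER.size + TAG_LEN:
            return "malformed"
        header, tag = msg[:HEADER.size], msg[HEADER.size:]
        if not hmac.compare_digest(mac(self.key, header), tag):
            return "bad_tag"  # forged, or a captured message with edited fields
        counter, dose_mu = HEADER.unpack(header)
        if counter <= self.last_counter:
            return "replay"  # stale or duplicated command
        self.last_counter = counter  # advance only after authentication
        if dose_mu > MAX_DOSE_MU:
            return "dose_limit"  # authentic but unsafe: refuse, do not clamp
        self.delivered.append(dose_mu)
        return "delivered"


def demo() -> dict:
    """Runs the attack scenarios against both pumps and returns the outcomes."""
    pairing_key = hashlib.sha256(b"constructed pairing key").digest()  # assumed
    attacker_key = hashlib.sha256(b"attacker guess").digest()
    naive, pump = NaivePump(), HardenedPump(pairing_key)
    out = {}

    legit = build_command(pairing_key, counter=1, dose_mu=2_000)  # 2.0 units
    out["legit"] = pump.handle(legit)          # delivered
    out["replay"] = pump.handle(legit)         # replay: same counter again

    forged = build_command(attacker_key, 2, 20_000)  # attacker lacks the key
    out["naive_forged"] = naive.handle(forged)       # delivered: the flaw
    out["forged"] = pump.handle(forged)              # bad_tag

    captured = build_command(pairing_key, 2, 1_500)  # sniffed legitimate command
    tampered = HEADER.pack(2, 20_000) + captured[HEADER.size:]  # dose edited
    out["tampered"] = pump.handle(tampered)          # bad_tag: tag no longer matches

    out["over_limit"] = pump.handle(build_command(pairing_key, 3, 30_000))  # dose_limit
    out["delivered_mu"] = list(pump.delivered)       # [2000]
    out["naive_delivered_mu"] = list(naive.delivered)  # [20000]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Pairing and key exchange, persisting the counter across power loss, and the radio framing are out of scope here. The point is the order of checks: authenticate first, then freshness, then clinical policy, and refuse rather than clamp an over-limit dose so that an authentic but wrong command never reaches the motor.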

Every connected device is a potential target. In recent years, one insulin pump manufacturer recalled certain products over cybersecurity vulnerabilities, including the possibility that an attacker could change the pump's settings. Another manufacturer released a firmware update for its implantable cardiac devices after finding vulnerabilities that could have let unauthorized users access and manipulate the devices.

Comprehensive global standards are needed to make connected healthcare devices resilient to cyber threats, and adopting IEEE 2621 can help build confidence and protect patients in a digital world. The industry needs to collaborate on secure innovation to keep pace with the evolving landscape of connected health. Manufacturers that accept the realities of digital, connected medicine and build hardened devices can take a leadership position in the healthcare industry.

Final Note

Learn more about the IEEE 2621 series of standards or the Medical Device Cybersecurity Certification Program. There are many other standards and programs within the IEEE Healthcare and Life Sciences Global Practice supporting innovation for the future of connected medical devices that better secure and enhance patient outcomes. Learn more at ieeesa.io/hls.
