Internet of Medical Things (IoMT) advances and brings new challenges


June 29, 2022

The digital revolution in healthcare continues apace and the demand for data is higher than ever. A study by Canadian consultancy RBC Capital Markets, released in December 2021, shows that in 2010, the world’s total data storage capacity was approximately 487 exabytes. By 2025, that same volume will be created every two days.

Approximately 30% of the world’s data volume is generated by the healthcare sector. By 2025, the annual growth rate of healthcare data will reach 36%. This is 10% faster than financial services and 11% faster than media and entertainment.

This data is generated in two different ways. The first is through the large heterogeneous networks spread across different locations in the healthcare organization. The second, increasingly significant, is the devices of the Internet of Medical Things (IoMT). A study by Research and Markets released in January 2022 reports that this market is expected to reach $258 billion by 2026. In 2019, the value of these solutions was $55 billion.

The IoMT label covers a wide variety of technologies, explains Luis Arís, Business Development Manager at Paessler LATAM. Healthcare providers have been using mobile technology for some time, including handheld computers and devices that assist physicians in delivering care at the bedside. These mobile medical devices are often carried on a cart to the patient, improving accuracy by reducing the need to manually enter patient information. Mobile devices are also widely used to perform examinations at the patient’s bedside, as well as to help share data with other medical colleagues (at shift changes).

There is also a whole set of IoMT devices to be used by the patient at home, remotely.

1. Remote patient monitoring

Remote patient monitoring is the most common application of IoT devices for healthcare; it collects health metrics such as heart rate, blood pressure, and temperature. The collected data is sent to a software application where caregivers and/or patients can view it.

2. Glucose monitoring

IoMT devices can provide continuous automatic monitoring of glucose levels in patients. The goal is to eliminate the need for manual recording; the devices can also alert patients when glucose levels are problematic.

3. Heart rate monitoring

Conventional devices for continuous cardiac monitoring used in hospitals require patients to be constantly connected to machines via wires, hindering their mobility. Small IoMT devices free patients to move about as they wish, ensuring continuous monitoring of their hearts.

4. Hand hygiene monitoring

Currently, many hospitals and other healthcare facilities use IoMT devices to remind people to sanitize their hands when entering hospital grounds. The devices can even instruct on the best way to sanitize to mitigate a certain risk to a specific patient.

5. Depression and mood monitoring

Often, patients do not accurately report the mood swings they experience. IoMT “mood sensing” devices can address these challenges. By collecting and analyzing data such as heart rate and blood pressure, the devices can infer information about a patient’s mental state.

6. Parkinson’s disease monitoring

IoT sensors can continuously collect data regarding Parkinson’s symptoms. These devices give patients the freedom to live normally in their homes, rather than having to spend long periods in a hospital for observation.

7. Smart pills

IoMT devices are also essential for the use of “smart pills” with microscopic sensors. Signals emitted by the smart pills are collected by IoMT devices and then transmitted via the cloud to hospital systems.

For these applications to produce the desired results, it is critical that IoMT devices are carefully monitored to ensure that they do not stop working, causing disruption to patient care. This is a real challenge. A study by the specialist publication HITinfrastructure reveals that around 45% of connections between equipment within hospitals and remote devices used by patients fail. This causes an average of two additional seconds of waiting time to load application data.

IT teams are responsible, 24×7, for ensuring that IoMT devices are secure, active, and reliable. Their mission is to manage and secure devices that are deeply heterogeneous and that generate very different kinds of data. Because healthcare applications require near-real-time data collection, any disruption in the connection can be costly in terms of data accuracy and errors in the diagnostic process.

Heterogeneity of health systems

Another factor that complicates the task of IT leaders in healthcare organizations is that the data, whether generated within the clinical environment or created by IoMT devices, is processed in well-delineated categories:

  • HIS (Hospital Information System) – essential data for the operation of the organization;
  • LIS (Laboratory Information System) – laboratory data;
  • RIS (Radiology Information System) – radiology data;
  • PACS (Picture Archiving and Communication System) – images generated by devices such as radiography, MRI, ultrasound, or video endoscopy equipment.

In practice, these categories are global standards that now guide the development of all medical applications. In the age of digital health, all these protocols have to be supported by the organization’s IT monitoring platform. This is essential to deliver to the manager a view that is both general – covering the entire organization, including mobile remote devices – and specific, able to get to the detail of the operation of a particular network element.

The goal is to gain predictability about, for example, the battery life of an IoMT device, or how reliable the connections are between an MRI system and the hospital administration server. Multi-protocol monitoring solutions help free doctors, nurses, and patients using IoMT devices from frustrations with the technology. At the end of the day, this produces greater consistency in diagnoses and medical treatment tracking.

Safety also matters

In addition, the digital revolution that has resulted in the Internet of Things (IoT), the Internet of Medical Things (IoMT), Software as a Medical Device (SaMD) and the connected devices that permeate the healthcare environment, both in the hospital and at home, has opened up the possibility of cyber attacks and intrusions against compromised connected medical devices and the networks to which those devices are connected. The result is not only data breaches but also increased healthcare delivery costs, and it can affect patient health outcomes.

The consequences of these attacks, and the corresponding fiscal and security impacts, have led many government agencies and other actors (industry associations, technical societies, standards organizations, research institutions, political groups, and non-governmental organizations) to take steps to protect themselves and their citizens.

In the EU, the MDR and IVDR require consideration of the cybersecurity of medical devices, and the Medical Device Coordination Group (MDCG) provides guidance to manufacturers on how to meet all relevant essential requirements of Annex I of the MDR and IVDR with respect to cybersecurity.

In Australia, the Therapeutic Goods Administration (TGA) is treating medical device cybersecurity as part of the Core Principles, and the TGA requires that the “Core Principles of cybersecurity are met by the application of accepted best practices in relation to quality management systems and risk management frameworks, which is typically through application of state-of-the-art standards.”

In the U.S., since 2005 the FDA has been striving to improve the cybersecurity of medical devices, and the entity’s latest effort is draft guidance on security throughout the total product life cycle (TPLC). Another effort is the bipartisan congressional support for the Cyber Health Protection and Transformation Act of 2022 (PATCH Act of 2022), which, if passed, will revise the existing Federal Food, Drug, and Cosmetic Act.

The FDA’s draft guidance on medical device cybersecurity provides information on how the agency will enforce existing regulatory requirements. But how do you prepare to meet the FDA’s medical device cybersecurity expectations?

First, it is important to understand that the scope of the FDA guidance is exceptionally broad: it covers devices that contain software (including firmware) or programmable logic, as well as SaMD, and applies to:

  • Pre-market notification submissions (510(k))
  • De Novo requests
  • Pre-market approval applications (PMAs) and PMA supplements
  • Product Development Protocols (PDPs)
  • Investigational Device Exemption (IDE)/Humanitarian Device Exemption (HDE) submissions
  • All devices within the meaning of the Federal Food, Drug, and Cosmetic Act (FD&C Act), regardless of whether or not they require a pre-marketing submission.

Principles of medical device cybersecurity

The FDA guidance sets six broad expectations and introduces the newly created concept of a Secure Product Development Framework (SPDF), which covers all aspects of a product’s life cycle, including development, launch, support, and decommissioning, to satisfy the Quality System Regulation (QSR) in 21 CFR Part 820:

  1. Cyber security is an integral part of device security and QSR
  2. Security by Design
  3. Transparency
  4. Security Risk Management
  5. Security Architecture
  6. Objective test/evidence

The idea is to require devices, as well as software as a medical device (SaMD), to minimize cybersecurity risks associated with their design, security and use. Manufacturers would have to generate and maintain evidence about the quality management systems and risk management frameworks used to monitor the cybersecurity of medical devices to demonstrate compliance. 

Overall, FDA understands that the cybersecurity threat landscape is evolving rapidly and requires constant monitoring and appropriate corrective and preventive actions from medical device manufacturers, as well as timely communication to medical device users to establish their awareness of cybersecurity threats.