BOSTON — Healthcare facilities can advance their patient care with IoT remote monitoring if manufacturers understand how to develop and use connected medical devices.
Medical IoT remote monitoring “will change the way you do service, the way your customers perceive you, not just you, but your products. They become reliant on the network of things that you provide them, not just the transaction,” said Anthony Moffa, senior director of ThingWorx IIoT Platform at PTC.
IoT remote monitoring gives manufacturers access to real-time information from the field that is unfiltered and unbiased, which they can use to secure and maintain connected medical devices. Devices can transmit data back to manufacturers on key performance indicators — such as power settings or the number of times a device was turned on and off — that they can use to improve connected medical devices. Engineers don’t have an easy time observing their devices in the field consistently, but anyone can sit in front of their laptop and see how devices perform, said Paul O’Connor, director of medical development at Boston Engineering.
Moffa and O’Connor were among the experts discussing considerations for connected medical device manufacturers during the panel “How to leverage IIoT to improve medical device innovation and user insights,” which was held on Dec. 10. It was hosted by Boston Engineering, the Massachusetts Medical Device Industry Council and PTC.
Anthony Moffaenior director, ThingWorx IIoT Platform at PTC
Here is a rundown of the event’s expert advice on how to address problems before IoT development begins, how to secure medical devices and the importance of identifying the needs that remote monitoring connected medical devices can address.
How to get started with remote monitoring for medical IIoT devices
Organizations often introduce IoT remote monitoring for connected medical devices with the intent to improve their products and differentiate themselves from the competition. Remote monitoring with IoT might have to overcome resistance.
“Somebody has to own [the project] and you have to have coordination between all your team members, so service, marketing operations, the R&D side; they all have to work together. If they don’t, it’s going to be an uphill battle,” Moffa said.
During IoT remote monitoring, developers should try to answer several questions:
- Do you really know how your customers are using the product?
- What settings do they actually use?
- What is the optimal proactive maintenance schedule?
- Do the components perform in a way that meets their needs?
- How has device use changed since introduction?
- Is the product over-engineered?
Developers can now track the data to answer these questions from around the world and apply the real-time insights and feedback to the next generation of the product.
“Think of your own product line and what you want to know about how your products are being used. Think about what you need first versus how [IoT remote monitoring technology] can help me,” O’Connor said. “You can test for years and not actually get real-time data on a global basis.”
Organizations might also see resistance from their customers. IT pros could see connected medical devices and remote monitoring as a threat to network security. The manufacturers must show how the device will bring value to the hospital, show how it’s secure and why it won’t put the network at risk, Moffa said.
Connected products typically have some built-in security processes. For example, all IT pros must make sure to encrypt communications and safely pair devices. When devices have basic security measures, adding remote monitoring security for post-market surveillance is a low security risk, said Elizabeth Couture, security software engineer at Geisel Software. Hackers won’t be particularly interested in data about what the current pressure on a sensor is or what firmware the device is running, which is the data that a device manufacturer would want from IoT remote monitoring. When manufacturers have continued access to deployed devices, they can increase the security of the product through processing device data with behavioral analytics to pick out deviations from the normal device use.
Create a culture of security
For something to be secure, the whole team must secure the product, including different engineering and support groups when it’s developed, designed and implemented outside of the facility.
“[Medical IIoT device manufacturers] need to have a culture of security. Security is not a thing you do once and then you are done with it. And it’s not a thing that you can slap on the end of the finished product,” said Elizabeth Couture.
Most hacks today are caused when attackers find bugs in widely used software from trusted organizations that are implemented on devices, said Couture. The organization that made the software announces that they have a fix for the bug, which makes applying updates critical. Organizations must plan how to update devices in the field, otherwise they will have a security hole that the entire internet knows about.
Organizations must apply layered security and not treat medical devices as if they exist in a lockbox that no hacker will ever break into. A malicious actor should not be able to command the medical IIoT device to do dangerous things or access any patient data. By the time a medical device passes all Food and Drug Administration procedures, it’s usually 15 years old, Couture said.
“I wouldn’t trust a 15-year-old computer to buy it off the shelf. You have to be so sure that everything is safe, and that means that we need to assume that something will go wrong in the future,” she said.
When dealing with a larger number of connected medical devices, it’s important to make sure that devices have an incredibly narrow application to secure the multitude of endpoints that consumable items represent, Couture said. IT pros might be tempted to be lax on security for consumer devices, but they must tighten restrictions to prevent malicious actors from accessing the whole network through a device.
The best way to restrict application use on a medical device is to have very strict controls on the API, Moffa said. Limit the ability to use the device connection to go onto other networks, because as soon as a device connects to multiple different networks, malicious actors have a larger surface area to initiate a potential attack, he said.
Another way that organizations can improve their device security is to have other IT pros attempt to hack it. Smaller organizations might have to hire an outside expert if they don’t have people internally who focus on cybersecurity. Even having someone from a different group in an internal team attempt to hack a device will uncover security holes, Couture said.
“People used to approach cybersecurity as if ‘I am the best at building walls. I will build this wall around the product and everything is safe because I’m really good at that.’ But nowadays it’s not just about building good walls, it’s about learning the skills that a hacker would actually use to attack a product and attacking your product,” she said.
Keep the customer in mind, no matter the use of remote monitoring
Remote monitoring with IoT starts with user needs and adds value for them, said Raj Sivakumar, global product director at Hologic. Remote monitoring can improve the reliability of technology. When organizations use IoT remote monitoring for predictive maintenance, field engineers can identify when a component is going to fail and replace it without any downtime. With analytical tools, medical device users can take advantage of the device utilization rates to understand if their team uses the devices optimally or if they need more training.
“By adding IoT to this environment you’re able to increase the throughput of your technicians, because you can do some things remotely. You might walk a customer through a workflow on a screen, rather than physically,” Moffa said.
The data provided through remote monitoring gives engineers information for maintaining devices. IoT sensors can record the temperature and other variables that would inhibit or show the decline of medical devices. For example, without remote monitoring, an anesthesia machine in an operating room could fail when a patient is under. The patient must be moved to another room and hooked up to another machine. The time under anesthesia is increased, which means there is more risk for the patient. IoT predictive maintenance is critical from a risk management perspective in healthcare, Sivakumar said. If technicians know a machine will fail well ahead of time, they can apply this change. Eliminating downtime means patients spend less time in the hospital, which decreases their chances of getting sick from something they didn’t come in with.
“You could talk to people about the issues they have [with your device]. There’s no aversion to doing that; Everyone thinks it’s a good idea,” O’Connor said. “But it’s being able to define a starting point. Start small with something that you can control and have access to.”