
What about Diabetes Device Security? Who determines your risk of device hacking?
In March, the FDA published a policy stating that it would refuse to accept premarket submissions for connected ("cyber") devices that do not include the required cybersecurity information. Essentially this was a statement that a device would not even be considered for approval by the FDA until a company had locked down all of its cybersecurity concerns.
Have the best hybrid closed-loop algorithm ever created in your new system? Too bad! The FDA is not going to waste its manpower evaluating your algorithm if you are not able to prove that the system can't be hacked by Russian bots to over-deliver insulin!
I wish I were being hyperbolic, but the FDA's stated reasoning for this was literally to avoid wasting its staff's time on products that would not make it to market anyway because of cybersecurity concerns.
As a person with diabetes this offends me in a few differing ways:
1. First, because the FDA should not be the body making risk assessments for me. As people with diabetes, we are pretty intimately acquainted with risk assessment. We look risk in the eye multiple times a day. Decisions we make about things as seemingly innocuous as exercise, eating, driving a car, and taking a nap can have life-threatening, even deadly, consequences for ourselves and those around us. We are given a very large degree of trust in our ability to assess risk and make sound decisions. People with diabetes, DO NOT BE AFRAID OF THAT! BE PROUD OF IT! We are given that trust and we hold it with pride and honor every day! We are trusted by ourselves, by those around us and by those who care about us! We show day in and day out that we can rise to the occasion and assume risk appropriately. The role of the FDA is to assess whether a drug or device works. Does it do what it tells us it does? And does it do that with a reasonable degree of safety? The FDA should make sure my insulin pump will not break and malfunction (cough cough cough) or overheat and present a burn or fire risk (cough cough cough). But at what point does looking out for patient safety become playing Big Brother? At what point should I, as the patient, be allowed to assume a certain level of risk, if I deem it acceptable given the other safety checks available to me and the potential benefits of the device?
The FDA would argue that SOMEONE COULD hack an app that controls my insulin pump, cause it to over-deliver a massive dose of insulin, and cause me harm.
I would argue:
- First, that is an intense amount of effort and expense to go to in order to attack someone whose murder offers little financial or social reward. No one has bothered to hack my Facebook account, much less my pancreas. (Probably because I still use Facebook.)
- Second, IF someone did hack my pump and deliver a huge bolus, I have safety limits so that bolus could only be SO big; my pump also has safety limits on how big a bolus it will deliver, and there is a limit on how much it will deliver in a given hour before I get an alert. I also get a notification at the completion of a bolus. I would have time to react before that insulin even began to take effect.
- Third, IF I were to somehow miss all those safety barriers and that notification, my CGM would alert me to a problematic drop in blood sugar and give me time to react with rapid-acting carbs and/or glucagon, two things no person taking insulin should ever be caught without. (See the previous statement about making life-threatening, high-risk decisions daily.)
- Fourth, IF someone were to hack my pump AND hack my CGM at the same time, because I'm somehow worth this monumental effort of technology (it would also require knowing a great deal about the pump on my person, and typically being within a radius of a few feet of me to perform this operation, and what is that creepy person doing hanging around me anyway…), the statistical likelihood of this harm is still infinitesimally small compared to the statistically significant benefit, not only to myself but potentially to thousands of other people with type 1 diabetes around the world, in terms of improved health and reduced illness, injury, loss of life, loss of income, loss of quality of life, etc.
Correct me if I'm wrong, but doesn't the FDA seek statistical data on risk of harm (side effects) vs. benefit (efficacy) and use that to decide whether a drug or device is approved? Since when are drugs required to prove a lack of side effects before they will even be considered for approval?!
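The layered limits described in the second and third points above are, in security terms, a defense-in-depth argument: the pump enforces its own caps regardless of what a (possibly compromised) controller app asks for. The model below is an added illustration and not code from any real pump, DIY system or the original post; every limit value, the `Pump`/`PumpLimits` names and the hostile command sequence are constructed for the demonstration.

```python
"""Illustrative model of pump-side safety limits that hold no matter what a
(possibly hacked) controller app commands. Added example: not code from any
real pump or DIY project; the limits and commands are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PumpLimits:
    """Hypothetical limits; real devices pick their own values."""
    max_bolus_units: float = 10.0      # largest single bolus the pump will accept
    max_units_per_hour: float = 15.0   # rolling-hour delivery budget before refusing
    alert_on_completion: bool = True   # announce every completed bolus to the wearer


@dataclass
class Pump:
    limits: PumpLimits
    history: deque = field(default_factory=deque)  # (timestamp_s, units) delivered
    alerts: list = field(default_factory=list)

    def delivered_last_hour(self, now_s: float) -> float:
        """Drop deliveries older than an hour and sum what remains."""
        while self.history and now_s - self.history[0][0] >= 3600:
            self.history.popleft()
        return sum(u for _, u in self.history)

    def request_bolus(self, requested_units: float, now_s: float) -> float:
        """Apply the layered limits and return the units actually delivered."""
        if requested_units <= 0:
            return 0.0
        # Layer 1: the per-bolus cap clamps anything the app asks for.
        units = min(requested_units, self.limits.max_bolus_units)
        if units < requested_units:
            self.alerts.append(f"t={now_s:.0f}s bolus clamped {requested_units}->{units}")
        # Layer 2: the rolling-hour budget; refuse (and alert) once it is spent.
        remaining = self.limits.max_units_per_hour - self.delivered_last_hour(now_s)
        if remaining <= 0:
            self.alerts.append(f"t={now_s:.0f}s hourly limit reached, bolus refused")
            return 0.0
        if units > remaining:
            self.alerts.append(f"t={now_s:.0f}s hourly limit hit, bolus reduced {units}->{remaining}")
            units = remaining
        self.history.append((now_s, units))
        # Layer 3: every completed bolus is announced, so the wearer can react.
        if self.limits.alert_on_completion:
            self.alerts.append(f"t={now_s:.0f}s bolus complete: {units} U")
        return units


def simulate_attack(pump: Pump, commands):
    """Replay (timestamp_s, requested_units) commands; return what each delivered."""
    return [pump.request_bolus(units, t) for t, units in commands]


# Constructed sequence: an attacker-controlled app keeps demanding a 100 U bolus.
HOSTILE_COMMANDS = [(0, 100.0), (60, 100.0), (120, 100.0), (3700, 100.0)]

if __name__ == "__main__":
    pump = Pump(PumpLimits())
    print(simulate_attack(pump, HOSTILE_COMMANDS))  # [10.0, 5.0, 0.0, 10.0]
    print(*pump.alerts, sep="\n")
```

Two things worth noticing in the run: the 100 U demands collapse to 10 U, 5 U and then nothing until the hour rolls over, and every step produces an alert the wearer can act on. The caveat a practitioner would add is equally visible: once the hour rolls over the attacker gets the full budget again, so the limits blunt an attack rather than stop it, which is exactly why the independent CGM layer in the third point matters. The security property is that the caps live in the pump, not in the app that was compromised.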
2. The second reason I find this statement by the FDA offensive as a person with diabetes is that it clearly does not represent the demonstrated concerns, values and priorities of the diabetes community, but those of the corporate biomedical manufacturing giants. For over 5 years, thousands of people with diabetes around the globe have used DIY insulin delivery systems such as Loop and OpenAPS, as well as Nightscout and more, to improve their management and achieve levels of wellness and quality of life that "big pharma" and the FDA simply have not been able to touch. They have done this with no reported device-caused fatalities. (For the record, the FDA-approved manufacturers cannot claim the same, not even in just the last 5 years.) There has also not been a single reported incident of someone having been harmed by their devices being "hacked," despite there being no regulatory oversight of their cybersecurity features beyond the integrity of the developers and the community itself. The devices have been reported to be "hackable," but by whom? Why, the major FDA-approved manufacturers, of course, who want to "protect the community" and warn them that DIY devices are "dangerous."
SO clearly the diabetes community is saying "We are fine assuming cybersecurity risks if it improves our quality and quantity of wellness." If that is what we are saying, then who is the FDA really protecting with these sweeping cybersecurity limitations? I can't say for certain, but when one is looking at massive regulatory bodies that are not required to answer to the public they "serve," follow the $$$.
And those $$$ lead back to three places. Biotech companies that have a stranglehold on product development, making sure that smaller companies cannot gain a foothold in the market (because the years that the FDA bogs a company down in reviews are more than enough to bankrupt any small company). Technology companies that make the devices these platforms run on and have a huge stake in deciding who gets to play in their sandbox and develop their apps easily and who does not (and the fact that each major technology company has a line of smartphones and its own biotech division couldn't possibly give them a reason to delay competitors from bringing innovations to market, could it?). And the governmental policymakers themselves, who have no incentive to actually help people, because the people they help do not pay them. People served do not line their future campaign funds or grease their political tracks.
So what can we do as the diabetes community to make sure innovation is not mired in paperwork and stifled by bureaucrats?
- Get loud! Let the FDA know that you're not a babe to be coddled, that you are capable of taking on your own risk assessments!
- Invest in DIY projects. Whether financially or by sharing, increasing visibility and awareness of DIY projects, spread the word. Help keep the developers, coders, hackers and innovators of the diabetes community going! Many of them gave up big corner offices with those big biotech companies to "fight the good fight," so even if you're not game to use their systems, support them as you can!
- VOTE! From the local level to the national level, our voices COUNT, so find out who the names on your ballots really are! Find out what they stand for and who is paying them to stand there!
- Read. Don't just accept things as they are. Staying informed, like you do with this newsletter, is key to keeping our diabetes community growing and thriving!
Well, that was a rant! ;-)
Is this the announcement from the FDA that you are referring to? https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-refuse-accept-policy-cyber-devices-and-related-systems-under-section
What is the best way to communicate our feedback to the FDA? I see a button on the above page to “Submit Comments Online”, but it doesn’t seem to take me to a page where I am able to make comments.
Thank you!
That is the statement, and commenting there should get to the FDA, but likely via their social media or web developers, not their actual policymakers, unfortunately. How to make ourselves heard is a great topic for a coming article! Stay tuned.