June 2017 - Issue 2
Welcome to Battelle’s Medical Devices newsletter. We offer this newsletter as a service to our clients to keep you informed of the latest news from our researchers and the industry.
Battelle’s Medical Devices team can help you accelerate your medical product development timeline – from ideation to evaluation to commercialization. Our newsletter will help keep you up-to-date on cutting-edge medical devices work, including device security, drug delivery, usability testing and neurotechnology.
By Debbie McConnell
What’s the secret to improving patient adherence rates? It starts with giving them something they need. Medical device design that ties patient needs to the actions we want them to perform can significantly improve adherence, acceptance, and satisfaction.
Consider the airplane lavatory door. Airlines have a behavior that they want to encourage: they want users to lock the door behind them when using the lavatory. Users have a need: they want to be able to see what they are doing. The simple, elegant solution is to tie the need (light) with the desired behavior (locking the door). The light comes on only when the door is locked. The same approach can be used to improve patient adherence regarding medical devices.
When I ask my medical device manufacturing clients how they would like to measure success after their new product is commercially released, the answer is always twofold. One answer is related to dollars: increased sales and market share, reduced manufacturing costs, etc. The second answer involves the benefits the medical device could bring to the intended patient population, such as better management of symptoms, increased independence, or prolonged life. Often, the patient must follow specific instructions or make lifestyle adjustments to achieve these outcomes, making patient adherence crucial.
The good news is that both manufacturer and patient needs often can be met at the same time using principles of human-centric design (HCD). A device that better meets the needs of its intended user population will result in better patient adherence and satisfaction, ultimately leading to better health outcomes and increased product adoption.
A great example of this can be seen in the world of insulin pumps. Insulin is a vital need for individuals with type I diabetes, so you wouldn’t expect there to be many adherence problems with wearable insulin pumps. However, many people living with diabetes struggle when it comes to using their pumps as intended. For example, pumps with tubing can be awkward and unsightly, must be removed for activities such as bathing, and can make it difficult for patients to wear certain clothing styles without embarrassment. Patients may therefore remove their pumps more than they should to avoid tubes that get in the way of activities, prompt unwelcome questions or simply make them feel uncomfortable with their bodies.
Insulet solved this problem with OmniPod, the first untethered insulin delivery device approved for sale in the U.S. by the FDA. OmniPod is small, waterproof and completely tubeless, so it can be discreetly affixed to the body where it will not show and can be left in place through all normal daily activities. Reimagining the insulin pump has resulted in better adherence from type I diabetes patients. It has also been great for Insulet’s bottom line: since launching the OmniPod System in 2005, sales have grown to more than $320 million for 2015, with strong double-digit growth.
How do you know what users need? It starts with something most of us already do: spend time observing and talking with patients. Box CEO Aaron Levie has said, “You’ll learn more in a day talking to customers than a week of brainstorming, a month of watching competitors or a year of market research.” While this applies to all types of products, from software to sporting goods, nowhere is it truer than in the medical device market.
To get the most value out of user observations, usability researchers use a process called contextual inquiry. Contextual inquiry is a semi-structured interview method, generally conducted in the environment where the user will interact with the device, such as the home or clinic. The goal is to obtain information about how the device is used within the context of use. Users first are asked a set of standard questions, and then observed and questioned while they work in their own environments.
Compared to survey methods, contextual inquiry can give researchers a much more nuanced and accurate understanding of user needs, wants and challenges. Users are not always able to articulate their needs when asked survey questions; they may not remember things accurately when they are not actually interacting with the device, or they may neglect to mention an issue because they don’t see its importance for device development. Answers to surveys also depend on highly subjective interpretation of the questions, making it difficult to generalize results from large data sets.
Contextual inquiry gives researchers the opportunity to listen to what users say as well as observe what they actually do while using the device, uncovering insights that users themselves may be unaware of. While observing patients and healthcare providers in their own environments, we can uncover the gaps between what they have and what they need. We notice times when they are accommodating for the lack of a better solution: sticky notes, crib sheets, two-person tasks that could be one-person tasks, etc. We also notice when it’s just too hard for them to comply with required behaviors. In a healthcare setting, these instances may result in missing data in a patient chart or delays in non-critical patient care. At home, patients may make mistakes when taking medication, neglect to note events of interest requested by their doctor, or simply fall away from a beneficial practice that just feels too hard.
After observing, researchers can take the data from time in the field and distill it into unmet needs that were expressed in the language of the patients and healthcare providers. This information then is used to find design solutions that address these unmet needs and make it easier for users to adhere to the device’s intended use.
The second habit in Stephen Covey’s 7 Habits of Highly Effective People is “Begin with the End in Mind.” This is also a foundational principle of the six sigma lean practices, and excellent advice for medical device manufacturers.
We start with a goal: what is it that we want the patient or healthcare provider to do? For example, we may need them to input required data into an app or device, take a blood sugar reading before injecting medication, or keep a nebulizer in place long enough to get the entire dose of their medication. Then we ask the question: what is it that the user wants or needs from this experience? We use both inputs to drive concept design. The outcome is a product that ensures that the medical device manufacturer will achieve its success measures by providing patients and healthcare providers with a product that they will use as intended, because it meets their needs.
For example, many people with life-threatening allergic reactions fail to carry potentially life-saving epinephrine autoinjectors with them at all times because the devices are bulky and inconvenient to carry. Sanofi developed a smaller, more portable injector: the Auvi-Q, about the size and shape of a smartphone, and easily pocketable. Auvi-Q also is equipped with sound recording to provide voice instruction, so “good Samaritans” with no training can operate the device on behalf of an incapacitated person.*
Finding design solutions that meet manufacturer needs for increased adherence, as well as user needs and desires, requires a human-centric approach to device design and development. HCD keeps the needs and preferences of the user at the center throughout the process, starting with early concepting, in order to increase users’ ability, desire and willingness to use the product as intended. This adherence is key to realizing the potential benefits of the product as well as ensuring its safe use.
Small adjustments to product design can have a big impact on final adherence and product adoption rates. For example, a pharmaceutical company wished to improve the adherence rate for a medication that required behavioral changes on the part of the patient. Specifically, patients needed to wait a period of time after taking the medication before eating, and were asked to consume a large amount of water during this period. Contextual research provided information about how patients live their lives and currently take medication. Those findings helped to inform the product’s packaging design and aided in the creation of clear, concise instructions for use that resulted in a 92% success rate.
In my experience, integrating user needs from the very beginning can significantly improve the chances that the final product will gain user acceptance and promote user adherence. It also reduces the chances that safety and usability concerns will be uncovered late in the design process when they are costly to correct.
When medical device design really works, the result is a product that fully meets the needs of users while helping device manufacturers meet their financial goals. It’s the perfect example of “doing well by doing good.” By finding product design solutions that increase user adherence and satisfaction, manufacturers can improve both patient outcomes and the bottom line.
*The Auvi-Q has been recalled due to possible issues with dosing accuracy. However, there is no evidence that this issue is related to the user interface design.
About the Author
Debbie McConnell has 25 years of experience working with product development teams in private industry, public service, and government agencies, specializing in human factors. As a Human Factors Lead at Battelle, she has hands-on experience across all phases of the project development lifecycle, including user research-based design inputs, use error analysis, prototyping, usability testing, summative validation studies, regulatory body submissions and product launch support.
By Stephanie Domas
When medical device manufacturers think about cybersecurity risks, they often focus on deliberate hacking attempts: a terrorist harming people by sabotaging the code in an insulin pump or pacemaker or a criminal organization using a medical device to pivot into the hospital network for a ransom attack or data theft.
The possibilities for direct, deliberate patient harm are certainly alarming and have been well documented by security researchers and “white-hat” hackers. The prospect of hackers using medical devices as a “weak link” to access hospital networks is also a genuine threat. But the biggest cybersecurity threat for medical devices isn’t a directly targeted attack. Statistically speaking, medical devices are much more likely to be impacted by commodity malware: the same rapidly propagating, indiscriminately targeted bits of malicious code that are the bane of every computer, cell phone and tablet user.
By “commodity malware,” we mean malicious computer code that is designed to affect a specific library or software used across a wide range of devices (such as an operating system or a browser), not necessarily a particular device. Whereas a targeted attack requires a hacker to research a particular device for possible vulnerabilities and specifically target them, commodity malware is opportunistic. It continually makes copies of itself and searches for opportunities to infect any and all devices it comes in contact with.
These types of viruses don’t know or care that they have infected a medical device. The device is just another vector that can now be used to infect other devices or networks it encounters. The ultimate goal is to infect as many machines as possible in order to open up security holes that can be exploited for other purposes later—often to steal data. Infection of the medical device is just collateral damage as the virus blindly seeks new targets.
Malware can propagate widely in this way, even to devices that are not directly connected to the internet. Viruses can spread to medical devices when they are connected to a laptop or thumb drive to upload patient data or when they connect to a network to get software updates. If any part of the “software ecosystem” that the medical device connects to, even periodically, is infected, malware can spread to the device itself. This is the same way that the Stuxnet virus is believed to have reached centrifuges used in Iran’s nuclear program: by indiscriminately copying itself onto devices throughout the world until it finally found its way to its target, possibly through an infected thumb drive plugged in to the secure network.
Attacks directly targeted at medical devices and mHealth apps can raise concerns about data privacy: does the device store HIPAA-protected medical data or sensitive patient information such as social security numbers and birthdates? Is it connected to a billing system that might allow access to financial information? With commodity malware, data privacy is still a concern, but now you also have to worry about data integrity. Malice is not required for harm to occur; data corruption may occur simply as a side effect of other things the virus is doing in the system as it blindly follows its programming.
Malware can interact with a device’s code in unpredictable ways, even when the device itself is not the target. The malware may overwrite part of the operating system or lock up critical data the medical device requires for operation, causing unexpected shutdowns or failures under certain conditions. It may cause the device to return bad data. Or it may change the data that the device uses to moderate its behavior. How dangerous or disruptive these code changes are depends on the robustness of the device, how critical the device is for patients or healthcare providers and exactly how the device’s behavior is changed. Imagine the following scenarios:
These scenarios all present the possibility of real patient harm even though there was no malicious intent in the code. In some cases, the data corruption may be obvious: if the device returns nonsensical data, or simply no data at all, fail-safes in the device or the common sense of the patient or healthcare practitioner are likely to prevent the data from being used in a way that could cause harm. However, if the effects of infected devices are more subtle (e.g. data used for diagnostic purposes is 10% higher or lower than the actual value, a false negative is returned or an alarm fails to sound), they may be overlooked. In these cases, bad data can lead to significant negative consequences for patients.
To mitigate these risks, medical device manufacturers should have a cybersecurity plan for every medical device that runs any kind of code. Devices do not have to be a direct target for hackers in order to be at risk, nor do they need to be directly connected to the internet or hospital network. Fast-spreading commodity malware can find its way onto nearly any device with software.
Medical devices and mHealth apps that run on common operating systems such as Windows, Linux, Android or iOS are at particular risk. A large portion of malware is directed at the Windows OS because it is so widely used in PCs and other devices. Patches are released frequently as new threats are discovered but often do not make their way to medical devices. While consumer devices can be easily updated by their owners or through patches pushed automatically by manufacturers, the code in medical devices is usually more locked down. And for good reason—the regulatory approval process for medical devices requires verification of the behavior and safety of the code. Whenever updates are made, device manufacturers must be able to verify that the update does not negatively impact device performance. Consumer device manufacturers can afford to take a “try it and see” approach with their patches, fixing unexpected issues resulting from unusual hardware or software configurations as they are reported. Apple, for example, had to quickly release a patch in September when their iOS 10 update temporarily bricked a number of users’ devices. Medical device manufacturers cannot afford to take that risk. As a result, many medical devices receive code updates rarely or not at all, leaving them susceptible not only to newly emerging viruses but to malicious code that has been circulating for years.
The FDA is trying to make this process easier. Their latest postmarket guidance, released in draft in January of this year, explicitly states that in most cases medical device manufacturers do not need to go through re-filing for recertification of devices when implementing routine updates and patches for cybersecurity. However, manufacturers still need to do their own internal verification to ensure that the device still operates normally after the patch. The extent of that verification process depends on the potential for patient harm that exists should the device fail to perform as expected. The FDA’s postmarket guidance document includes guidance for assessing the severity of impact on patients.
There are a number of steps that medical device manufacturers should take to mitigate potential risks from commodity malware. These include:
Ideally, cybersecurity is incorporated into every stage of device development, from ideation to postmarket. Secure design principles can help medical device manufacturers reduce risks and liabilities from both commodity malware and targeted attacks. The FDA has released both premarket and postmarket guidance for medical device cybersecurity. In addition, AAMI has released a technical information report (TIR) that details the principles for medical device security, called TIR-57. These documents provide best practices for medical device development, vulnerability assessment and postmarket updates.
If cybersecurity is not one of your core competencies, it makes sense to work with an outside security expert during design, development and testing. A cybersecurity expert can help you conduct vulnerability assessment, ensure that secure design principles are followed and develop a plan for secure postmarket updates.
Millions of new commodity viruses are released into the wild every year. Many of these make their way onto medical devices without causing any noticeable harm. But the potential risks—to patient safety, data privacy and data integrity—are too big to ignore. Medical device manufacturers should take steps now to reduce risks of infection by opportunistic malware.
About the Author
Stephanie Domas is Lead Security Engineer for Battelle’s DeviceSecure® Services. In this role, she is responsible for the design, architecture, verification and execution of security best practices in the development of new medical devices as well as the testing and cybersecurity risk mitigation of legacy systems. Ms. Domas is a registered Professional Engineer (PE) in the state of Ohio, and a Certified Ethical Hacker (CEH). She sits on several standards committees involved in furthering cybersecurity for medical products. Ms. Domas also serves as an adjunct faculty member at the Ohio State University College of Computer Engineering.
By Stephanie Domas and Nancy McMillan
As the healthcare industry moves towards precision medicine, are we doing enough to protect the privacy and integrity of patient data? Advances in genomics, medical sensors and data-driven healthcare are enabling doctors and patients to make healthcare decisions that are more personalized and targeted. However, precision medicine is only effective if the data it is based on can be trusted. Cybersecurity is a critical, but often overlooked, component of the precision medicine revolution.
What do we mean by precision medicine? The National Institutes of Health (NIH) has defined precision medicine as "an emerging approach for disease treatment and prevention that takes into account individual variability in genes, environment and lifestyle for each person." In other words, it is the ability to make informed healthcare decisions according to individual patient needs. While this often means using genetic or genomic data to target treatments, precision medicine isn’t just about genes. Treatments can also be targeted for patients with specific environmental exposures or lifestyle considerations.
This personalized approach to healthcare is made possible by an unprecedented volume of patient data. Information used for personalized medicine may include data gathered from bioassays and other clinical screeners, genetic sequencing data, data from body worn sensors or home health monitoring devices and behavioral data gathered using electronic logs or mHealth apps. Some types of data will be pulled into the official Electronic Health Record (EHR) and some will be stored locally on devices or in cloud-based applications to complement the EHR. This large volume of data enables patients and healthcare providers to make more effective and individualized healthcare decisions. However, it also opens up new challenges in data security.
When thinking about cybersecurity for patient health records, data privacy may be the first issue that comes to mind. These records can now store immense troves of personal information, possibly including the patient’s entire genome. What could possibly be more personal than that? However, data privacy risks are in general rather small. Patients may fear the implications of a hacker deliberately stealing their genetic health data, but that information is not easily monetizable, which makes it of little interest to attackers.
The bigger security risk for precision medicine is one of data integrity. Precision medicine depends on the reliability and accuracy of the data it is based on. If the data is corrupted (intentionally or unintentionally), doctors and patients may make erroneous decisions using this false data. In some cases, the potential for harm could be enormous if wrong treatments are prescribed or needed treatments are withheld based on corrupted data.
Imagine, for example, the implications if a woman receives bad data on her genetic risk for breast cancer. She may decide on an unnecessary preventative mastectomy believing herself to be at high risk, or, conversely, skip mammograms believing herself to be at low risk. Other situations are even more immediate and potentially life threatening, such as a diabetic patient basing insulin dosages on corrupted data.
As applications for precision medicine grow, cybersecurity for the devices that gather, analyze and transmit our data is of paramount importance. Patients need to trust that their data will be protected in order to trust the technology. More critically, patients and clinicians need to be able to trust the integrity of the data they are using to make critical medical decisions.
Precision medicine may involve many different types of medical devices, including:
Increasingly, the devices that we use to collect and analyze patient health data, including genomic and biometric data, are connected to the internet, hospital networks or each other. Even devices that are not continuously connected are likely to be connected to a network or to another device such as a laptop or thumb drive in order to transmit data or receive software updates. Each of these connections, no matter how brief, is a potential vector for a cybersecurity breach that could result in data corruption.
In most cases, the individual device is not specifically targeted: there is probably limited value for a hacker in breaking into a genetic sequencer or medical imaging device. However, these devices can be vulnerable to software and data corruption even if they are not the primary target of an attack. Many computer viruses are designed to propagate themselves as widely as possible. These bits of malicious code will insert themselves into any device that has a software vulnerability that they can exploit. The infected device may be directly harmed by the virus or may simply act as a vector as the virus attempts to infiltrate hospital networks or other devices. Malice is not a prerequisite for harm; data corruption may occur simply as a side effect of other things the virus is doing in the system as it blindly follows its programming.
Viruses that make their way into a device through a network connection or a thumb drive can cause the device to behave in unpredictable ways, including returning false or misleading data. Sometimes, the data corruption may be obvious, with the device returning nonsensical data or simply no data at all. In other cases, the effects of corrupted code may be more subtle: a sequencer returns false negatives for a particular set of genes, a device mislabels data files so patient records are swapped, or sensor data is 10% higher or lower than the actual value. These cases are potentially much more dangerous because while clinicians are likely to question or ignore nonsense data, they may take a simple false positive or a mislabeled set of records at face value and prescribe the wrong treatment.
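The contrast between obvious and subtle corruption described above, as an added example that is not part of the original article: a plausibility check rejects a nonsensical reading but accepts a 10% shift or a swapped patient label, while an integrity tag over the whole record flags all three. It assumes the tag is attached when the reading is acquired and that the key is out of reach of whatever later alters the record; the key, field names and plausibility range are constructed for illustration, and HMAC is one possible control, not one the article prescribes.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: only the acquisition component and the
# verifier hold it, so code that alters a stored record cannot re-tag it.
KEY = b"constructed-demo-key"

# Constructed plausibility window for a glucose reading, in mg/dL.
PLAUSIBLE_MG_DL = (20, 600)


def _canonical(fields: dict) -> bytes:
    """Serialize fields deterministically so sealer and verifier agree."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> dict:
    """Return the record with an HMAC-SHA256 tag covering every field."""
    tag = hmac.new(KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def plausible(record: dict) -> bool:
    """Fail-safe style check: is the value inside the expected range?"""
    low, high = PLAUSIBLE_MG_DL
    value = record.get("glucose_mg_dl")
    return isinstance(value, (int, float)) and low <= value <= high


def authentic(sealed: dict) -> bool:
    """Recompute the tag over all fields except the tag itself."""
    fields = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(sealed.get("tag", "")))


def check(sealed: dict) -> tuple:
    """Return (passes plausibility check, passes integrity check)."""
    return plausible(sealed), authentic(sealed)


# Constructed sample record, sealed at acquisition time.
ORIGINAL = seal({"patient_id": "P-001", "seq": 1, "glucose_mg_dl": 180})


def run_scenarios() -> dict:
    """Apply the article's corruption cases to the sealed record."""
    cases = {
        "untouched": ORIGINAL,
        # Obvious corruption: a nonsensical value.
        "nonsense": {**ORIGINAL, "glucose_mg_dl": -4000},
        # Subtle corruption: value 10% higher than the real reading.
        "shifted_10_percent": {**ORIGINAL, "glucose_mg_dl": 198},
        # Subtle corruption: reading filed under another patient.
        "swapped_patient": {**ORIGINAL, "patient_id": "P-002"},
    }
    return {name: check(rec) for name, rec in cases.items()}


if __name__ == "__main__":
    for name, (ok_range, ok_tag) in run_scenarios().items():
        print(f"{name:20s} plausible={ok_range!s:5s} authentic={ok_tag}")
```

A tag of this kind does not help if the value is already wrong before it is sealed, so it complements rather than replaces securing the acquisition path itself.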
To keep the precision medicine movement on track, medical device developers need to have a cybersecurity plan in place for the smart, connected devices that make the movement possible. Any device that relies on software to collect, analyze, store or transmit data needs to be built with data security in mind and assessed for potential cybersecurity vulnerabilities.
Fortunately, there are guidelines in place that device developers can follow. The FDA has released both premarket and postmarket guidance for medical device cybersecurity. In addition, the National Institute of Standards and Technology (NIST) has developed a framework that defines 18 families of cybersecurity controls that can be used to identify relevant cybersecurity vulnerabilities for a medical device or mHealth app. These documents provide best practices for medical device development, vulnerability assessment and post-market updates.
A cybersecurity plan for medical devices should include several components that span the development process.
Precision medicine is still in its infancy. As we continue to explore the links between genes, environment, behavior and health outcomes, the applications for precision medicine are likely to explode. That growth depends on the security and integrity of the data used to drive decisions. The time to think about the cybersecurity implications of precision medicine is now.
If cybersecurity isn’t part of your core expertise, or you want an objective third party opinion, it’s wise to consider bringing in outside security experts to assist with threat assessment, secure device development, and vulnerability testing. Battelle has put together a suite of services for medical device manufacturers called DeviceSecure® Services, which incorporates secure design, vulnerability assessment, and anti-tampering and anti-counterfeiting measures. We work with device developers at every stage of the product lifecycle, from device design and testing to development of post-market security practices.
No device is ever 100% secure, but medical device developers who integrate cybersecurity throughout their development process will be well prepared to address and mitigate potential data security risks. A comprehensive approach to cybersecurity will go a long way towards protecting the privacy and integrity of patient data, building trust among their users and buyers and reducing liabilities. Increasing the security of medical devices will give precision medicine a solid foundation of trustworthy data to grow on.
Stephanie Domas is Lead Security Engineer for Battelle’s DeviceSecure® Services. In this role, she is responsible for the design, architecture, verification, and execution of security best practices in the development of new medical devices as well as the testing and cybersecurity risk mitigation of legacy systems. Ms. Domas is an invited active member of the Association for the Advancement of Medical Instrumentation (AAMI)-UL Joint Committee 2800 - Medical / health device communication standards, the IEEE guidelines for security in medical device software development and production, and AAMI TIR 57 – Principles for medical device information security risk management. Ms. Domas has expertise in firmware reverse engineering (x86, x86_64, MIPS, 8051), penetration testing, application fuzzing, as well as application development (C/C++). Ms. Domas is a registered Professional Engineer (PE) in the state of Ohio, and a Certified Ethical Hacker (CEH). In addition, Ms. Domas serves as an adjunct faculty member at the Ohio State University College of Computer Engineering.
Dr. Nancy McMillan is a Manager and Research Leader at Battelle. She has a broad background in statistics, with specific training and expertise in Bayesian statistics and considerable experience applying statistical concepts across a wide range of applied problems. She has been a practicing applied statistician working in a research environment for 20 years. Her work focuses on providing quantitative analysis that captures uncertainty to support science-based decision making, particularly for problems that require analysis of big data, such as Precision Medicine. She has been a certified Project Management Professional since 2011.
Cybersecurity is becoming increasingly important as digital medical devices become more complex. Medical device manufacturers are developing sophisticated ways to ensure the digital integrity of their devices as well as the confidentiality of the information they contain or transmit. With this increased focus on cybersecurity, it is imperative for manufacturers to consider how such security measures impact usability. This is especially important because poor usability in a medical device can result in patient harm.
Watch the webinar recording of Battelle’s Stephanie Domas and T. Grant Leffingwell as they explore the intersection of medical device security and usability.
Smart, connected medical devices have launched a transformation in healthcare. But as devices become more sophisticated and connected, they also become more vulnerable to cybersecurity risks.
When developing a cybersecurity plan, many manufacturers only think in terms of vulnerability testing. While testing is a critical part of the process, the most effective and efficient approach to mitigating cybersecurity risks starts with smart design. By building secure design principles into the device from the start, manufacturers can minimize their risks and avoid missteps that could lead to costly delays and expensive changes later in the development cycle.
Dr. David Friedenberg is taming big data for healthcare and medical device innovation. A Principal Research Statistician at Battelle, David applies state-of-the-art machine learning methods to big data problems in neuroscience, analytical chemistry and other domains. For the last several years, he has been working primarily on Battelle NeuroLife®, an innovative neural bridging technology that has given a quadriplegic man conscious control over his hand and fingers.