Article: Year of Telehealth

Here's an article telling us what lots of us already have learned, that telehealth is an up a coming method of providing effective and cost-effective as well as continuous medical care where ever a patient may be. Here's the link to the article: https://www.beckershospitalreview.com/telehealth/dr-toby-cosgrove-2019-will-be-the-year-of-telehealth.html

Here's a quote from the article that I think is of interest:

"[Oakland, Calif.-based Kaiser Permanente] is seeing over 50 percent of their patients distantly," Dr. Cosgrove told CNBC.

What Cosgrove isn't telling us is how telehealth is being provided. Telehealth is pretty loosely defined. It can mean that patients have access to a health care provider through chat or the telephone. Or it can mean something more sophisticated such as continuous medical-device communication and automated monitoring. One way or another telehealth is clearly on the rise and will likely become the standard for providing care.

Training a Damaged Brain

One of my medically related interests is a neurological disorder know as CTE, Chronic Traumatic Encephalopathy. I became aware of this disorder largely through an exceptional documentary on PBS Frontline, League of Denial. It's a history of the discovery of this disorder as found in NFL players and the lengths the NFL had gone to deny that this disorder is common among those in NFL and football players in general. If you're not familiar with CTE and its connection to playing tackle football, I strongly suggest that you see this documentary. And consider reading and watching much of the source material. The work in this area continues to progress with more and more sufferers of CTE being discovered among those who were NFL players. Many of the changes in the rules and football equipment has been driven by research on CTE and the accumulating findings.

CTE is not the only type of brain damage that afflicts older NFL players. CTE is particularly troubling because its severity on suffer's cognitive and emotional functioning. There are brain damage related disorders are not at the level of severity as CTE that plague older football players.

A few days ago I ran across a treatment system that trains damaged brains. Many of the former football players, particularly those from the hard-hitting NFL, live in a kind mental haze, as if they were living in a dream state. They're unable to concentrate or focus for even a short period of time on anything without mentally drifting from the task at hand. This training system has been shown to significantly increase lift patient's emotions and apparently, lift them out of the mental hazy they have been living with for years. Here's a link to video and the article: https://denver.cbslocal.com/2016/02/08/former-broncos-seek-concussion-relief-through-neurofeedback/

The treatment system is called neuro-feedback. Because it appears to run on a computer, it would seem that it would be something that a patient could use on their own home computer.

Now, one of the reason's I mention this is because one of the people mentioned in the article and who is in the video is Jon Keyworth (and his wife). I mention that because Jon and I were childhood friends. He and I grew up in the same neighborhood. Jon is a few years older than I am. And we went to different high schools and different universities. Our paths diverged, but I haven't forgotten Jon. I followed his career from a distance and I've been in contact with people who have known him over the years.

Jon was an exceptional athlete. (Interestingly enough, the only person I've ever know who had athletic skills at Jon's level is my younger brother.) Me? I'm no athlete. I kept trying and continue to ride a road racing bicycle at respectable speeds, low to mid 20s MPH over reasonable distances, but in truth my athletic skills are at the opposite end of the bell curve from Jon. I'm not ashamed to say that I'm jealous. I always wondered what it would be like to have athletic skills at his level. (I bet there are others out there who have wondered the same thing.)

Let me go through Jon's success as a football player. Jon played for the Denver Broncos as number 32 for his entire NFL career from 1974 to 1980. (Seven seasons.) He was fullback meaning that his primary job was as a blocking back, nevertheless Jon is listed the 10th best all time rusher for the Broncos. He played in Super Bowl 12. (Not only can I not imagine what it's like to play in an NFL game, I certainly can't imagine what it would be like to play in the Super Bowl. I haven't had anything close to that kind of an experience. I guess it must have been nice, but that's something I'll never know.)

One more thing I want emphasize. Jon was, is and will be a much nicer, kinder person than I ever have been or will be. Forget about any stereotypes that you might hold about NFL players, particularly the stars of the game. At least as it applies to Jon. Jon is someone filled with warmth, kindness and generosity. And when I ran across the article and video above that talked about Jon's plight and his way back, I felt that I needed to share this treatment as well a little bit of Jon's story. It could be that these players and the treatment they're undergoing may have an impact on a much wider group, maybe people suffering from dementia, especially early dementia. Maybe it can be slowed or possibly reversed. But these former players may be blazing a trail for the rest of us.

So, thank you, Jon. And your wife. And thanks to the people who have developed the treatment and continue to refine it. 

Adhesives: Part of the Future for the Remote Monitoring Sensors?

I just ran across this article a few minutes ago. It's a serious article published in Machine Design. Here's the link: http://www.machinedesign.com/mechanical/adhesives-enabling-future-wearable-medical-devices?NL=MD-005&Issue=MD-005_20180724_MD-005_524&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000003255032&utm_campaign=18775&utm_medium=email&elq2=5b76b40ea8f44d76b2b883c5c09f23fe

It's an extremely readable article and what's being described has in my opinion real applicability in the future of medical sensors. Adhesive, "band-aid" or strip sensors development applies to both the fitness set as well as to remotely monitored patients.

Transmitting data to monitoring systems and people will likely require an intermediate device such as a smart phone. I suspect that the real issues and hurdles will likely revolve around digital communications issues and standardization. Having worked most of my life in the communications domain, communications issues can be successfully overcome.

Here are a few quotes from the article:

Device manufacturers are taking steps to create medical devices that are smaller, lighter, and less invasive. Whether they’re adhering device components together or sticking a device to skin, adhesives are uniquely bonded to a device’s success.

Both consumers and patients want wearable devices to be smaller, lighter and less cumbersome to use for seamless integration into their everyday lives. The design process can get challenging when devices must maintain accurate sensing capabilities, but also reduce friction to ensure precise data collection. Adhesives can help to keep friction to a minimum by being breathable and maintaining a low profile. In addition, options with flex electronics, as well as addressing battery implications and electromagnetic interference, provide opportunities for advancement.

Adhesive wear time is a crucial consideration when designing a wearable device, impacting overall resilience and durability, as well as how often the user will need to change their device. 

______________

I should mention that by the looks of things, it appears to me that 3M maybe behind the article. Nevertheless, I think that considering adhesives in the research, design and development process of a bio-sensor is worth your time. 

Article: Remote Monitoring of Heart Failure Patients

Although this article was published in 2013, it's findings are still applicable today. Moreover, there is applicability of this system remote monitoring and remote patient management to patients with other chronic conditions other than heart failure. 

I have experience with engineering methods to support remote monitoring and treatment of heart failure patients and this article is an extensive review many of the systems that were and would be coming available in 2013 and later.

Here is the link: Remote Monitoring of Heart Failure Patients by Arvind Bhimaraj, M.D., M.P.H. I recommend this article if you have an interest in many of the details of remote monitoring and remote patient management.

Heart Failure

Heart failure is a chronic disorder and requires continual monitoring and management. The management of heart failure patients remotely can serve as a model for managing patients with other chronic disorders such as diabetes or COPD.

Article Abstract (from the article)

Heart failure continues to be a major burden on our health care system. As the number of patients with heart failure increases, the cost of hospitalization alone is contributing significantly to the overall cost of this disease. Readmission rate and hospital length of stay are emerging as quality markers of heart failure care along with reimbursement policies that force hospitals to optimize these outcomes. Apart from maintaining quality assurance, the disease process of heart failure per-se requires demanding and close attention to vitals, diet, and medication compliance to prevent acute decompensation episodes. Remote patient monitoring is morphing into a key disease management strategy to optimize care for heart failure. Innovative implantable technologies to monitor intracardiac hemodynamics also are evolving, which potentially could offer better and substantial parameters to monitor.

My Analysis

With the advent of smartphones and increasingly sophisticated, smaller and lower power bio-sensors, remote monitoring and remote patient management of all types of chronic conditions should be on the rise. Furthermore, the rise and acceptance of computerize expert medical systems (artificial intelligence), should make remote monitoring and remote patient management a first choice. Not only will this lower costs, but as we have seen it: increases patient satisfaction and mobility, enabling a patient to spend time traveling and enjoying the life that remains.

One more thing ... and I have to add this as a point of pride, a quote from the article:

Also, advancements in implantable wireless technology seen with the pulmonary capillary pressure monitoring device CardioMEMS® (CardioMEMS, Inc., Atlanta, GA) and the left atrial pressure monitor HeartPOD™ System (St. Jude Medical, Inc., St. Paul, MN) or Promote® LAP System (St. Jude Medical, Inc., St. Paul, MN) bring us closer to finding the holy grail of home monitoring systems. (my emphasis)

I had a part in SJM's LAP project. I was working at SJM when this project was in the state of early patient trial. The project manager needed assistance with issues related to and testing of operation of the user interface including the how the computerize system would interact with patients to collect necessary data and provide the patient with directions on what to do to manage their current condition -- mostly, taking medication and performing certain activities. I provided that assistance, design direction and usability testing for this early stage product. Although I haven't seen this system in it's commercial form, I suspect that a lot of what I did was included in the commercial product. The "holy grail" comment is personally gratifying. And I should mention that my experience with the LAP system was one of this things that lead me to starting and continuing with this blog.

New York Times Opinion: Why Health Care Tech Is Still So Bad

This was an opinion piece published 21 March 2015 in the New York Times written by Robert M. Wachter, Professor of Medicine, University of California, San Francisco and author of "The Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine’s Computer Age” also published in the New York Times.

Here's the link to the article: http://www.nytimes.com/2015/03/22/opinion/sunday/why-health-care-tech-is-still-so-bad.html?smid=nytcore-ipad-share&smprod=nytcore-ipad

I have commented on several quotes from the article.

1. "Even in preventing medical mistakes — a central rationale for computerization — technology has let us down. (My emphasis.) A recent study of more than one million medication errors reported to a national database between 2003 and 2010 found that 6 percent were related to the computerized prescribing system.

At my own hospital, in 2013 we gave a teenager a 39-fold overdose of a common antibiotic. The initial glitch was innocent enough: A doctor failed to recognize that a screen was set on “milligrams per kilogram” rather than just “milligrams.” But the jaw-dropping part of the error involved alerts that were ignored by both physician and pharmacist. The error caused a grand mal seizure that sent the boy to the I.C.U. and nearly killed him.

How could they do such a thing? It’s because providers receive tens of thousands of such alerts each month, a vast majority of them false alarms. (My emphasis.) In one month, the electronic monitors in our five intensive care units, which track things like heart rate and oxygen level, produced more than 2.5 million alerts. It’s little wonder that health care providers have grown numb to them."

Comments: Before I read the third paragraph, I was thinking How can you blame the computer when it provided you with an alert regarding the prescribing error that you made? 

It is well known that systems that produce a high percentage of false alarms, that those alarms over time will be ignored or discounted. I consider this is a devastating indictment. We must do better.

I have been a human factors engineer and researcher for decades. One of the mantras of human factors is preventing errors. That's central to what we're about. But if the systems we help engineer generate false alarms at a rate that has our users ignoring the correct ones, then we have failed and failed miserably.

I think the problem of false alarms requires further research and commentary.


2. "... despite the problems, the evidence shows that care is better and safer with computers than without them."

Commentary: This is nice to read, but we as medical technologists need to do better. We really need to follow up on the repercussions of our technology we create when it's deployed and used in the field.


3. "Moreover, the digitization of health care promises, eventually, to be transformative. Patients who today sit in hospital beds will one day receive telemedicine-enabled care in their homes and workplaces."

Commentary: I agree. Of course that's a central theme of this blog.


4. "Big-data techniques will guide the treatment of individual patients, as well as the best ways to organize our systems of care. ... Some improvements will come with refinement of the software. Today’s health care technology has that Version 1.0 feel, and it is sure to get better.

... training students and physicians to focus on the patient despite the demands of the computers.

We also need far better collaboration between academic researchers and software developers to weed out bugs and reimagine how our work can be accomplished in a digital environment."

Commentary: Agreed again. But, I believe that technologist just can't dump these systems into the healthcare environments without significant follow-up research to insure that these systems provide or suggest the correct treatment programs and effectively monitor patients. Investment in systems like these will be cost effective and improve lives, but only if the necessary level of care and follow-up is performed.


5. "... Boeing’s top cockpit designers, who wouldn’t dream of green-lighting a new plane until they had spent thousands of hours watching pilots in simulators and on test flights. This principle of user-centered design is part of aviation’s DNA, yet has been woefully lacking in health care software design."

Commentary: All this is true. And as noted above that it would be a good idea to do more extensive research on medical systems before we deploy them to the field as well. That this is not done may be a regulatory issue that the FDA has not required the kind of rigorous research as performed in aircraft cockpit design. They should require more research in real or simulated environments. Right now, all that appears to be required is a single verification and single validation test before allowing commercialization. I think it would be valuable for regulators to require more research in real or simulated settings before allowing companies to commercialize their products.

Or, requiring more extensive follow-up research. Grant companies the right to sell their medical products on a probationary basis for (say) 1 year after receiving initial commercialization certification. During that year, the company must perform follow-up research on how their medical product performs in real environments. If there are no significant problems ... such as overly abundant number of false alarms ... then the product no longer on probation and would be considered fully certified for commercialization.
However, if significant problems emerge, the FDA could:

a) continue to keep the product in a probationary status pending correction of those problems and another year of follow-up research or

b) it could require the withdrawal of the product from sale. A product that had been withdrawn would have to go through the entire commercialization certification process just as if it were a new product before commercialization and sale would be allowed.


A final thought ... I think there's a reality in commercial aviation that is not true in medicine. If commercial aircraft killed and injured as many people as are killed and injured by medical practitioners, then the commercial aviation would come to a halt. People would refuse to fly because they perceive it to be too dangerous. But, if you're sick, then you have little choice but the clinic, ER or hospital.

Internet of Things ... From a Connected Medical Device Perspective

Before I dive into the issues regarding the possible means for connecting medical devices to the Internet, I would like to provide you with a little background on two relevant research programs I have lead. I was the principal investigator on two Federally supported research programs described below.

The first was a NIST Research grant to support the development of a secure and commercially viable wireless data communications technology. Much of that technology has been incorporated into today's smartphones, although not all of what we created has yet found its way into the current generation of smartphones. But with each iteration, more of what we created gets incorporated.

A central part of our program was to insure secure and private data communications. It would be secure from infiltration by malware and impenetrable by snoops ... including the NSA. The system worked by securing and controlling both ends of the communication. It was capable of sending a single file to over multiple communications channels simultaneously, the packets could be sent out of order using multiple forms of encryption including nonstandard or private encryption methods -- that are much harder to break. By securing and controlling both ends of the connection between devices, we could completely control what went in and out of the channel. Nothing would flow to the other end that was out of our view or control.

The second Federal grant was for a data security program. VoIP communications channels are lightly secured largely due to the requirements to insure that audio is clear and voices understandable. This fact makes VoIP channels particularly vulnerable vectors to use for an attack. There have been attempts to logically divide voice and data channels; however, there have been several demonstrations that this does not always work. Our research focused on methods to detect the presence of an intruder without disrupting or significantly lowering audio quality. And when we detected a possible intruder, we attacked this apparent intruder through a series of escalating techniques that could finally end with terminating the connection when it was clearly apparent that an intruder was using the VoIP connection to do something nefarious.

Architectures for the Internet of Things

The two architectures I would like to review are direct and mediated connections that could be used in the realm of the Internet of Things.

Direct and mediated connections are illustrated in the figure below.

The real difference between the two diagrams is the way the Apple Watch is connected to the Internet. On the left the Watch is directly connected to the Internet. When connected, it is an addressable device on the Internet. On the right, the Watch is connected to the Internet through the iPhone. The iPhone mediates the connection to the Internet through the iPhone. All the data traffic to and from the Watch goes through the iPhone.

A mediated connection through the device can be as simple and unmanaged as one through a router. However, with the appropriate software on the iPhone, the iPhone should be able to manage the connection with and security of the Watch.

In the case of the direct connection, management of the connection to the Internet including security must be done by the Watch itself. The Watch could be subject to a direct attack and must defend against such an attack by itself.

Best Architecture for Medical Devices?

In the diagram above, I'm treating the Watch as if it were a medical device ... and a medical device it could be. It would seem that the safest connection to the Internet would be a mediated connection. However, there are hybrid scenarios. For example, incoming communications including software updates could require a mediated connection. Encrypted uploads from the Watch to a centralized server system could use a direct connection.

This is a brief introduction into this topic. I'll have further explorations into this issue in future articles.

How This Blog Got Going: MRI Safe and Conditional Pacemakers, Reprise

I have decided to return to the thing that I was working on when I started this blog ... an MRI conditional pacemaker. Specifically, an MRI conditional pacemaker for St. Jude Medical. At the time I was Lead Human Engineering Clinical Systems Engineer on this project. Before I go any further I would like to distinguish between MRI conditional and MRI safe devices. It is important to distinguish between the two.

MRI Conditional v. MRI Safe

Having an MRI safe implanted cardiac device is the ideal situation. If the cardiac device is MRI safe, it means that a device patient can be "popped" into an MRI without any changes to the device. For the patient it's just like the person does not have an implanted device. The only difference is that the resulting imagery from the MRI around the device may not be as good if the person did not have an implanted device. 

An MRI conditional device presents some significant procedural challenges to all those involved. If a person has an MRI conditional device, certain conditions must be met before the device patient is allowed to enter the MRI. When I was working at St. Jude Medical, changes in the settings that operate the device are required before the patient enters the MRI. Once scanning is complete, the settings need to be changed back to their normal, operational settings.

As of publication of this article, only one medical device company has a commercially available MRI safe pacemaker, Biotronik. St. Jude Medical and Medtronic have commercially available MRI conditional devices. 

When I was work at St. Jude, the only cardiac device being engineered to permit patients to have MRI scans were pacemakers. At the time ICDs and CRTs were not considered for MRI compatibility. However, apparently, Biotronik has developed an MRI conditional ICD that is commercially available ... at least in Europe.

There are other issues regarding MRI compatibility such as whether there are limits on the area that can be scanned a cardiac device patient ... something other than a full body scan. The allowable limits on how much can be scanned are continually in flux. But this particularly issue does not have anything to with the story I want to tell.

My Experience with the MRI Conditional Project

The St. Jude Medical MRI conditional pacemaker was engineered to enable patients to undergo an MRI scan. To insure that pacemaker patients would not be harmed by the scan required that the operating settings on the pacemaker be adjusted. (To make a long story short ... a change in the setting needed to make sure that the sensing lead to heart be turned off. The pacemaker could be changed to constant pace or turned off entirely if the patient is not pacemaker dependent ... as most pacemaker patients are.)

So the major problem in this entire issue was in regards to how to change the settings on the device? Who would do it, how would it be done, what would the settings be? Essentially three basic approaches were considered:

1. Have the patient's cardiac physician or cardiac nurse go to the MRI center, lugging their device programmer with them, change the settings on the patient's device to those that are MRI compatible, wait for the scan to complete, reset the settings to normal and examine the patient to insure that the patient is OK.
2. Have the settings changed remotely. The patient is at the MRI center, the cardiac professional is in the office, at the hospital or at home. This is known as "remote programming."  At the time this was something that the FDA did not allow. Using remote programming, the patient's device communicates wireless to a pacemaker communicator located at the MRI center. The cardiac professional sees a 30 second rhythm strip before setting the patient's device to the MRI settings and sees another 30 second rhythm strip after the changes have been made. (Just like an onsite cardiac professional would do.) The patient undergoes the scan. During that time, the professional can perform other tasks. Once the scan is complete, the cardiac profession changes the pacemaker settings back to normal and sees the before and after rhythm strips. 
3. The pacemaker is programmed with two settings by the cardiac professional using the programmer. The first set of settings define the normal operation of the pacemaker. The second set are the MRI settings: that is, the settings of the pacemaker when the patient undergoes an MRI scan.  When the pacemaker patient goes to the MRI center, the MRI tech takes a wand (that's best way I can describe it.) and changes the settings from normal to MRI. Once the patient completes the MRI scan, the MRI tech uses the wand to change the patient's setting back to normal. 

I became quickly apparent that cardiac professionals had no interest in option 1. As it turned out St. Jude Medical chose the third approach. 

When the third approach was described, I had numerous objections ... mostly related to the device that would change the setting on the pacemaker. Thankfully, there have been substantial changes and upgrades made to the wand. However, I wanted to purse option 2, remote programming. And the desire to purse option 2 inspired me to start this blog ... hence the title Medical Monitoring & Remote Programming.

Wherefore Remote Programming?

Most physicians showed some hesitancy when it came to adopting remote programming. They saw it as unproven ... and they were right, it was (and so far as I know still is) unproven and still not acceptable to the FDA. However, many if not most were intrigued by the idea and thought that the technology should be pursued. Many clearly saw the potential value of the technology, the value of being able to monitor patients remotely with the potential ability to change cardiac device settings without the patient being in the office could be a revolution in patient care ... not only for people with chronic conditions like heart problems, diabetes or neurological problems that involve implanted devices, but potentially everyone. And it need not involve the need for implanted or wearable devices. We'll explore this in later postings.

Some Articles of Interest Before the 4th

I came across two long investigative articles that I thought could be of interest those in the medical products field. One article is from the National Journal and the other from Pro Publica. Here are the links to the articles with short clips.

Spinal Product Controversy Raises Red Flags on Medical Journals’ Disclosure Policies

Medical journals have long had to wrestle with the possibility that financial bias influences the work they publish, but if the growing controversy over Medtronic's Infuse spinal product is any indication, they may not be doing enough.

Comment: This is an area that should concern everyone in the field of medical devices and device research. I am very aware that companies fund a lot of empirical and academic research much of which is published in peer-reviewed and respected medical journals. On the face of it, nothing wrong with that. When I was a graduate student, some of my research was funded the research and development division of a well-known (non-medical) company. The funding had absolutely no bearing of the design of the research program, the data collected or interpretation of the data. The concern expressed in this article is whether data maybe suppressed or not reported in an unbiased fashion particularly when it comes to reporting data related to the risks. You be the judge.

How the Media Fell for McKinsey's Twisted Health Care Report

Critics of last year’s health care law pounced on what seemed like a damning new survey, but the details were a lot murkier than the headlines.

Comment: This is an interesting article well worth your time to read.


Finally, here's a short article that just came across indicating how rural health may well be the driver behind telemedicine. Here's the link to the article:


Rural Healthcare to Drive the Global Telemedicine Industry

...[C]ountries face various problems in the provision of medical services and health care, including funds, expertise, and resources. To meet this challenge, the governments and private health care providers are making use of existing resources and the benefits of modern technology. Besides, with limited medical expertise and resources, telecommunication services have the potential to provide a solution to some of these problems. As telemedicine has the potential to improve both the quality and the access to health care regardless of the geography; the rural market is driving the incessant growth of the telemedicine market.

Hacking Grandpa's ICD: Why do it?

Background

I am part of another professional discussion group with an interest in Medical Data, System and Device security.  One of the topics was whether medical devices are a likely target for cyber-attacks.  I made a contribution to the discussion and stated that I believed that although unlikely, I thought that medical devices will eventually be targets of cyber-attacks.  But putting data security measures into medical devices is at odds with the directions that the medical device industry wants to take its product lines.  The trends are for smaller and less power-hungry devices.  Adding data security measures could increase power demands, increase battery sizes and thus increase device size.  Nevertheless, I believe that starting the process of putting data security measures into the medical devices has merit.

I received a well-reasoned response that hacking medical devices was highly unlikely and research funding on security measures for medical devices would be money best spent elsewhere.  That response started a thought process to develop a threat scenario to address his points.

I reviewed my earlier article on "hacking medical devices," http://medicalremoteprogramming.blogspot.com/2010/04/how-to-hack-grandpas-icd-reprise.html.  I revisited the paragraph in my regarding the motivation for hacking a medical device, an extortion scheme. 

When I wrote that article, I did not have any particular scheme in mind.  It was speculation based more on current trends.  Furthermore, I did not other motivations as particularly viable - data theft, not much money or value in stealing someone's implant data or killing a specific person, there are easier ways to do this although it might make a good murder mystery.

I did come up with a scenario, and when I did, it was chilling.





The Threat Scenario

First, as I had previously suggested, the motivation for hacking medical devices would be extortion.  The target of the extortion would be the medical device companies.  Before getting into the specifics of the extortion scenario requires that you understand some of the technologies and devices involved.

The wireless communications of interest occurs between a "base station" and a wirelessly enabled implanted device as shown in the figure below.

The base station need not be at a permanent location, but could be a mobile device (such as with the Biotronik Home Monitoring system).  The base station in turn communicates with a large enterprise server system operated by the medical device company.


The two systems communicate use wireless or radio communication.  For example, St. Jude Medical uses the MICS band - a band designed by the FCC for medical devices in the range of 400Mhz.  To insure that battery usage for communications is minimal, the maximum effective range between is stated as 3 meters.  (However, I have seen a clear connection established at greater 3 meters.)  


In general, the implant sends telemetry data collected it has collected to the base station.  The base station sends operating parameters to the implant.  Changing the operating parameters of the medical device is know as reprogramming the device and define how the implant operates and the way the implant exerts control over the organ to which it is connected.


Device Dialogue of Interest to Hackers

As you probably have guessed, the dialogue of interest to those with criminal intent is the one between the base station and the device.  The "trick" is to build a device that looks like a legitimate base station to the medical device.  This means that the bogus device will have to authenticate itself with the medical device, transmit and receive signals that the device can interpret.  In an earlier article (http://medicalremoteprogramming.blogspot.com/2010/03/how-to-hack-grandpas-icd.html), I discussed an IEEE article (http://uwnews.org/relatedcontent/2008/March/rc_parentID40358_thisID40398.pdf**) where the authors had constructed a device that performed a successful spoofing attack on a wireless Medtronic ICD. So, based on the article, we know it can be done.  However, based on the IEEE article, we know that it was done at distance of 5 cm.  This was aptly pointed out in a comment on my "How to Hack Grandpa's ICD" article.


Could a Spoofing/Reprogramming Attack be Successful from Greater than 5 cm or Greater than 3 meters?


I believe the answer to the question posed above is "yes."  Consider the following lines of reasoning ...

1. As I had mentioned earlier, I know that base stations and medical devices communicate at distances of 3 meters and can communicates greater distances.  The limitation is power.  Another limitation is the quality of the antenna in the base station.  The communication distance could be increased with improvements in the antenna and received signal amplification. 
2. The spoofing/reprogramming attack device could be constructed to transmit at significantly greater power levels than current base station.  (Remember, this is something built by a criminal enterprise.  They need not abide by rules set by the FCC.)  Furthermore, a limited number, maybe as few as one or two, of these systems need be constructed.  I shall explain why later.
3. A base station can be reverse-engineered.  Base stations can be easily obtained by a variety of means.  Medical devices can be stolen from hospitals.  Documentation about the communication between the medical device and the base station can be obtained.

Thus, I believe the possibility exists that a device that emulates a base station and could successfully perform a spoof/reprogramming attack from a significant distance from the target is possible.  The question is, what is to be gained from such an attack?


Attack Motivations


Extortion: Earlier I mentioned that in an other article, I suggested that the motivation would be extortion: money, and lots of it.  I think the demands would likely be in the millions of US dollars.

In this scenario, the criminal organization would contact the medical device companies and threaten to attack their medical device patients.  The criminal organization might send device designs to substantiate their claims of the ability to injure or kill device patients and/or send the targeted company with news reports sudden unexplained changes in medical devices that have caused injuries or deaths in device patients.


Market Manipulation: Another strategy would be as a means to manipulate the stock prices of medical device companies - through short-selling the stock.  In this scenario the criminal organization will create a few base station spoofing/reprogramming systems. Market manipulation such as placing the value of the stock at risk could be a part of the extortion scheme.




Book of Interest: Hacking Wall Street: Attacks And Countermeasures (Volume 2)


In another article I'll discuss how someone might undertake an attack.




** Halperin, D, Heydt-Benjamin, T., Ransford, B., Clark, S., Defend, B., Morgan, W., Fu, K., Kohno, T., Maisel, W. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, IEEE Symposium on Security and Privacy, 2008, pp 1-14.

How to Hack Grandpa's ICD, Reprise ...

Several weeks ago I published an article (How to Hack Grandpa's ICD) discussing another article published in an IEEE journal that described a variety of ways to hack, illicitly manipulate or modify an ICD.  To those in the know, this is a potentially greater concern than I had imagined.  As it turns out, not surprisingly enough, the concerns about hacking are not limited to ICDs. 

One of my readers notified me of a recent article published by the CNN website that discusses concerns regarding the capability to hack ICDs.  Here's the link to the article that was published on 16 April 2010.  I was also republished in the Communications of the ACM (of which I am a member) on 19 April 2010.


Much of the article appears below Before proceeding, I would like to add a little background about myself and a little bit of commentary regarding hacking.  I am a co-founder of data leak security company, Salare Security (http://www.salaresecurity.com).  If anyone is interested in what the company does, please do follow the link above.  (As of this point, I am a silent partner in the company.  My partners are currently running the business.)  I mention this because I have some real-world based knowledge regarding system vulnerabilities.  

From experience and research I have found that even vulnerabilities that seem unlikely to be exploited, inevitably are exploited.  If something can be gained from a target and a vulnerability exists, you can be assured that the vulnerability will be exploited.  

For example, specific vulnerabilities that Salare Security addresses months ago were considered unlikely to be exploited because of the lack knowledge and a lack of interest on the part of hackers.  However, the vulnerabilities are of significant interest because if exploited, the damage to a government, a company or other organization could be severe.  Nevertheless, the thinking in the industry has been that exploitation of the vulnerabilities over the near term were remote.

However, recently, we have received information that the system vulnerabilities that Salare Security addresses have been exploited by a government funded group of hackers.  So much for "nothing happening in the near term."  

In the case of the vulnerabilities that Salare Security protects ... the hackers were after information.  (I do not know the details of the attack so I cannot tell you what information they stole.)  But, why might hackers develop systems to exploit medical device vulnerabilities?  

My sense is that the hackers most likely are not out to attack, injure or kill people with medical devices.  In my estimation, these hackers would be engaged in an extortion scheme against a device manufacturer or manufacturers.  This suggestion is based on some of the current trends in criminal activity. (Please see: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1510919,00.html?track=NL-102&ad=763387&asrc=EM_NLN_11442713&uid=6228713)  The article references other possible motives for hacking medical devices.  I would strongly side with any motivation that opens the door for extracting money from a manufacturer.

Here is the article published by CNN

Scientists work to keep hackers out of implanted medical devices
By John D. Sutter, CNN  (4/16/2010)

(CNN) -- Nathanael Paul likes the convenience of the insulin pump that regulates his diabetes. It communicates with other gadgets wirelessly and adjusts his blood sugar levels automatically.
But, a few years ago, the computer scientist started to worry about the security of this setup.
What if someone hacked into that system and sent his blood sugar levels plummeting? Or skyrocketing? Those scenarios could be fatal.  

Researchers say it is possible for hackers to access and remotely control medical devices like insulin pumps, pacemakers and cardiac defibrillators, all of which emit wireless signals.
In 2008, a coalition of researchers from the University of Washington, Harvard Medical School and the University of Massachusetts at Amherst wrote that they remotely accessed a common cardiac defibrillator using easy-to-find radio and computer equipment. In a lab, the researchers used their wireless access to steal personal information from the device and to induce fatal heart rhythms by taking control of the system.

This article references the same IEEE article that I referenced in my blog posting.

"Medical devices have provided important health benefits for many patients, but their increasing number, automation, functionality, connectivity and remote-communication capabilities augment their security vulnerabilities," he wrote.

FDA spokeswoman Karen Riley declined to say whether the FDA is looking into new regulations of wireless medical devices; she added that the responsibility for making the devices secure falls primarily on the manufacturer.

"The FDA shares concerns about the security and privacy of medical devices and emphasizes security as a key element of device design," she said.
Wendy Dougherty, spokeswoman for Medtronic Inc., a large maker of implantable medical devices, said the company is willing to work with the FDA to establish "formal device security guidelines."
The company is aware of potential security risks to implanted medical devices, she said. "Safety is an integral part of our design and quality process. We're constantly evolving and improving our technologies."
In a written statement, Dougherty described the risk of someone hacking into a wireless medical device as "extremely low."

Wireless connections

The security concerns stem from the fact that pacemakers, defibrillators and insulin pumps emit wireless signals, somewhat like computers.
These signals vary in range and openness. Researchers who reported hacking into a defibrillator said some in-the-body devices have a wireless range of about 15 feet.

Many devices do not have encrypted signals to ward off attack, the researchers say. Encryption is a type of signal scrambling that is, for example, employed on many home Wi-Fi routers to prevent unknown people from accessing the network.

Motive

There's some question as to why a person would hack into a pacemaker or insulin pump and how the hacker would know a person uses a medical device.
Maisel listed some possible scenarios in his New England Journal article.
"Motivation for such actions might include the acquisition of private information for financial gain or competitive advantage; damage to a device manufacturer's reputation; sabotage by a disgruntled employee, dissatisfied customer or terrorist to inflict financial or personal injury; or simply the satisfaction of the attacker's ego," he wrote.
Denning, from the University of Washington, said the current risk of attack is very low, but that someone could hack into a pacemaker without apparent motive.
She referenced a case from 2008 in which a hacker reportedly tried to induce seizures in epilepsy patients by putting rapidly flashing images on an online forum run by the Epilepsy Foundation.

I emphasized Denning's comments because in my experience those are "famous last words." If there is a way to profit from exploiting a vulnerability, be assured, it will be exploited.

 

Additional Resources

Hacking For Dummies

Gray Hat Hacking, Second Edition: The Ethical Hacker's Handbook

Hacking Exposed: Network Security Secrets and Solutions, Sixth Edition

Hacking: The Art of Exploitation, 2nd Edition

Hacking Wireless Networks For Dummies (For Dummies (Computer/Tech)) 

 

Medical Implant Issues: Part 1, A True Story

When I started this article, I thought I could place it into a single posting.  However, having written just the first section, noted it's length and how much more there was to write.  Thus, I decided to turn this into a serialized publication just as I am doing with HE-75.  Thus, here is Part 1 ...
 

Part 1: Background Story

Before I dive into the technical details of this issue, I want to tell a true story from my own experience.  It involves a friend of mine.  (I need to be vague regarding the person's identity including gender and how I came to know this person.  As you read this, you'll understand.) 

My friend was incredibly intelligent (e. g., the best applied statistician I have ever known) and physically attractive, and diagnosed as a paranoid schizophrenic.  In the early 1990's, my friend underwent back surgery.  To my amazement, my friend claimed that the surgeon had placed a "chip," small processor into the person's spinal cord.  My friend said that the chip could be activated by people with controls that looked like garage door openers.  When activated, the chip would cause my friend to have a sudden, overwhelming desire to have sexual relations with the person who had activated the chip.  My friend called this chip a "tutu."

At the time I had been part of the cutting-edge technology community to know that such a chip was absurd.  And I told my friend that this chip did not exist. My information was not well received by my friend who was convinced of the reality of this chip.

I tell this story because at the time my friend informed me of the "tutu," the idea of embedding a chip in a human being and activate it using wireless means was patently absurd.  Embedding programmable chips with wireless communications less than a decade and a half later is no longer considered absurd, but real.  And for some people, frightening with religious overtones.  Consider what the Georgia state legislature just passed and you'll understand what I mean.  Here's a link to that article: Georgia Senate Makes "Mark of the Beast Illegal."


The reaction from the Georgia Senate makes my paranoid-schizophrenic friend's story seem plausible.  Interestingly enough and I did not realize it at the time (but I do now), that was my introduction to wireless, medical remote programming.  As I said, my friend was extremely intelligent and as it turned out more creative and prescient than I realized at the time.  Turns out that today a device embedded in the spinal cord with the ability to trigger sexual experience is real.  And the ability to embed microprocessors and controls in people with the capability of wireless communication and medical management is also real.


I tell you that story not to make light of people's stories and fears, but as a "sideways" introduction to the technical topic of dealing with multiple, embedded medical monitoring and remote programming systems.  And to suggest that people may have real fears and concerns regarding the capabilities that technologists like myself often overlook.  In this series I discuss real and imagined fears as well as the technical problems with multiple, implanted devices.




Part 2: Multiple, Implanted Wireless Communicating Devices

Books sold by Amazon that might be of interest in this series

New Frontiers in Medical Device Technology

MEMS and Nanotechnology-Based Sensors and Devices for Communications, Medical and Aerospace Applications
 

Market Research Report Available: Remote & Wireless Patient Monitoring Markets

A new market research report has just been made available that discusses the market and investment potential of remote and wireless monitoring of patients.  I do not endorse this study or suggest it's purchase.  I am making it's existence known.

Here's a list of some of disorders covered by the study:

• Asthma
• COPD
• CHF
• CHD 
• Diabetes 

Here are a few quotes from the press release:

Patient monitoring systems are emerging in response to increased healthcare needs of an aging population, new wireless technologies, better video and monitoring technologies, decreasing healthcare resources, an emphasis on reducing hospital days, and proven cost-effectiveness.

Of these new high-tech patient monitoring systems, nearly all focus on some form of wireless or remote patient monitoring. ...

...  the following companies are profiled in detail in this report:

• Abbott Laboratories, Inc
• Aerotel Medical Systems
• GE Healthcare
• Honeywell HomMed LLC
• Intel Corporation
• Philips Medical Systems
• Roche Diagnostics Corporation

Here's the link to the press release and links to purchasing this study: http://www.marketresearch.com/product/display.asp?productid=2645944&g=1

 

Article: Investments in Real Time Medical Monitoring

This is an article targeted to the investment community regarding investment in real time medical monitoring.  I do not endorse anything in this article.  However I do find it interesting.  I do not know the track record of this publication.  Nevertheless, here a link to the article: http://www.onemedplace.com/blog/archives/4878

Medtronic Remote Monitoring Study: CONNECT

At the American College of Cardiology 59th annual conference George H. Crossley, MD presented evidence that cardiac patient from remote monitoring (one scheduled in-office visit per year with remote monitoring) verses standard in-office care (four in-office visits per year) cuts the time between the time a cardiac or device related event occurs and when a treatment decision is made.

The title of the study: "The clinical evaluation of the remote notification to reduce time to clinical decision (CONNECT) Trial: The value of remote monitoring."

I present a summary of the method and the results of the study gleaned from the slides presented by Dr. Crossley at the conference.

Hypothesis

Tested hypothesis: Remote monitoring with automatic clinician notifications reduces the time from a cardiac or device event to a clinical decision.

Additionally investigated were rates utilization of the health care system including hospitalization and between treatment groups.

Method

Study participants:  1997 newly implanted CRT-D and DR-ICD patients from 136 US centers were randomly assigned to one of two groups. The first group had 1014 patients assigned to the remotely monitored group and the second had 983 patients assigned to the standard in-office care group. The patients were reasonably well matched for age and gender characteristics.  (A procedure similar to the Biotronik TRUST studies.)

The patients were followed for 12 months.  (On first reading, I found the the time relatively short in that I would not expect enough differentiating events would occur during that time.  However, on further reading, I believe my first impression was incorrect.)

Findings

Time from Event to Clinical Decision

The median time (used nonparametric inferential statistics for the analysis) from the cardiac or device event to clinical decision was 4.6 days in the remote group and 22 days in the in office group. This difference was significant.  The remote group involved 172 patient while the in-office group involved 145 patients.

The cardiac/device events included:

• Atrial Tachycardia/Fibrillation (AT/AF) for 12 hours or more
• Fast Ventricular rate. Of at least 120 beats per minute during at least a 6 hour AT/AFT event
• At least two shocks delivered in an episode
• Lead impedance out of range
• All therapies in a specific zone were exhausted for an episode
• Ventricular Fibrillation detection/therapy off
• Low battery

Total number of events Remote group: 575 and In-office group: 391.  The slides show the breakdowns.

Office Visits

The number of office visits per patient reported are shown below.

                        Scheduled     Unscheduled      All office

Remote group:     1.68              2.24              3.92

In-office group:    4.33              1.94              6.27

The TRUST studies showed a slight increase of more unscheduled visits for the remote group. However, given the nature of the study and that remotely monitored patients would receive only one in-office visit per year, it's remarkable how similar the numbers between the two groups are.

Utilization of the Health Care System

Number of incidents where patients used the health care system show virtually no difference, hospitalization or emergency room. 

However, a remarkable difference was the significant difference in length of stay when there was a hospitalization. The remote group had a mean hospital stay of 3.3 days while the in-office group was 4.0 days with an estimated savings per hospitalization of $1659.

Conclusion

The CONNECT and (Biotronik) TRUST studies show clear benefits from a number of standpoints for remote monitoring.  In addition, the CONNECT study showed clear cost and hospital resource utilization benefits from remote monitoring in that hospitalized patients had shorter stays indicating that they were in better shape than patients in the in-office group when admitted to the hospital.  Quick responses seem to lead to better outcomes as well as cost reductions.

Here is the link to Medtronic's press release of the study: http://wwwp.medtronic.com/Newsroom/NewsReleaseDetails.do?itemId=1268659150410&lang=en_US

Here is another link to an article on the study that includes a link to Dr. Crossley's slides: http://www.cmio.net/index.php?option=com_articles&view=article&id=21235:acc-remote-monitoring-shortens-event-response-time-reduces-hospital-costs

Additional resources

Reimbursement for Remote Patient Monitoring in the United States- Regulatory Antennae Picking Up Demand Signals 

Remote ICD monitoring speeds diagnosis of arrhythmias.(CARDIOVASCULAR MEDICINE)(implantable cardioverter defibrillators)(Report): An article from: Internal Medicine News

Why the Moniker "RemoteProgrammerGuru?"

For those who have wondered ... there is a story behind why I use the moniker, "RemoteProgrammerGuru."  Any identity that has as part of the name, "guru" could be considered more than a little ostentations.  Here's the definition as provided by Wikipedia:http://en.wikipedia.org/wiki/Guru.

The definition describes someone with "supreme knowledge."  Fortunately for me, the term in India is synomous with "teacher."  For me, the "term" teacher was more appropriate and the role of a teacher came as a surprise.

I was part of a project where remote programming was the technical centerpiece of a proposed solution.  Frankly, I was new to remote programming for medical devices ... as are most.  However, I have a rich telecommunications background including expertise in wireless communications.  (I was the principal investigator on two federally funded telecommunications research grants.)  I know the technologies and I know how things work. 

As it turned out, I knew more about telecommunications than my colleagues who had been working in remote programming for longer than I ... much more.  And I started teaching them, about communications and about remote programming and necessary processes to insure communication integrity.  In effect, I became a "guru," a teacher.

Finally, since remote programming when designed and implimented correctly, involves sophisticated monitoring, I decided to incorporate the term "remote programmer" to represent someone who informs people about remote monitoring and programming.  Thus the moniker, "RemoteProgrammerGuru" was created.

Article: Wireless Remote Monitoring Prevents Complications of Chronic Diseases

An interesting article about the benefits of remote monitoring in the care of patients with chronic diseases from the Press of Atlantic City, 8 March 2010.  Here's the link to the article:  http://www.pressofatlanticcity.com/life/monday_health/article_1333e585-e3a6-5ba8-a411-75530f6b63cf.html

Quotes from the article:

Improving management

By early 2012, Americans will use about 15 million wireless health-monitoring devices, according to a forecast from ABI Research, which tracks mobile-technology trends. The mobile health market is projected to more than triple to $9.6 billion in 2012 from $2.7 billion in 2007, according to study from Kalorama Information Inc

[T]he first pilot project in the nation to assess whether the use of remote digital devices with data sent over the Internet to a doctor's office improved management of multiple chronic diseases - diabetes, heart disease and high blood pressure, also known as hypertension. 

Diabetics and hypertensive patients increased the number of days between appointments by 71 percent and 26 percent respectively ...
"One of the great promises of wireless (health) is making it a part of the patient's daily life, not an interruption to what they're doing every day," ...

From personal experience I believe the last sentence I quoted is among the most important in the article.  The entire process should be so smooth, so automated, so uncomplicated and unintrusive that the patient's life is uninterrupted and that the data is seamlessly collected and sent to the patient's caregiver.

Two other items to note.  The first is a brief discussion of the sensors connected to the patient's body.  They mention band-aid size electrodes.  I am not sure if these are the "digital plaster" that I've discussed in an earlier article.  http://medicalremoteprogramming.blogspot.com/2009/11/digital-plaster.html
Or something else.  I do not know, but it would be interesting to find out.  If I have any informational, I'll post it.  If you have any information, please enlighten us with a comment.

The second issue of note is the discussion in the article regarding payment, and who will do it.  Given the convoluted nature of our system of payments, this will be the most difficult issue to resolve, I believe.  It's ironic considering that remote monitoring saves money.   I think the technical issues will be minor in comparison.  I hope I am proved wrong.

Human Factors Issues in Remote Monitoring and Remote Programming

Series Overview and Background
 
Human factors issues related to remote monitoring and remote programming (remote patient care) will predominate in my postings over the next several months.  If I learned anything while working at St. Jude Medical, I learned the value of human factors engineering in relationship to remote monitoring systems.  Before I discuss what I learned, I want cover a few issues regarding remote patient care.

If you talk to a device clinic clinician, that person will have few difficulties in communicating to you the value of remote monitoring technology.  I heard stories from cardiologists that before remote monitoring technology was in place that device nurses would have to telephone device patients.  The emotional strain on the nurses was so great that device nurses would burn-out in two years.  

Remote monitoring provides a service to patients and their caregivers.  Most patients do not want to come to the device clinic and caregivers would rather that they did not.  Remote monitoring lengthens the time between clinic appointments.  Furthermore, remote monitoring can detect signs of potential problems much earlier than a visit to the clinic.  Remote monitoring can keep patients out of emergency rooms and can provide patients with a better quality of life.  Finally, remote monitoring can lower the cost of care while improving it.


Among the medical trail blazers, there is an interest in remote programming.  The ability to remotely make changes in the operation of a medical device could enable caregivers to be more proactive and provide patients with care where ever they are located, rather than just in the clinic.  This capability significantly lowers barriers and limitations on patients and their caregivers.  Patients can lead more free and independent lives and less tethered to clinic appointments.


Sounds wonderful, doesn't it?  Remote patient care technology does provide the underlayment, the enabling capability.  However, remote patient care system cannot be limited to the technology.  From my perspective working at St. Jude Medical, roles of caregivers and patients have been under valued, misunderstood or neglected in the development of systems to provide remote patient care.  I cannot speak for other medical device manufacturers.  I can say, because this is public information, that St. Jude Medical's remote monitoring system has come under fire because of issues related specifically to the performance and design of the user interface of their remote monitoring system.  

I am not singling-out St. Jude Medical regarding the design and implementation of their remote monitoring system.  St. Jude Medical implemented a beneficial and desired medical system.  However, it appears that they failed to understand two essential elements who are just as essential to the remote care system as the hardware and software.  Thus the current state of St. Jude Medical's remote monitoring system serves as a starting point for the articles that will follow this one.


My next two articles will focus on the new AAMI/ANSI standard HE75 due to be officially released in April 2010.  I cannot quote from the document at this time, however, I can say that HE75 is founded on the basic foundations of human factors. Thus, from that standpoint, there is nothing new about what is contained in HE75. I know several people on the HE75 committee and I can say that they are consumate human factors professionals, and dedicated to the profession. 


I can also say that should the FDA adopt this document (and all expectations are that the FDA will adopt it), the relatively lax approach that FDA approach to usability and human factors will come to an end.  There is a massive body of literature that documents the massive number of injuries and deaths from medical errors, and some of those medical errors can be traced back to poor device designs.  It may well be that the FDA will believe that it is time to "crack down" on poorly designed medical system user interfaces.  Furthermore, medical systems are becoming increasingly more powerful and complicated, thus the capability to do injury to patient will increase.  Thus, the need to insure that medical devices and their user interfaces will meet specific and unambiguous performance standards before being approved by the FDA.


I plan to focus specifically on medical devices related to remote patient care in this blog.  However, I may stray from time to time when there is something that seems particularly relevant or interesting.


I shall not discuss anything regarding future St. Jude Medical products or services in this blog.  However, I can discuss some of the issues I faced in general terms to illustrate points.  I suspect that the experiences I relate will resonate with others.


Next time: Human factors in the research and development of medical devices.

Development of BANS Expected to Accelerate

For those not in the "know," BANs is an acronym for Body Area Network.  It is a technology to capture and transmit body-related telemetry.  The National Institute of Standards and Technology (NIST) has granted the Center for Wireless Information Network Studies at Worcester Polytechnic Institute (WPI) Worcester, MA, $1.2 million over three years to advance BANs technology.  The research will focus on the propagation of radio waves around and through the human body. This could have real potential for the development of robust communications standards to enable medical devices to send and receive data and instructions over wireless networks.  This research is something to watch.

http://medicaldesign.com/engineering-prototyping/research-development/development-bans-expected-accelerate-032210/

Receiving a NIST grant is a significant achievement.  I was the Principal Investigator on a $2 million, two year grant to Rosetta-Wireless.  The NIST vetting process is arduous, but the grants generally fall into the seven figure range over two to three years.  I know that wireless data communication is an important area of interest to NIST particularly as it relates to medical applications, more specifically into the areas of wireless medical monitoring and remote programming.  I know that NIST has continued hopes for a medical application of the technology that my company, my research and development team created.

For those who have an interest in BANs, one of the technical problems is getting the data collected by BANs back to a location where medical professionals can review and evaluate it. And, if need be, make changes remotely in the operation of the implanted medical system (e. g., pacemaker, ICD, insulin pump, etc.).  If you review some of my earlier posts, you'll note that I have described methods to transport data and instructions over the commercial wireless network from and to a patient's implanted medical device. 

I shall continue to bring to light any further developments in BANs.

Revamping the Revenue Generation Model in the Medical Device Industry

My fourth posting on this blog on 29 September 2009 was part of a multi-part examination of Medtronic's remote programming patent (US Patent # 7,565,197 that was granted in 21 July 2009).  I suggested that the patent patent implied two directions in the development of medical devices:

1. The development of a single, common hardware platform based on a generalized processor, similar to TI's low power processor. (Add urls).
2. Medtronic device capabilities would be defined primarily by software.  Furthermore, the patent defines a capability for software to be downloaded to a device, thus defining the capability for updating the software on the device.

We've learned that there are technologies in development that could significantly increase the battery life of devices: maybe at some point eliminating the need for battery replacement all together.

Today, physicians, hospitals and device manufacturers receive the bulk of their payment when a device is implanted or replaced.  Thus, the current business model of device manufacturers relies on primarily on product such as an ICD or CRT and leads.


However, the Medtronic patent suggests the possibility, maybe even the likelihood of strategic shift from a product to a licensing business model. This would suggest a business similar to software companies who charge a flat or yearly fee for the use of software.  Instead of a replacement, the patient receives a software upgrade and the device company receives payment for the software upgrade.  This is one step removed from a pure product to a service-oriented model, but it still treats the software as a product.  Nevertheless, it provides flexibility to the medical device company in that revenue comes less tied to the sale of objects, and more tied to the services provided to the customer.


An even more innovative approach and more in-line with a service-oriented business model would be to have the software redefine the capabilities of the device itself while implanted in the patient.  For example, upgrade an ICD to a CRT-D by changing software.  I do not know the technical, implantation or leads-related issues of doing this, however, from a software standpoint, there should be nothing stopping a device manufacturer who has taken the common hardware design approach.

A pure service-oriented model would change on the basis for the services provided.  Since I'm a technologist and not an MBA who has worked in the device industry for decades, I cannot define all the possible revenue-producing services medical devices with remote monitoring and remote programming could provide device companies.  I can say that the services that medical device companies can provide medical care providers and their patients is becoming less and less tied to the devices themselves. So a more service-oriented perspective in the medical device industry seems warranted.  

It seems apparent that for medical device companies to expand their services and patient-care and management capabilities with information-based services over the communications infrastructure, they are going to have to change the way they receive revenue.  The current business model and means of generating revenue does not provide incentives to companies to expand into information based services given the current product-based revenue model currently in use.  I suspect that in a relatively short time, Medtronic will propose a new revenue model.  I shall be watching for the signs.