What could possibly go wrong when drug companies embed into a pill, so that after you swallow it connects to a smartphone app and then sends data over the internet?
The question is urgent as the United States Food and Drug Administration (FDA) this week approved a thing-in-a-pill, in the form of an antipsychotic called aripiprazole and branded "Abilify MyCite". The pill contains a sensor that informs doctors if their patients have taken their medicine.
From a patient care point of view, this is defensible. As the FDA's approval announcement stated, the drug treats: “schizophrenia, acute treatment of manic and mixed episodes associated with bipolar I disorder and for use as an add-on treatment for depression in adults”. Failing to take the drug is risky for those to whom it is prescribed.
But there are also risks with the pill's operation, which the FDA described as follows:
“The system works by sending a message from the pill’s sensor to a wearable patch. The patch transmits the information to a mobile application so that patients can track the ingestion of the medication on their smart phone. Patients can also permit their caregivers and physician to access the information through a web-based portal.”
The wearable patch records when the tablet was taken, “as well as certain physiological data such as activity level”, which it passes to the smartphone app.
The app can record more than that, if patients desire. Data can be collected on mood and rest, and the app also lets the patient who can view the data (up to four others, who might be family members as well as the doctor). Those individuals also get access to the Web dashboard, with the patient's consent.
That's a lot of moving parts and suggests attack vectors like:
- A Bluetooth channel between the patch and the phone;
- Accessing local data storage, if there is any;
- Intercepting internet communications from the app to the back-end systems;
- Attacking the portal to access the database that almost-certainly resides behind the web server.
El Reg found itself more than a little surprised that infosec issues aren't specifically raised by the FDA's approval announcement, given the agency's long involvement in the case of Abbott Pharmaceuticals' hackable pacemakers (there are apparently plenty more pacemakers needing work).
As recently as October, the FDA restated how it viewed its role in cyber-security, calling on the industry to take “a total product lifecycle approach, starting at the product design phase when we build in security to help foil potential risks, followed by having a plan in place for managing any risks that might emerge, and planning for how to reduce the likelihood of future risks."
Yet despite the obvious risks the device poses, and criticism of breaches possibly leaking patient data to insureers, the FDA's approval doesn't touch on security. It does, at least, include a caveat that there's no guarantee the sensor will operate perfectly.
But as the approval specifically addresses Abilify MyCite's patch, app, and portal - the drug it carries was approved for schizophrenia treatment in 2002, and the ingestible sensor was first approved in 2012 - the lack of security considerations seems out of kilter.
The Register asked Proteus Digital Health to detail the device's security, but at the time of writing had not received a response to our e-mail. ®
Sponsored: Ransomware has gone nuclear