Internet of Medical Things – exciting innovation with potential security risk

The “Internet of Things” (IoT) – the network of devices interconnected with each other via the Internet and other networks – is constantly expanding. These connected devices include medical devices with connectivity capability which form the so-called “Internet of Medical Things”, or IoMT. Examples include everyday wearable activity trackers, hospital bed sensors, centralised storage of medical imaging data and even implanted devices such as automated insulin pumps. The IoMT is expected to grow rapidly over the coming years, with increasing automation of patient tracking and remote treatment.

While this is an exciting area to watch in the medical technology field, a major concern with these IoMT devices is a potential lack of security and subsequent vulnerability to hacking. While you may not be overly concerned (although not happy!) if someone is able to see how many steps you’ve walked in a day, the idea that someone may be able to access a patient’s medical imaging files, or even hack into an implanted device, is enough to send a shiver down your spine. The NHS cyber-attack earlier this year has shown that potential security weaknesses are not something to be taken lightly and, indeed, the FDA has urged medical device manufacturers to “bake” security into their designs (see here) in order to prevent such vulnerability.

The final sentence of this report – “It’s much easier to bake it [security] in than to bolt it on as an afterthought” – highlights some IP issues that medical device manufacturers and software developers may need to consider. For example, can any proprietary security software developed for use with devices be protected by IP? One way of protecting software-based innovation is by copyright in the underlying software code. However, copyright only protects the expression of the code itself, and if a third party produces the same resultant effect via independently developed software, then copyright does not provide protection.

On the other hand, patents can provide such protection for a novel and inventive technical effect underpinned by software code even if a third party independently arrives at the same effect, and are therefore a powerful form of protection. There is a common misconception that it is not possible to patent a software-based innovation. On the contrary, UK and European patent law states that computer programs are only excluded from patentability “as such”. This key phrase allows software-based inventions to be patented if they can be demonstrated to have a “technical effect” beyond implementing software code on a computer. In the field of medical device security, such a technical effect could be exhibited, for example, in secure data transfer, biometric sensing or an effect on the operation of an implanted device. Of course, once a patent application has overcome the hurdle of providing “technicality”, it must be novel and inventive over the state of the art.

Therefore, although not necessarily straightforward, patent protection in the field of medical device security should certainly not be ruled out simply due to the fact that it is based on software. With the continuing growth of the IoMT and the associated security considerations, medical device manufacturers and software developers may wish to consider pursuing patent protection for any proprietary security innovations.

If you would like further advice on this matter, please get in touch on +44 (0)20 7655 8500 or via gje@gje.com.