US authorities swallow security-free script for pill that knows when you're off your meds

Sensor in pill, bluetooth patch on arm, app in phone ... and crossed fingers nothing leaks

By Richard Chirgwin


What could possibly go wrong when drug companies embed into a pill, so that after you swallow it connects to a smartphone app and then sends data over the internet?

The question is urgent as the United States Food and Drug Administration (FDA) this week approved a thing-in-a-pill, in the form of an antipsychotic called aripiprazole and branded "Abilify MyCite". The pill contains a sensor that informs doctors if their patients have taken their medicine.

From a patient care point of view, this is defensible. As the FDA's approval announcement stated, the drug treats: “schizophrenia, acute treatment of manic and mixed episodes associated with bipolar I disorder and for use as an add-on treatment for depression in adults”. Failing to take the drug is risky for those to whom it is prescribed.

But there are also risks with the pill's operation, which the FDA described as follows:

“The system works by sending a message from the pill’s sensor to a wearable patch. The patch transmits the information to a mobile application so that patients can track the ingestion of the medication on their smart phone. Patients can also permit their caregivers and physician to access the information through a web-based portal.”

The wearable patch records when the tablet was taken, “as well as certain physiological data such as activity level”, which it passes to the smartphone app.

The app can record more than that, if patients desire. Data can be collected on mood and rest, and the app also lets the patient who can view the data (up to four others, who might be family members as well as the doctor). Those individuals also get access to the Web dashboard, with the patient's consent.

That's a lot of moving parts and suggests attack vectors like:

El Reg found itself more than a little surprised that infosec issues aren't specifically raised by the FDA's approval announcement, given the agency's long involvement in the case of Abbott Pharmaceuticals' hackable pacemakers (there are apparently plenty more pacemakers needing work).

As recently as October, the FDA restated how it viewed its role in cyber-security, calling on the industry to take “a total product lifecycle approach, starting at the product design phase when we build in security to help foil potential risks, followed by having a plan in place for managing any risks that might emerge, and planning for how to reduce the likelihood of future risks."

Yet despite the obvious risks the device poses, and criticism of breaches possibly leaking patient data to insureers, the FDA's approval doesn't touch on security. It does, at least, include a caveat that there's no guarantee the sensor will operate perfectly.

But as the approval specifically addresses Abilify MyCite's patch, app, and portal - the drug it carries was approved for schizophrenia treatment in 2002, and the ingestible sensor was first approved in 2012 - the lack of security considerations seems out of kilter.

The Register asked Proteus Digital Health to detail the device's security, but at the time of writing had not received a response to our e-mail. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

MedSec's St Jude pacemaker hacks confirmed by pen-tester

Bishop Fox report says Merlin@Home vulns are real and deadly

St Jude sues short-selling MedSec over pacemaker 'hack' report

Defibrillator security saga will go to court

Castaway hacker guilty of sedating children's hospital computers

He'll almost certainly get more than a three-hour tour after DDoS strike on medics

Epyc move: Supermicro plunges into Cascade Lake’s Optanical waters

In brief Silicon Valley box slinger claims it's first on the block with Intel processor... which isn't out yet

Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs

Analysis Some sharks wear suits and ties

MedSec's 'hackable pacemaker' report autopsy: Bombshell crash claim in doubt

No conclusive evidence of bricked devices, say uni experts

Pacemaker maker St Jude faces new security flaw claims from biz short-selling its stock

This is not the way to get vulnerabilities fixed

Nutanix finds Waters flows away

New corporate marketing head joins hyper-converged box and software shifter

Waters named HPE boss on his 40th b'day

For absence of doubt, we mean birthday

South China waters are red, Brit warships are blue, HMS Sutherland's sailing there

And Queen Lizzie will too