FTC on Consumer Health Device RisksReport Outlines Privacy, Security Concerns and Best Practices
As the use of wearable fitness devices, health applications and interconnected medical devices expands, organizations need to take steps to protect the privacy and security of consumer data that these products collect, store and transmit, the Federal Trade Commission says.
A new FTC report, Internet of Things: Privacy & Security In a Connected World, details the privacy and security concerns posed by Web-enabled consumer gadgets ranging from household appliances and automobiles, to health-monitoring and fitness devices.
The report, which focuses on products that are used or sold to consumers, also outlines best practices to address those privacy and security risks, as well as legislative issues that need to be assessed by Congress.
"Unfortunately while this is a well-articulated FTC report and does a good job of summarizing the issue, in 2015 - nine years after these devices became a concern - we are no closer to an answer, and as the report points out, the [privacy and security issues of] the Internet of Things will just get worse," says Mac McMillan, CEO of security consulting firm CynergisTek.
The FTC report notes that while gadgets such as consumer fitness devices offer the potential for improved health-monitoring,"interconnected devices raise numerous privacy and security concerns that could undermine consumer confidence."
Among the security risks these devices pose are enabling unauthorized access and misuse of personal information for ID theft, fraud, and other crimes; facilitating attacks on other systems; and creating consumer safety risks.
Privacy risks posed by these devices involve "the direct collection of sensitive personal information, such as precise geolocation, financial account numbers or health information," the report notes.
"Unauthorized access to data collected by fitness and other devices that track consumers' location over time could endanger consumers' physical safety," the FTC says. "If a pacemaker is not properly secured, the concern is not merely that health information could be compromised, but also that a person wearing it could be seriously harmed."
Many of the privacy and security risks posed by these devices exist with traditional computers and computer networks, but "they are heightened in the IoT," the FTC says.
The FTC identifies several best practices that makers of these consumer devices should consider to mitigate the potential security and privacy risks, including:
- Build security into devices at the outset, rather than as an "afterthought" in the design process;
- Train employees about the importance of security and ensuring that security is appropriately managed;
- Implement a "defense-in-depth" strategy using multiple layers of security to defend against a particular risk;
- Consider measures to keep unauthorized users from accessing a consumer's device, data or personal information stored on the network;
- Limit the collection of consumer data to a minimum, and retain that information only for a set period of time - not indefinitely;
- Monitor connected devices throughout their expected life cycle, and provide security patches to cover known risks whenever feasible;
In addition to the measures that manufacturers should take to address the privacy and security issues involving IoT, including health-related devices, the FTC says it is renewing its call for "broad-based privacy legislation that is both flexible and technology-neutral" and also "strong" data and breach notification legislation. "However, any Internet of Things-specific legislation would be premature at this point in time given the rapidly evolving nature of the technology."
The FTC also notes gaps in current HIPAA regulations when it comes to health data generated by consumer wearable devices. The report notes that at a FTC Internet of Things workshop conducted in November 2013, participants discussed concerns that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by covered entities, such as healthcare providers or health insurance companies, and their business associates.
"Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it," FTC says. "Consistent standards would also level the playing field for businesses."
The FTC did not respond to an Information Security Media Group request for comment on the report.
Covered entities, such as hospitals or doctor offices, that are considering collecting and using data generated by wearable medical devices also need to take precautions to safeguard this data, McMillan notes.
"Healthcare entities should employ sound selection processes to understand the risks associated with the devices they intend to acquire or use before they buy them," he says. "They should seek those [devices] that are most secure as it relates to basic design factors such as operating system, patching, access controls, etc."
As for the patients, "consumers should ask a lot of questions, read the literature associated with a device, and do their research before buying," McMillan says. "If receiving a device from a medical practitioner, ask them questions regarding how privacy and security of their data will be addressed. Try to make informed decisions."
Some of the best practices that the FTC recommends for makers of consumer wearable devices are similar to the voluntary guidelines that the Food and Drug Administration issued last year to manufacturers of medical devices, including interconnected devices used in clinical settings.
The FDA also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software when they seek FDA pre-market review for their products.
In addition, the FDA and some industry organizations, such as the Medical Device Innovation Safety and Security Consortium, are also urging healthcare entities to seek out cybersecurity information from their medical device manufacturers before they purchase products (see Medical Devices: Assessing Security).
Steph Warren, CIO of the Department of Veterans Affairs, says that among the VA's cybersecurity best practices, the VA works closely with the manufacturers of the 50,000 medical devices used at VA health facilities to ensure that software patches and upgrades are available and implemented. "Our best recourse is to replace the medical device if we can't patch it," he told reporters during a recent press briefing.