Are Web-Enabled Health Devices Risky?
Assessing the 'Internet of Health and Fitness Things'
Patients and healthcare providers need to recognize that consumer-grade, Web-enabled mobile health devices, such as fitness trackers and other gadgets that fall under the umbrella of the "Internet of Things," potentially can put personal information at risk, says Intel Security executive Greg Brown.
GPS-enabled fitness trackers and other devices "have access to our daily activities, potentially where we are in the world ... and rich information about our daily activities," Brown says in an interview with Information Security Media Group. On top of that, the information is being shared on social media sites and stored on "consumer-class cloud services," he notes.
A privacy and security concern is that the data on those sites is typically accessed through a username and password, he says. "We've had problems with management of traditional username and password systems in cloud environments. And one of the issues that really concerns me is that if you make the decision that you are going to put some sensitive information out into the cloud, be aware the information is only as secure as the access controls you put around them," he says.
Some of the information gathered from Web-enabled consumer health devices could prove desirable to criminals, Brown explains.
"We don't see this intense desire by the criminal hacker organizations to go after [this] healthcare information," he notes. But, for example, a criminal might review information stored in the cloud to determine an individual's ZIP code "to close out on a credit card they may have stolen somewhere else," he says. "The fact that these sites have rich information about you ... mining that information for theft in other financial systems is potentially what's going to cause the criminal hacking organizations to go after that infrastructure."
The new generation of Web-enabled devices can help clinicians to better understand, for example, the activity levels and sleep patterns of their patients, as well as gather important data, such as blood pressure readings, he says. "We've learned with health sciences that the more data we have the better we are at predicting the causes of illnesses. I see the opportunity as exciting."
But healthcare providers need to be aware that if they collect data from these devices, they have an obligation, under HIPAA, to keep that information private and secure.
Another legal question that hasn't been resolved yet involves whether a healthcare provider is liable under HIPAA if a device that a doctor recommends for a patient gets breached, he says.
"We have to make sure as we go through those innovation cycles of new classes of devices that we don't accidentally usurp traditional security controls that HIPAA developed around providing patient privacy and confidentiality," he says.
In the interview, Brown also discusses:
- Measures that patients should consider to protect their data privacy when using Web-enabled healthcare devices;
- How health data privacy and security fits into The Open Interconnect Consortium, a project in which Intel is partnering with other technology companies to deliver device-to-device connectivity requirements for the Internet of Things;
- The potential security and privacy impact of the recent IBM/Apple alliance for enterprise mobile computing in healthcare.
Brown is vice president and chief technology officer of cloud and Internet of Things at Intel Security, formerly known as McAfee. Brown has been involved with advances in network security technology, including integration with McAfee's systems and risk management product lines. He has 20 years of experience in the network security and telecommunications industry, working with hardware and software vendors and service providers. Brown has provided design consultant services for national IT security infrastructure programs on four continents.