Endpoint Security , Governance & Risk Management , Healthcare
The Privacy, Security Risks of Connected Health DevicesAttorney Justin S. Daniels and Privacy Consultant Jodi R. Daniels Discuss IoT Concerns
Connected health devices - ranging from health gadgets and applications used by consumers to IoT devices used in healthcare settings - raise numerous security and privacy issues that must be addressed, according to attorney Justin S. Daniels and consultant Jodi R. Daniels.
"Too many healthcare organizations use legacy infrastructures - and I mean legacy, like, circa 2005 or 2003," Justin Daniels says. "Think about hooking up IoT devices to those kinds of infrastructures. They are so old that if you have a ransomware event, passwords are hard-coded. How do you update that? How do you get endpoint detection software to integrate with something so old? The answer is: You can't," he says in an interview with Information Security Media Group.
"One of the big issues you have in healthcare from the connection standpoint of IoT devices is that so many of them continue to run with all of this legacy infrastructure … and that it is a ransomware event waiting to happen," he says.
In terms of connected health devices used by consumers, depending upon the kinds of data generated by these IoT products, sensitive data may or may not fall under the protection of various privacy laws, says Jodi R. Daniels.
Manufacturers of these devices should be clear with consumers about whether the individuals can choose to share - or not to share - various data, she says. As a user, "maybe I'm not comfortable sharing all of the data that a company would like to collect. ... But give me choices," she says.
In this joint interview (see audio link below photo), the attorney and the consultant, who are husband and wife, also discuss:
- A recent security research report from McAfee warning of a vulnerability that could have allowed attackers to spy on users of Peloton internet-connected exercise bikes and treadmills;
- The high cost of remediating a health data breach;
- Emerging privacy and security concerns involving the growing use of drones.
The Daniels co-host a podcast, "She Said Privacy/He Said Security."
Jodi R. Daniels is founder and CEO of Red Clover Advisors, a privacy consultancy that helps achieve regulatory and legal compliance.
Justin S. Daniels is a cybersecurity attorney at law firm Baker Donelson. He leads the firm's breach incident response teams on ransomware and wire fraud cases in sectors that include medical IT, healthcare SaaS, logistics and manufacturing.