Wearable Devices: Security Risks
Expert Offers Mitigation Advice for Healthcare Organizations
Before healthcare entities consider accepting data from consumers' wearable devices, they need to take appropriate security measures, says Verizon security expert Suzanne Widup.
These devices, such as Fitbit and Apple Watch, and related apps, raise potential data privacy concerns for the users. But they also potentially pose the risk of serving as a launching pad for attacks directed at healthcare entities, Widup says in an interview with Information Security Media Group.
For instance, some of the devices have applications that could potentially contain vulnerabilities, which could then become the jumping-off point for a cyber-attack, such as when data from the device is transmitted to a healthcare organization, she explains. "We are seeing attackers increasingly taking alternative means of getting in [to healthcare IT environments] because the direct methods are getting more secure and difficult to get through," she says.
"What we're seeing is that security is not being built into these devices - not just the wearables, but [also] anything that can be implanted," she warns. "So, until we see device manufacturers really getting on-board, putting security into their products from day one, we're going to see more and more issues with these things."
In fact, a new report by independent research firm AV-Test gave mixed reviews for security controls offered by nine fitness trackers.
Also, if a consumer transmits data from a wearable device to a healthcare entity, the organization is potentially liable under HIPAA to safeguard protected health information that's contained in the data (see Report Spells Out Medical Device Risks).
So, before organizations begin to collect data from wearable devices, they need to take several steps to safeguard their systems, Widup advises. That includes putting into place authentication controls to verify the identities of individuals sending data from these gadgets; assessing how data will be secured during transmission, including considering whether the data should be encrypted; and keeping up with updates in the devices' firmware as new vulnerabilities are discovered.
In the interview, Widup also discusses:
- How emerging Internet of Things wearable devices, such as consumer health and fitness wristbands, smart watches and smart eyeglasses (for example, Google Glass), potentially could play a role in healthcare;
- The patient privacy and security risks that could be posed by those devices;
- Emerging cyberthreats related to wearable devices as their use becomes more mainstream.
As a senior analyst at Verizon, Widup is a co-author of the company's Data Breach Investigations Research report. Prior to joining Verizon, Widup held security-related positions at several other organizations, including Pacific Gas and Electric Company, Safeway and Oracle. She is also president and a founding member of the Digital Forensics Association.