Written by HITRUST Independent Security Journalist Sean Martin.
What are wearables used for? In many cases, for monitoring and recording health information. The sensor data and telemetry gathered by wearables like wristbands, smartphones and chest monitors are incredibly personal, and incredibly sensitive.
The possibility that hackers could access this information presents a real risk for consumers, wearables companies — and for the doctors and healthcare organizations that receive and analyze that data for their patients. Fortunately, we don’t yet know of any breach that has resulted in the theft of data collected from wearables. However, given that nearly every other type of data has been successfully stolen — from credit cards to social security numbers — it’s certainly only a matter of time.
Because wearables can be literally anywhere in the world, they present a different type of threat than data gathered by, say, hospital devices or medical labs. Why?
- In part, that is because the communications path between those wearables and the healthcare provider is long and spans multiple carriers and network types, such as home or public WiFi networks, cellular data links, and Internet service providers.
- In part, it’s because there are multiple intermediaries that could be receiving and forwarding that information — each of which might be susceptible to hacking or man-in-the-middle attacks.
- And in part, it’s because wearables are designed primarily for functionality, style, long battery life, ease of use, and low cost; security is less important than getting to market quickly.
Consider a typical wearables device. In the two sample scenarios below, HIPAA or other regulations may not apply until the data is received by the healthcare organization — until then, the information belongs to the patient. There may be compliance concerns, however, if the medical wearables are provided by a healthcare organization, or are offered by prescription. In any case, it is valuable to understand the full context not only for the information once it is received by the healthcare organization, but for the entire lifecycle of that data, from its origin at the remote sensor, through the communications path and intermediate cloud services, before it reaches the HIPAA-compliant organization.
- Smartwatch or wrist band with a heartbeat monitor. The data is collected by a smartphone app via Bluetooth, which transmits it to a cloud monitoring service over WiFi or cellular. That cloud service forwards the data to the patient’s doctor’s office, where it is treated like lab results. The service also creates reports for the patient herself, and can send alerts if heart rhythms exceed parameters set by the doctor after her pacemaker was inserted.
- Continuous glucose monitoring system for use by a Type 1 diabetic child, which has its own cellular data link. The data is received by a cloud service, which performs many functions, in addition to logging the data with the doctor’s office. The data is used to program an insulin pump; text the child’s school nurse or parents if his blood sugar gets too low and poses a risk for hypoglycemia; and is used in a study of diabetic children by a local university.
In both cases, there are many possible attack vectors: interception of Bluetooth; interception of WiFi data; malware on the smartphone itself; attack against the cloud service; attack against the doctor or health care provider. Again, your legal compliance responsibility may apply only to data once it reaches your organization — but it’s good to understand the entire end-to-end data chain in the event of a breach.
What can be done? End-to-end security must be designed into wearables that gather any sort of healthcare or medical information that would be protected by HIPAA or other compliance requirements. Cloud services used for medical data gathering, analysis and management must be rigorously protected against intrusion, and preferably certified against the HITRUST CSF, which encompasses HIPAA, PCI DSS, ISO 27001, COBIT, NIST and FTC requirements as well as state laws. Healthcare organizations can stay up to date against cyber threats using HITRUST Threat Briefings, and make sure their network defenses are strong and up to date.
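As an added illustration of the end-to-end principle applied to the sensor → phone app → cloud → doctor’s office chain in the scenarios above (this is example code, not from the article or from HITRUST): the wearable attaches an HMAC-SHA256 tag under a per-device key that only the device and the receiving healthcare organization hold, so a phone app or cloud hop that alters or replays a reading is detected at the destination. The device id, key provisioning and glucose readings are constructed assumptions.

```python
import hmac
import hashlib
import json
import os

# Constructed per-device key, provisioned out of band to the device and to the
# healthcare organization only; no intermediary (phone app, cloud) holds it.
DEVICE_KEYS = {"cgm-0001": os.urandom(32)}


def canonical(body):
    """Serialize the reading deterministically so sender and receiver tag the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, seq, glucose_mg_dl):
    """Sensor side: build the reading and attach an HMAC-SHA256 tag over it."""
    body = {"device_id": device_id, "seq": seq, "glucose_mg_dl": glucose_mg_dl}
    tag = hmac.new(DEVICE_KEYS[device_id], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_reading(packet, last_seq):
    """Receiving organization: recompute the tag and reject altered or replayed
    packets. Returns (accepted, reason)."""
    body = packet["body"]
    key = DEVICE_KEYS.get(body.get("device_id"))
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["tag"]):
        return False, "tag mismatch: payload altered in transit"
    if body["seq"] <= last_seq:
        return False, "replayed or out-of-order reading"
    return True, "ok"


def relay(packet, tamper=None):
    """Untrusted intermediary hop (phone app or cloud service). It forwards the
    packet; `tamper` simulates a compromised hop editing the clear-text body."""
    forwarded = json.loads(json.dumps(packet))  # re-serialize, as a real hop would
    if tamper:
        forwarded["body"].update(tamper)
    return forwarded


def run_chain(tamper_at_cloud=None):
    """Walk one reading through both hops and verify it at the doctor's office."""
    pkt = sign_reading("cgm-0001", seq=42, glucose_mg_dl=55)
    pkt = relay(pkt)                    # phone app hop
    pkt = relay(pkt, tamper_at_cloud)   # cloud service hop
    return verify_reading(pkt, last_seq=41)


if __name__ == "__main__":
    print(run_chain())                            # honest chain: accepted
    print(run_chain({"glucose_mg_dl": 110}))      # cloud hop rewrote a low reading
```

The tag gives integrity and origin authenticity only; confidentiality across the carriers and intermediaries still requires encryption of the payload, in addition to transport security on each hop.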
During the recent HITRUST 2016 conference, Pamela K. Arora, Senior Vice President and Chief Information Officer at Children’s Health and Roy R. Mellinger, Vice President IT Security and Chief Information Security Officer at Anthem offered some sound guidance for how to treat medical devices — namely wearables provided to the patient by a covered entity — leading with: First and foremost, treat your medical devices as part of your traditional IT infrastructure.
Also, from a device perspective, and in the context of an OCR Phase 2 audit, Michael Parisi, Director of Assurance at PwC offered a simple tip: the regulator accepts no excuses in this area when it comes to wearable devices owned by a covered entity—classify the devices and encrypt them.