by Waqaas Al-Siddiq
The intersection of medical technology and the Internet of Things (IoT) signifies a revolution in the way healthcare is practiced and delivered today. IoT connected devices, such as cell phones and medical grade wearables, have emerged as an optimal means of facilitating ubiquitous connectivity. Connected devices constantly transmit real-time data to the Cloud for integration, aggregation, and analytics before sending results back as needed.
IoT connected devices like medical wearables, which constantly stream personally identifiable information (PII) and personal health records (PHI) to the Cloud, inevitably place patient identity and data at risk. While transmitting and storing information on the Cloud brings many benefits, health networks and patients are confronted with an increasingly complicated security landscape. A 2016 ransomware attack on a Los Angeles hospital disabled the institution’s computer system until a ransom, eventually totaling $17,000, was paid.
The threat of a ransomware attack lies in the repercussions of holding hospital data and systems for ransom; not only will efficiency and capital be lost but critical resources for keeping patients alive will be withheld for a price. A few months ago, Equifax, one of the nation’s largest credit reporting companies, announced that it had experienced a massive cloud data breach—raising the risk of identity theft for 143 million U.S. customers. The Cloud presents more opportunities for security breaches because it is not a physical thing; it is a network of servers. Before the advent of the Cloud, typical ways to illicitly acquire data would be to steal the hardware (i.e. computer) on which it was stored, compromise a user and gain password access, or infiltrate the organization.
The Current Security Landscape
Any approach to address security risks inherent in IoT connected devices must first and foremost banish the premise that there is an ultimate, fail-proof method to protect against a breach. Rather, security should be approached through the concept of risk mitigation or by implementing security methods that make infiltration incredibly difficult and costly. Government bodies and standards like the U.S. Department of Homeland Security (DHS) and the Health Insurance Portability and Accountability Act (HIPAA) have tried to address some of these concerns.
The DHS recently outlined six principles for securing the IoT. First on the list: incorporating security at the design phase. They recognized that manufacturers rush to release new products ahead of competitors, overlooking security issues in the process. Even before agentive, user-driven security measures enter discussion, hospitals and patients should be wary of purchasing devices which lack embedded security features.
HIPAA expands on these technical safeguards and best practices for protecting sensitive patient data by stating any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. While HIPAA does not require specific technology solutions, healthcare organizations must determine both reasonable and appropriate security measures for their own needs and practices. The U.S. Department of Health and Human Services (HHS) outlines four main areas for healthcare organizations to consider when implementing HIPAA safeguards: access control, audit controls, integrity controls, and transmission security. Several examples of HIPAA recommended technical safeguards are anti-virus software, authentication, data encryption, and de-identification of data.
A principle of least privilege (POLP) approach to IoT device deployment could help reduce risk by restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Forrester Research estimates that 80 percent of today’s security breaches involve privileged credentials. Most systems, applications, and databases have an administrative username and password. Administrative access grants more permissions and rights to users, and more access to valuable data. Healthcare providers can practice privileged identity management (PIM) by limiting the number of users who have administrative access to PII and PHI, and restricting both the sharing of passwords and shared functional accounts between users.
Dual advancements in both government and technology manufacturing guidance is providing directives for a new generation of IoT enabled medical technology that is better equipped to protect patient data and wider health networks. The FDA recently released its Postmarket Management of Cybersecurity of Medical Devices guidance, which includes a recommendation that medical device manufacturers and healthcare facilities take steps to ensure appropriate safeguards and frequently evaluate and update their network security to protect their IoT-enabled hospital systems.
The Case for a Layered Security Approach
The POLP approach, HIPAA, and both government and technology manufacturing directives are important because they set the framework for thinking about security risks that exist in the deployment of IoT connected medical devices. Taken singularly, however, no one security measure is entirely effective. Once an IoT connected device is implemented into a healthcare setting, multiple barriers to entry become critical. Healthcare providers should seek to mitigate security risks by creating layers of security at each stage of data collection, transmission, and storage to protect patient data and larger health networks.
Private access point names (APNs) as opposed to regular APN, create an important layer of security when people exchange data over a network. New generation remote patient monitoring (RPM) devices and smartphone health applications are increasingly relying on wireless communication to collect patient data, which inherently creates security risks because these devices typically use standard, public-facing APNs that connect to the Internet. Hackers can break into these devices by compromising them just as they do with PCs. Many of these health devices also have less built-in security in comparison to PCs. Ultimately, simply setting up a private APN will not provide surety against a security breach as it is still transmitted wirelessly, and unless encrypted, is susceptible to hacking.
Virtual private networks (VPNs) can be embedded within a private APN to add another layer of security. VPNs are designed specifically to allow users to transmit private information, such as electronic healthcare data, remotely and securely. VPNs are an extension of a private network that can be accessed through the public internet, and the connection can be made both within a physical location, such as a hospital, or remotely – which is key for employees who might need to access the network while travelling or working outside a physical location. They offer several additional benefits for healthcare, including scalability as thousands of users can connect to a VPN at the same time, lower cost, and easy sharing. The latter advantage is especially critical for a healthcare environment where sharing and receiving responses in a timely manner can speed up diagnosis and care delivery.
Layered encryption and compression could further protect the integrity of healthcare networks and patient data. Data encryption translates information into another form, or code, so that only people with access to a secret key or password can read it. Layered encryption takes this precaution one step further by scrambling an already encrypted message one or more times, using the same or a different algorithm. For example, data that is encrypted and then transmitted within a VPN is a form of layered encryption. Data compression, also known as source coding or bit-rate reduction, is the process of modifying, encoding, or converting the bits structure of data in such a way that it consumes less space on disk. A 2015 research study demonstrated that a combination of data compression and encryption increased the security of data transferred via the Internet.
A layered security approach can create enough barriers wherein hacking the system becomes complicated, labor-intensive, and expensive. Healthcare providers and technology companies can also minimize security risks by testing product data security features and enlisting third-party audits of security procedures. Medical wearables offer immeasurable benefits to the future of healthcare, helping to improve patient care while curbing healthcare expenditures and in-facility congestion. As IoT connected medical wearables reach new heights of scientific innovation, medical technology manufacturers and healthcare providers should try to implement and follow security procedures to protect patient data and health networks.
Waqaas Al-Siddiq is the founder and CEO of Biotricity.
