Mobile mHealth devices present prolific opportunities across the board. However, it could be just a matter of time before a public data breach that rocks the industry – such as a massive identity theft or large-scale insurance fraud, reports Arif Mohamed for M2M Now.
As the market for mHealth devices grows, so will the potential threat. According to Juniper Research, in just five years there’ll be more than 100 million smart watches in use worldwide. Also, mHealth interfaces, like Apple’s HealthKit and Samsung’s SAMI, are forecast to help propel the global healthcare accessory market to US$3bn by 2019.
As an indicator, the US Food and Drug Administration (FDA) recently warned medical device manufacturers and healthcare
professionals to protect their equipment against ‘cyber-security vulnerabilities and incidents.’
Equipment includes network-connected pacemakers and defibrillators, the cybersabotage of which would have unimaginable
consequences. A more widespread concern is that health apps collect personal information that could be shared with third parties or, worse still, stolen by criminals.
This could lead to targeted advertising at best, or at worst: identity theft, declined insurance, or employment discrimination. A malicious attack could, in theory, reveal where the patient is located, plus their regular daily movements, how they feel, and even how and when to get into their house, one industry observer commented.
In the case of an mHealth data breach, the biggest casualty will be consumer trust. Gareth Tolerton, CTO at TotalMobile, a
provider of mHealth solutions, believes that “there will be a backlash.” He also said that consumers and medical practitioners need to feel confident that the technology is clinically certified and secure.
But where does the responsibility lie to secure mHealth apps, devices, assets, and users? Some commentators feel that the end user should be responsible for their own data usage. “If I’m using a device to capture my health data, it’s my choice. The consumer has a responsibility,” noted Tolerton.
User education
Mark Hall, public sector director at Redcentric, agrees. Redcentric is a cloud service provider to N3, the UK National Health Service’s secure network. Hall said: “Since mHealth is concerned with the use of mobile to deliver health services, security lapses tend to occur due to user indifference or lack of education. It’s here that security is at its weakest
“Users need to understand the potential risk to their data however their chosen application providers transmit it; how they process it, and where it goes. Users also need to ensure that they educate themselves on how data can be easily shared in error using new applications and services such as Apple HealthKit,” he added.
Other experts believe the app and device makers are the ones most responsible for customer data security. Paco Hope, principal
consultant at app security firm Cigital, said: “The responsibility lies squarely with software makers. If they do not build a feature or a security control, the user cannot do it themselves.”
“The right answer is to give users clearly explained controls that cannot be overridden by the apps or the firms,” said Hope. He recommends securing data in transit using Transport Layer Security encryption correctly. “No
one suffers if data is encrypted unnecessarily. There is always risk that unencrypted data can be used in ways we didn’t anticipate when we decided not to encrypt it.”
Regulation control
Data encryption certainly lies within the scope of the app, device or network service provider, rather than the end user. However, experts agree that action is needed at all levels to mitigate the risk of a data breach. Catalin Cosoi, chief security strategist at Bitdefender, said that businesses, app developers, security vendors, privacy regulators, healthcare organisations, and patients should be working together to assess risks, prevent healthcare data loss, meet legal requirements, and secure IT infrastructures.
Cosoi added that privacy regulators need to play their part in creating new laws with tougher penalties for data loss incidents to
ensure compliance by hospitals and healthcare organisations.
The main security threats will come at the point where the devices and apps offload the data they collect to a smartphone, via a
Bluetooth or WiFi connection, Cosoi said. “This makes them vulnerable to identity theft, unintentional data leaks, traffic sniffing and man-in-the-middle attacks.”
End-to-end data encryption is the answer, securing data during transmission, with proper authentication and encryption protocols at both ends of a communication channel.
Data policy
Regarding Bluetooth, Steve Hegenderfer is director of developer programs at Bluetooth SIG – the body responsible for developing the wireless standard. He said that the connectivity technologies used in mHealth Bluetooth have all the tools to build a very secure solution. “For example, any actual personal data being sent by a Bluetooth Smart-enabled device uses AES-128 CCM cryptography to provide strong encryption and authentication of data packets.”
Hegenderfer argues that the issue is more one of data policy, and cited Apple recently posting privacy policy rules for developers working with its HealthKit platform.
“These rules, which ban developers from selling data obtained from apps within the platform to third parties, prove that Apple is trying to proactively change the conversation and get out ahead of this,” said Hegenderfer. He added that other major players such as FitBit are now doing this as well from a ‘health & wellness’ device perspective.
Setting the right policies is a step forward, but the question remains as to whether mHealth devices will come under the ruling of national and federal bodies, such as the US Federal Trade Commission. But
Hegenderfer also noted that: “Too much regulation however, can potentially stunt the growth of this industry. mHealth can provide consumers with so much value that it would be a waste for it to be legislated away.”
Two industry bodies that can help with mHealth data security standards and best practices are Workgroup for Electronic Data Exchange (WEDI), and the Healthcare Enterprise (IHE), suggested Tushar Bhatnagar, project manager, Digital Healthcare Solutions at IT services firm Tech Mahindra.
He commented: “The healthcare industry is witnessing an explosion in mobile based healthcare applications. Clinicians are using smart devices for monitoring patient data but unlike other industries, such as banking, the standards are yet to be embraced across the industry.”
It’s uncertain whether or not the industry will be able to avoid a headline-grabbing mHealth data breach. Yet, with the right security, data standards, policies and end-user practices in place, we can but try.