Recently I spoke with Bloomberg Radio's “Taking Stock” about the security risks associated with internet connected healthcare devices – specifically the medical devices that are connecting to users' smartphones and home networks, which enables physicians to receive their patients' healthcare information directly without requiring them to come into their office.
While the increase in healthcare internet connectivity has many benefits - such as patients receiving treatment and diagnostics from doctors in real-time - by configuring medical devices to connect with mobile devices, external networks and cloud services, the attack surface for gaining access to them grows exponentially. This in turn greatly increases the risk of devices being compromised in addition to the confidential information they're transmitting and receiving.
The same holds true for the many new and innovative applications and devices people are using to improve their fitness, encourage weight loss or improve their health and well-being (such as FitBit or Apple's Healthkit).
Currently the FDA is taking a closer at medical device cybersecurity, and recently issued guidance to medical vendors, manufacturers, healthcare providers and hospitals about responsible mitigation methods and security procedures: http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/ConnectedHealth/u cm373213.htm
However, medical device cybersecurity policies and procedures are still in their early stages of development. Consumers should be taking an active role to ensure their own private data and healthcare information is being secured.
You have a right to know how information on these devices and applications is being collected, stored, shared and secured, particularly from the vendors, manufacturers and service providers who may have access to all of the aggregated data.
If you're considering using your smartphone for any type of health monitoring services, for personal use or with your doctor, consider asking these questions before making a decision:
- What type of security policies are in place to ensure my information is safeguarded and confidential?
- Where is this data being stored and who has access to it?
- What type of password protection, both at the device and data level, is currently being used?
- Do the device manufacturers or any other third-parties have access to this information?
- What are the encryption standards and levels being used to secure my data, both in transit and at rest?