The Internet of Medical Things: Health Data Privacy

Note: This was written in early January for part of International Data Privacy Day and Iowa Data Privacy Day activities. It is just now being published due to some unforeseen delays.

Do you have any type of wearable health device, like a fitness tracker? Or maybe an implanted or attached medical device, like an insulin pump or pacemaker? If they connect with apps or other computers through wireless connections, they are most likely collecting and sending huge amounts of data. Have you considered all that data, and how it is secured and who is getting it?

In December I discussed how people truly do care about the privacy and privacy of their patient data. Since January 28 is International Data Privacy Day, I want to stay on this general topic, but turn the focus to all those wireless health devices that are emerging more quickly than anyone can catch up with in the Internet of Things (IoT).

Explosion of endless numbers of health devices

So how many health and medical devices are there? The numbers are increasing so quickly it is impossible to provide an accurate number; by the time this is published that number will be much larger. But here are some facts to give you a good idea of the vast numbers and types that are currently being used:

I created the infographic shown in Figure 1 to provide examples of the many types of devices collecting and sharing a wide range of health data, along with showing how this date is shared with others, who then also continue to share the data with even yet more entities, mostly unknown to the individuals about whom the data applies.

Privacy_Processor_Health_Data_infographic_HiRes

Figure 1 – Who Has Your Health Data?

Great potential for both benefits and harms

The potential for improving health through the use of IoT devices is unlimited. I fully recognize that, and am also excited about the possibilities! However, along with this excitement is justified concern. I want the security and privacy risks addressed.

I’ve heard many medical device makers, and makers of other types of personal health IoT devices, make comments indicating they do not build in security and privacy controls for a variety of common reasons. Here are the ones I’ve heard most often, in no particular order.

  • “People aren’t concerned about privacy so there is no reason to waste money building in privacy controls.”
  • “No one wants to target wearables and medical devices; there is no motivation because the data is not worth anything to anyone but the persons using the devices.”
  • “The cost of security controls, such as encryption and authentication mechanisms, would make the costs of the devices prohibitively high.”
  • “We will never spend money to build security or privacy controls into devices unless compelled by laws to do so; it is not worth the investment of cost and time resources to do so of our own free will.”

Device creators and vendors must understand that there are definitely risks that must be mitigated.

Health devices have privacy risks

A significant problem with health and medical devices is that, for the most part, they lack sufficient security controls, and most don’t have any privacy controls. Considering search tools such as Shodan can be used to find wireless devices, it makes it easy for those who are motivated to use such tools to find such devices to then exploit security vulnerabilities. It is generally common knowledge in the technology and hacker community that a large portion of medical devices are using versions of SSL that have the Heatbleed flaw, increasing the appeal of targeting these devices for hacking.

The vulnerabilities of medical devices have been demonstrated many times. Here are a couple of examples that illustrate how vulnerable medical devices are.

Insulin Pumps and Continuous Glucose Meters

Jerome Radcliffe detailed how he hacked a continuous glucose meter, similar to that shown in Figure 2, and a  wireless insulin pump, such as shown in Figure 3, and changed the dosage settings. Think about the fatal results that could occur by changing the settings of medical devices that people depend upon to support life functions. No wonder Dick Cheney had the wireless access communications disabled in his pacemaker in 2007.

Figure 2 – Continuous Glucose Meter

Figure 2 Continuous Glucose Meter

 

 

 

 

 

 

 

 

Figure 3 – Insulin Pump

Figure 3 Insulin Pump

 

 

 

 

 

 

.

.

.

Pacemakers

Shelby Kobes, did research on medical devices for his graduate work, and now puts that research into practice through his business which helps hospitals secure all their medical devices. As part of his graduate work he purchased a Medtronic 2060, shown in Figure 4, off eBay for US $200. A Medtronic 2090 communicates with a pacemaker using a programming head and magnet. Among other things he discovered that the device had:

  • An unencrypted hard drive
  • No password protection
  • A simple deletion process allowing deleted data to be retrieved
  • Data fr
    om over 50 patients that was still active on the device
  • Medtronic representative contact information that could allow for social engineering hospitals

Figure 4 Medtronic 2090

.

.

.

.

.

.

.

.

.

Figure 4 – Medtronic 2090

Here are the specific data items found on the device:

  • Patient names
  • Hospital names
  • Doctor names
  • Serial numbers of pacemakers
  • Hospital visits dates
  • Patient ID
  • Doctor phone numbers
  • Software version
  • Battery life
  • Telemetry status
  • Last doctor appointment
  • Episodes
  • Pacemaker model
  • Age
  • Social Security Number
  • Birth date
  • Implanted date
  • Note field where any type of information could be entered

Think about Health Data Privacy for Data Privacy Day

Obviously there is much to consider when looking at the security and privacy of the growing numbers of smart gadgets that collect any type of health data. If you use these devices, at work or elsewhere, or have friends or family that do, health data privacy would be a great topic for you to ponder throughout this month and especially on Data Privacy Day, January 28.

If your organization is considering, or already providing, these devices to employees, this is definitely a topic you need to know about. And it is highly likely your organization is, or soon will be, providing such gadgets to your employees when considering increasing numbers of employers are providing a wide variety of such health devices to their employees as part of their benefits, wellness programs, and to even pregnant workers to help them identify health issues.

Want to Know More?

I will be giving a webinar, “The Internet of Medical Things: 2016, The Year Ahead” on January 21 to discuss I more detail the topic of devices that collect, store and transmit a wide variety of health data. Join me if you are intrigued and/or alarmed by this topic to learn what needs to be done to secure all these many devices.

For more information about health and medical device security and privacy see:

 

 

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

dell_blue_rgb

Tags: , , , , ,

Leave a Reply