Estimates of the number of IoT (Internet of Things) project 1.9 billion devices today growing to 9 billion by 2018. Already, healthcare has made major strides into the Internet of Things with a myriad of healthcare specific Internet connected devices, or “things” for managing health and wellness through vital signs.
For example, multiple healthcare “things” can measure everything from patient activity through multiple vital signs such as blood pressure, glucose levels and so forth. Connecting these “things” to the Internet enables the data to be analyzed, for example, for diagnostics. This has potential to radically transform healthcare enabling better, faster diagnostics, and personalized medicine.
Patient conditions can be detected proactively and early, personalized treatment provided, and patients allowed to return home for recovery faster with post treatment monitoring. Healthcare IoT is also poised to empower patients with their data, which historically has been locked inside healthcare organizations and difficult for patients to acquire. Clearly, potential benefits of healthcare IoT are great.
Security of IoT
Concurrently, privacy and security incidents such as breaches have reached alarming levels globally, both in frequency and impact. Privacy concerns have also been exacerbated in recent years by concerns over surveillance and privacy intrusions from online service providers such as social media platforms. Realizing the benefits of healthcare IoT sans the privacy and security incidents, and doing so in a way that preserves and builds patient trust, requires a proactive approach where privacy and security is built in by healthcare IoT device and service providers.
Many healthcare IoT service providers today stream sensitive patient data from the devices, securely over the Internet, to repositories they maintain for secure storage. These repositories enable analytics on the patient data, empowering patients with new insights, knowledge, and enabling them to make better informed decisions on their health and wellness. However, in a sense, these repositories are silos, storing the data from the specific healthcare IoT device and enabling analytics just on that data. Unfortunately for the patient, this data is not automatically available for co-mingling with other data from other healthcare IoT devices provided by other organizations. The result is a limitation in the analytics that can be done and benefits that can be delivered back to the patient.
Privacy through separation
Interestingly, one of the unintended benefits of silo’ing patient data across separate secure clouds maintained by different healthcare IoT service providers is that privacy and security risk is reduced through separation. If one of the providers is breached, there is a limit to the variety and quantity of sensitive healthcare data at risk. While industry is generally currently in the phase of building out the healthcare IoT, proliferating devices and silos, proactive attention to privacy and security demands that we think ahead to the inevitable next phase.
This is where data from different healthcare IoT providers is brought together, further enabling greatly increased benefits, while also greatly increasing privacy and security risks. An intrusion of such an integrated repository of patient data could breach a much greater variety and quantity of sensitive data. Preventing cybercrime in healthcare requires a holistic approach where a combination of administrative, physical, and technical safeguards are used to mitigate privacy and security risks. With cybercriminals using increasingly sophisticated techniques for intrusions, technical controls need to protect the whole stack, from various layers of software right down to the hardware level. With patients and healthcare workers being increasingly empowered with more sensitive data, and tools such as smart devices, apps, social media, wearables and IoT, we need to recognize that many breaches occur from inadvertent user actions that while well intentioned, subject sensitive data to greatly increased privacy and security risks.
In addition to securing the hardware and software, we need to secure the user, also empowering them with new visibility into privacy and security risks of their actions, as well as actionable alternatives available to them that both achieve their goals while reducing or eliminating risks.
What privacy and security challenges and risks are you seeing from healthcare IoT, and how are you planning to address these?
David Houlding, MSc, CISSP, CIPP is a senior privacy researcher with Intel Labs and a frequent blog contributor.
Find him on LinkedIn
Keep up with him on Twitter (@davidhoulding)
Check out his previous posts