Partner Perspectives  Connecting marketers to our tech communities.
6/11/2015
10:45 AM
Lorie Wigle
Lorie Wigle
Partner Perspectives
100%
0%

The Promises And Perils Of The Healthcare Internet Of Things

Connected devices are working wonders for managing treatment, but their integration with consumer technology and cloud computing raises significant security issues.

What has been happening over the past week or month with your blood pressure, heart rate, glucose level, respiration, or oxygen levels? How much and what type of exercise do you do, and what effect is it having? While the answers to these questions may not be on the tip of your tongue, wearable medical technologies can monitor, store, and transmit this data, providing your healthcare team with more granular information than they have ever had outside of a hospital. These and other connected healthcare devices are improving diagnosis, treatment, and quality of life, while reducing costs.

How much do you weigh? What do you eat? What medications are you taking? What diseases or conditions do you have? Medical information is also one of the most personal and private aspects of our society. While it is important for your healthcare professionals to know these things, it is equally important to keep it private from those who may use the information to take advantage or discriminate against you.

Tiny devices that can be worn, implanted, or even ingested are being invented at an accelerating pace. And they are not just monitoring, but taking an active role in managing a long list of things, including hearts, pain, insulin, and seizures. These devices are working wonders for managing treatment and quality of life outside of hospitals. But their connectivity and integration with consumer technology and cloud computing raise significant security issues. The biggest concerns are privacy violations and intentional disruptions, and one high-profile security incident could discourage adoption for decades.

Personal medical information is valuable to cyber criminals. While stealing credit card numbers is big business, the stolen card has no value once it is reported stolen. Stolen medical data, on the other hand, can be sold for insurance fraud repeatedly and can continue to add value for years. And we can only imagine what other unethical and illegal uses criminals could come up with.

Security By Design

Managing and reducing these security concerns requires a change in how we design, develop, and regulate connected healthcare devices. The first step is a focus on security by design, making upfront investments that will pay back benefits to the device manufacturers and the healthcare community for years. Sharing best practices and building shared or open-source libraries of common functions would go a long way to quickly improving security across the industry.

Then we need better collaboration among vendors, medical practitioners, and regulators to openly discuss and resolve issues, enable innovation and effectiveness, and safeguard the public interest. Regulators themselves need to review the approval process, taking into consideration the pace of technological change and the cloud nature of data that crosses national and corporate borders, while continuing to protect patients. Finally, we need to learn from social media and customer centric design, listening better to the voices of the patients and families involved and incorporating their feedback.

Connected healthcare devices deliver highly personal benefits, embedding the Internet into medical processes. With these tools, we are already seeing improved medical outcomes, better quality of life, and lower healthcare costs, and we are just at the beginning of this transformation. Incorporating security by design, increasing collaboration, and evolving the regulatory process will ensure these benefits are not lost to crybercrime and security breaches.

For more information on the topic, check out Atlantic Council’s recent report at The Healthcare Internet of Things Rewards and Risks.

Lorie Wigle is building a new business focused on securing critical infrastructure and IOT more broadly at Intel subsidiary McAfee. Lorie has been with Intel for nearly 30 years in a wide variety of marketing and technical roles. She has an MBA from Portland State University ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LoriWigle
50%
50%
LoriWigle,
User Rank: Strategist
6/18/2015 | 2:25:48 PM
Re: Scare tactics

As far as scary goes...I'd say it's serious but not scary, because unlike the horror movie, we know exactly what to do about it. 

Hope that no one thinks this is a call to do nothing and wait until everything is perfect. In fact, it's quite the opposite, as doing nothing about security is part of the problem today. No one should be waiting to employ best security practices: the technologies already exist today to address these serious risks. Employing them doesn't get in the way of using the Healthcare Internet of Things. Hardening the device can be as straightforward as providing for immutable device identity, a secure boot and application whitelisting. Failure to adopt security will lead to distrust of the Healthcare IoT and get in the way of its adoption. There is no reason to wait.

 

mHealthTalk
50%
50%
mHealthTalk,
User Rank: Apprentice
6/12/2015 | 11:54:04 AM
Scare tactics
"They Sky is Falling. The Sky is Falling." Isn't that what the umbrella salesman says? 

While the article did mention some of the benefits of Healthcare Internet of Things, the overal tone was to make this a very scary place, discouraging use of these technologies until all is perfect. Just consider the source.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.