Every day more medical innovations come on the market. These so-called smart devices collect, transmit and store huge amounts of personal data, and they share that pool with still more devices, networks and systems.
Particularly concerning is the explosion of direct-to-consumer medical devices that are collecting and sharing huge quantities of data with unlimited, unknown others.
Beyond the privacy implications of all this unsecured personal medical information floating in vulnerable cloud-based systems lies the question of its security. There were 450 total breach incidents reported in the U.S. in 2016, impacting more than 27 million patient records. How many more breaches occurred that were never identified? How many are occurring right now without anyone knowing?
More needs to be done to protect smart medical devices that largely have little-to-no security controls built into them.
Without these controls, that Fitbit, Internet-enabled pacemaker or connected imaging device becomes an open door to valuable, irresistible data. And what's waiting to walk through? Malware engineers, distributed denial of service (DDoS) attackers and, scarier yet, criminals seeking to do physical harm to the patients who depend upon them.
Here are just a few of the questions we, as an industry, need to ask as we integrate smart-device innovations into the health care ecosystem:
- How is access to the devices, and to their settings, controlled?
- How is the security and privacy of all that data assured?
- What security and privacy standards can be used by medical device engineers to build in protections and controls?
- What agencies are overseeing the medical device manufacturers to make sure they appropriately address security and privacy risks?
- What can CISOs/information security officers and privacy officers within hospitals and clinics do to mitigate the risks connected medical devices bring into their digital environments?
- What can health care providers do to mitigate the HIPAA non-compliance risks these devices present?
In our next post, we'll address other actions the industry and each of its players can take collaboratively to achieve comprehensive and effective security and privacy controls.