E-News Exclusive

Secure Your Wearable Devices:
The Health of Your Organization Depends on It

By Andrey Pozhogin

We are officially living in an era of wearables. More and more companies market technologies and devices to improve vital data monitoring and, as a result, diagnostics. There is no doubt that these wearables provide the health care industry with the ability to potentially help them monitor a patient’s health information more closely and have even more information on a specific patient to make informed health decisions. But unfortunately, very few of these devices are developed with security in mind. This is partially because this market is still quite new and partially because technology used for communication with wearables is also viewed as a protective limitation (getting data off the device requires either tethering or at least a physical location of the device a short distance from a control device, such as a laptop or a mobile).

However, successful hacks and exploitations of weak spots in communication protocols have been documented recently. Earlier this year, Kaspersky Lab researcher Roman Unucheck was able to access his wearable device data without authentication. What’s concerning about this example is when he reported the vulnerability to the wearable device manufacturer, the case was classified as a user experience issue, not a security concern. This demonstrates an unwillingness of wearable manufacturers to appreciate the seriousness of the security issues at hand and dismiss the very real possibility of a successful malicious action on premises such as “technology limitations prohibit hacking of wearables” or “this data cannot be misused anyways.” The reality is those devices are hackable and possess such a powerful sensor combination that can be misused in numerous ways—from tracking a person and measuring their reaction to surroundings and events to performing remote health diagnostics with malicious intent (eg, getting an unfair advantage in negotiations or using data for trading stock).

Things get really dire, though, when we shift focus from consumer health care devices to the devices that have been used by doctors for a while—not only for monitoring but also for life support itself. Devices such as insulin pumps, heart rate monitors, and drug injectors are becoming even more connected and introduce further security risks to hospitals. A terrifying example of this can be found as far back as 2011 when security researcher Jerome Radcliffe demonstrated an attack on an insulin pump that can be performed from as far as one-half mile away from the victim and is able to adjust parameters of operation in a way that could harm the patient.

That alarming research is a call to action for anyone involved in the production and enabling of connected sensors (this is basically what a wearable device is) to consider security when implementing these devices into a health care environment. It is critical that all aspects of personal health monitoring and treatment be properly secured. This doesn’t have to be a hard process or a project that could take up precious time from a hospital’s IT teams. As a starting point, it’s important for all wearable manufacturers to do their part and take into account that securing wearables requires the following:

• an appreciation of the fact that such devices are a useful asset for an attacker and will be targeted to steal sensitive data if security is not in place;
• effort from the organization implementing a wearable device to design an architecturally secure solution;
• using potentially more expensive components (eg, with hardware support of encryption) to ensure proper security is in place; and
• potentially a larger investment in development of the security architecture, and so on.

In addition, health care organizations should do their part to ensure the security of wearable devices used by staff. There’s no shortage of technologies that can help simplify the process of securing these types of devices. However, it’s important for health care organizations to do their research and implement a security technology that best fits their organization and customers. Health care organizations must examine the effectiveness of security technologies to detect, prevent, and neutralize malicious code. In short, security shouldn’t be just a check box for health care organizations. Securing health care wearables needs to start with the manufacturers, but it also takes careful internal planning by health care organizations and the right type of technology.

The market for health care wearables will only continue to grow as more users begin to use them. And while security can sometimes be an afterthought when it comes to these devices, we will definitely see this aspect gain more traction as we continue to embrace wearable sensor technology. Unfortunately, an increase in attacks against users of wearable devices may be the trigger to get manufacturers and health care organizations to focus more on security issues. Especially since a recent Kaspersky Lab survey found that only 25% of health care organizations named preventing IT security breaches as a top three concern of the IT function.

But that doesn’t have to be the case. Through proactive security implementation, a health care organization can stay ahead of competitors by not only highlighting their use of wearable technology but also ensuring that a patient’s sensitive data remain safe. Once organizations realize the value of this competitive advantage, the race to make wearables secure will be on.