Special Feature

Securing wearable device data

by Guy Ramsay

MedicalExpo e-magazine: Just how sensitive is data from wearable devices? Yes, it might be embarrassing, but is it really all that serious if data from a wearable monitor or a health app is hacked?

Seyedmostafa Safavi: We categorize this as trespassing on the user’s privacy. Any negative personal information exposed on the Internet is at best only embarrassing. A breach in security with any health data can be serious. For example, insurance companies might refuse insurance if they knew you were in poor health. Or a business might be in trouble if its founder was ill and that information was leaked.

With the recent Sony Entertainment hacks, data security has become an issue in the press and a headache for database administrators. Sensitive data generated by wearable devices are presumably no exception. Are there any particular security concerns with data from wearable devices? Are doctors doing enough to protect patient data?

We asked Seyedmostafa Safavi, a researcher at the Cyber Security Unit at the National University of Malaysia and co-author of a recent review on the subject, to elaborate.

ME e-mag: Of all the stakeholders involved in data from wearable devices, is there a weak link?

SS: Weak links emerge where the focus has been on making features faster, lighter, or cheaper at the expense of standardization and security. Security matters also need to be considered, as well as price and benefits.

ME e-mag: Is the real risk of hacking wearable devices at the local, wireless level, or rather at the cellular connectivity level?

SS: A risk emerges when an application developer or device manufacturer didn’t or wouldn’t consider the possibility of a security breach. So there is a risk at both levels, both locally and regionally. Complete data encryption and using secure connectivity protocols, like VPN built into the device, can ensure safer data transmission.

ME e-mag: What should doctors be aware of when patients offer data from wearable devices?

SS: Doctors have to be careful with data collection. They need to ensure that the data have been recorded in a standard manner and that the device has been certified for accuracy.

ME e-mag: What can doctors do to ensure greater security of patient data?

SS: If the hospital or clinic has an Information Security Management System (ISMS), doctors should adhere to that framework. If not, we would recommend a security awareness course. In general, the basic thing that doctors can do is to update their applications regularly, and to not share their user-IDs or passwords.

ME e-mag: What degree of responsibility do doctors have for the protection of confidential data?

SS: When we talk about confidential data, it can be digital or it can be non-digital. Both are confidential. You cannot just throw printed patient data into the dustbin. For the same reason, you shouldn’t be able to copy patient data onto a USB drive. A systematic process must be in place, starting with the data collection. If an ISMS is practiced in the hospital, doctors should find out about it. Our advice to doctors is to ensure that security is updated, to employ firewalls and antivirus applications, and that the server must be designed and implemented with proper protections, both from online hacking and from unauthorized physical access.

ME e-mag: What are the security certification requirements that cover data from wearable devices?

SS: Since we are focusing on information privacy for wearable devices, we would recommend adhering to the Markle Common Framework guidelines.

[Editor’s note: The Markle Foundation is a US-based organization whose mission is to “realize the potential of advances in information technology to address previously intractable public problems for the health, security, and economic well-being of all Americans.” The Markle Common Framework is a set of policy and technology practices that help medical professionals and consumers share personal health information while protecting privacy.]

ME e-mag: Are the private clinical database-hosting services doing enough to ensure security?

SS: In my opinion they are doing their best to prevent security flaws, but to have proper practices in place for security and privacy in the healthcare industry requires an end-to-end risk management process. This includes risk assessment – a determination of the organization’s level of acceptable risk – and then deciding what controls must be implemented to reduce that risk to an acceptable level. In addition, they have to monitor, measure, and report compliance to security and privacy standards.