by Guy Ramsay
MedicalExpo e-magazine: Just how
sensitive is data from wearable devices?
Yes, it might be embarrassing, but is it really
all that serious if data from a wearable
monitor or a health app is hacked?
Seyedmostafa Safavi: We categorize this
as trespassing on the user’s privacy. Any
negative personal information exposed on
the Internet is at best only embarrassing.
A breach in security with any health data
can be serious. For example, insurance
companies might refuse insurance if they
knew you were in poor health. Or a business
might be in trouble if its founder was ill and
that information was leaked.
With the recent Sony Entertainment hacks,
data security has become an issue in the press
and a headache for database administrators.
Sensitive data generated by wearable devices
are presumably no exception.
Are there any particular security concerns
with data from wearable devices? Are doctors
doing enough to protect patient data?
We asked Seyedmostafa Safavi, a researcher
at the Cyber Security Unit at the National
University of Malaysia and co-author of a
recent review on the subject, to elaborate.
ME e-mag: Of all the stakeholders involved
in data from wearable devices, is there a
SS: Weak links emerge where the focus has
been on making features faster, lighter, or
cheaper at the expense of standardization
and security. Security matters also need to
be considered, as well as price and benefits.
ME e-mag: Is the real risk of hacking
wearable devices at the local, wireless
level, or rather at the cellular connectivity
level?
SS: A risk emerges when an application
developer or device manufacturer didn’t or
wouldn’t consider the possibility of a security
breach. So there is a risk at both levels,
both locally and regionally. Complete data
encryption and using secure connectivity
protocols, like a VPN built into the device, can
ensure safer data transmission.
ME e-mag: What should doctors be aware
of when patients offer data from wearable
devices?
SS: Doctors have to be careful with data
collection. They need to ensure that the data
have been recorded in a standard manner
and that the device has been certified for
accuracy.
ME e-mag: What can doctors do to ensure
greater security of patient data?
SS: If the hospital or clinic has an Information
Security Management System (ISMS),
doctors should adhere to that framework.
If not, we would recommend a security
awareness course. In general, the basic
thing that doctors can do is to update their
applications regularly, and to not share their
user-IDs or passwords.
ME e-mag: What degree of responsibility
do doctors have for the protection of
SS: When we talk about confidential data,
it can be digital or it can be non-digital.
Both are confidential. You cannot just throw
printed patient data into the dustbin. For the
same reason, you shouldn’t be able to copy
patient data onto a USB drive. A systematic
process must be in place, starting with the
data collection. If an ISMS is practiced in
the hospital, doctors should find out about
it. Our advice to doctors is to ensure that
security is updated, to employ firewalls and
antivirus applications, and that the server
must be designed and implemented with
proper protections, both from online hacking
and from unauthorized physical access.
ME e-mag: What are the security
certification requirements that cover data
from wearable devices?
SS: Since we are focusing on information
privacy for wearable devices, we would
recommend adhering to the Markle Common
[Editor’s note: The Markle Foundation is
a US-based organization whose mission
is to “realize the potential of advances
in information technology to address
previously intractable public problems for
the health, security, and economic well-
being of all Americans.” The Markle Common
Framework is a set of policy and technology
practices that help medical professionals
and consumers share personal health
information while protecting privacy.]
ME e-mag: Are the private clinical
database-hosting services doing enough
to ensure security?
SS: In my opinion they are doing their best
to prevent security flaws, but to have proper
practices in place for security and privacy
in the healthcare industry requires an end-
to-end risk management process. This
includes risk assessment – a determination
of the organization’s level of acceptable
risk – and then deciding what controls must
be implemented to reduce that risk to an
acceptable level. In addition, they have to
monitor, measure, and report compliance to
security and privacy standards.