Wearable healthcare devices are one of the great innovations in medical care in the digital age. Gadgets that measure things like temperature, blood pressure, blood oxygen, cardiac activity, breathing rate, and movement can help patients and their providers to keep tabs on conditions like diabetes, cancer, and lung disease. These devices are invaluable for monitoring patient status, especially during the pandemic when frequent office visits are inadvisable.
But wearable healthcare devices are subject to the same cybersecurity concerns as other electronic devices, especially other wearables. That is, depending on the technologies used, they can contain vulnerabilities that expose them to threats such as ransomware and unauthorized access to personal and financial data.
Recently Kaspersky found that the data transfer protocol used by healthcare devices contains 90 vulnerabilities, including 33 found in 2021 alone, an increase over the number found the previous year. Even more alarming, some of these vulnerabilities remain unpatched, giving cyber attackers the ability to intercept data being sent from these devices. Here we describe how issues with wearable healthcare devices can cause problems for individuals, and how healthcare professionals should respond.
The data transfer protocol studied by Kaspersky is Message Queuing Telemetry Transport (MQTT), which is a common protocol for transmitting data from wearable devices including those used for healthcare applications. It was designed specifically for use in Internet of Things (IoT) devices and is known for being easy and convenient. It allows messages to be sent and acknowledged between devices no matter where they are, even when networks are unreliable.
Unfortunately, many transactions that use MQTT don’t include encryption, and authentication is optional with this protocol. Those gaps leave MQTT traffic open to man-in-the-middle attacks, in which attackers position themselves between the two communicating parties and steal data that is transferred between them. With wearable healthcare devices, that data may include sensitive personal, medical, and location information.
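The optional authentication described above is visible in the first packet an MQTT client sends. The following added example (not from the article or from Kaspersky's research) audits an MQTT 3.1.1 CONNECT packet taken from a traffic capture of a device under review; the sample packets, client ID and function names are constructed for illustration.

```python
import struct

# Constructed sample CONNECT packets (MQTT 3.1.1), not captured from a real device.
ANON = b"\x10\x17\x00\x04MQTT\x04\x02\x00\x3c\x00\x0bwearable-01"
AUTH = (b"\x10\x27\x00\x04MQTT\x04\xc2\x00\x3c\x00\x0bwearable-01"
        b"\x00\x08patient7\x00\x04demo")

def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' (at most 4 bytes)."""
    value = 0
    for shift in (0, 7, 14, 21):
        if pos >= len(buf):
            break
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def audit_connect(packet):
    """Summarise what a CONNECT packet readable on the wire discloses."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    name, pos = _field(body, 0)
    if len(body) != length or name != b"MQTT" or len(body) < pos + 4 or body[pos] != 4:
        raise ValueError("not a complete MQTT 3.1.1 CONNECT")
    flags = body[pos + 1]            # bit 7 = username present, bit 6 = password present
    client_id, _ = _field(body, pos + 4)   # skip level, flags and 2-byte keep-alive
    findings = ["CONNECT readable in cleartext: session is not wrapped in TLS"]
    if not flags & 0x80:
        findings.append("no username: device relies on the broker accepting anonymous clients")
    elif flags & 0x40:
        findings.append("username and password cross the network unencrypted")
    return {"client_id": client_id.decode("utf-8", "replace"), "findings": findings,
            "has_username": bool(flags & 0x80), "has_password": bool(flags & 0x40)}
```

A device that passes this audit produces no parseable CONNECT at all, because the whole session, including the credentials, sits inside TLS.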
Yet, the pandemic has made these devices more essential. Amid quarantines and greater demands placed on healthcare workers, these professionals have had to find creative ways to provide care. Strategies include telehealth appointments in which patients visit with their providers via video call, and monitoring healthcare conditions through the use of wearable devices, which reduces the number of office visits required.
Consequences of Misuse
One of the most dangerous consequences of interference with the data that wearable healthcare devices transmit is a potential reduction in quality of care. For example, a healthcare practitioner might offer incorrect diagnoses or recommendations based on incomplete or inaccurate data.
Another potential outcome is the use of personal data for “surveillance advertising.” Accountable Tech, an organization working to bring about long-term structural reform in social media, describes surveillance advertising as “the practice of extensively tracking and profiling individuals and groups, and then microtargeting ads at them based on their behavioral history, relationships, and identity.” The organization says this strategy is used “to keep each user hooked, so they can be served more ads and mined for more data.”
The traditional issues associated with other devices are potential problems as well. For example, hackers can sell a patient’s private information, or encrypt it and demand a ransom in a ransomware attack. Additionally, when a patient uses Bluetooth on their phone to connect to their device, they run the risk of Bluetooth hacking, in which the hacker gains entry to the patient’s phone and, with it, access to a wide range of personal information, including bank details and location information.
The U.S. Food and Drug Administration (FDA) is keeping an eye on these developments. It “regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment,” according to its website. To achieve these ends, the agency works in conjunction with device manufacturers, hospitals, health care providers, patients, security researchers, and other governmental agencies.
One of the FDA’s roles in this area is to provide direction to manufacturers to ensure their products are cyber secure, and to recommend that they share any issues they might find. When a manufacturer does find such an issue, the FDA may issue a safety communication, which provides information about the vulnerability and actions for patients, providers, and manufacturers to take. Manufacturers must also work to create code that is impervious to tampering.
The U.S. Federal Trade Commission (FTC) is also involved in promoting wearable healthcare device safety. According to a news release published in late 2021, it “issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule, which requires that they notify consumers and others when their health data is breached.”
How Healthcare Professionals Can Help
Those in the healthcare field can take steps to ensure higher security for their patients:
- Given a choice in which devices to use, don’t automatically use those suggested by a hospital or medical organization. Instead, research these options and compare them with alternative products.
- Adjust settings to allow for the least amount of data transfer possible and instruct patients to do the same. For example, turn off the ability to collect location data.
- Change passwords on all devices and corresponding software. Instruct patients to do the same.
- Use encryption if it is available with the device and software. Instruct patients to do the same.
Additionally, healthcare professionals should tell patients to take the following precautions:
- Maintain physical control over wearable healthcare devices.
- Only connect devices to other devices or software if instructed to do so by the manufacturer or a healthcare provider.
- When prompted to update the device, do so immediately.
- Review specific instructions for securing each type of device.
- If the device behaves strangely, contact the manufacturer or a healthcare provider.
- Share information with family members and caregivers so they can help with safety measures.