Download full-text PDF

Securing wearable device data

Technical Report · January 2015with143 Reads
DOI: 10.13140/2.1.2155.8565
Abstract
http://www.medicalexpo.com/emag/5/files/28.html
Securing Wearable Device Data
Seyedmostafa Safavi*, Zarina Shukur
Unit of Cyber Security, Faculty of Information Science and Technology, Universiti
Kebangsaan Malaysia,43600 Bangi, Malaysia
Abstract:
With the Sony Entertainment hacks, data security has become an issue in the press and a
headache for database administrators. Sensitive data generated by wearable devices are
presumably no exception. Are there any particular security concerns with data from wearable
devices? Are doctors doing enough to protect patient data? We asked Doctor Seyedmostafa
Safavi, an associate fellow at the Cyber Security Unit at the National University of Malaysia
and co-author of a recent review on the subject to elaborate.
Keywords: Internet of Things, cyber-crime, information network attacks, data breaches,
Hyper-Connectivity Society, Act on Promotion of Information and Communication Network
Utilization and Information Protection , Direct Hacking , Internet-Connected Device , Data
Breaches , Security Threats .
Just how sensitive is data from wearable devices?
SS. We categorize this as trespassing on the user’s privacy. Any negative personal information
exposed on the Internet is at best only embarrassing. For example insurance companies might
refuse insurance if they knew you were in poor health. Or a health product business might be
in trouble if its founder was ill and that was leaked.
Of all the stakeholders involved in data from wearable devices, is there a weak link?
SS. Weak links emerge where the focus has been on making features faster, lighter or cheaper
at the expense of standardization and security. Security matters also need to be considered, as
well as price and benefits.
Is the risk of hacking wearable devices greater at the local, wireless level or at the
cellular connectivity level?
SS. The risk emerges when application developer or device manufacturer didn’t or wouldn’t
consider the possibilty of a security breach. So there is a risk at both levels, both locally and
regionally. Complete data encryption, and using secure connectivity protocols, like VPN built
into the device can ensure safer data transmission[1].
What should doctors be aware of when patents offer data from wearable devices?
SS. Doctors have to be careful with data collection. They need to ensure that the data has been
recorded in standard manner and that the device has been certified for accuracy.
What can doctors do to ensure greater security of patient data?
SS. If the hospital or clinic has an Information Security Management System (ISMS) doctors
should adhere to that framework. If not, we would recommend a security awareness course. In
general, the basic thing that doctors can do is to update their applications regularly, and to not
share their user-IDs or passwords[2].
Published by Medical Expo. Open access.
Interviewed by Guy Ramsay.
Access link: http://medicalexpo.com/emag/5/
What degree of responsibility do doctors have for the protection of confidential data?
SS. When we talk about confidential data, it can be digital or it can be non-digital. Both are
confidential. You cannot just throw printed patient data into the dustbin. For the same reason
you shouldn’t be able to copy patient data onto a USB drive. A systematic process must be in
place, starting with the data collection. If ISMS is practiced in the hospital, doctors should
find out about it. Our advice to doctors is to ensure that security is updated, to employ
firewalls and antivirus applications, and that the server must be designed and impleted with
proper protections, both from online hacking and from unauthorised physical access.
What are the security certification requirements that cover data from wearable devices?
SS. Since we are focusing on information privacy for wearable devices, we would recommend
adhering to the Markle Common Framework guidelines.
Are the private clinical database-hosting services doing enough to ensure security?
SS. In my opinion they are doing their best to prevent security flaws, but to have proper
practices in place for security and privacy in the healthcare industry requires an end-to-end
risk management process. This includes risk assessment – a determination of the
organization’s level of acceptable risk – and then deciding what controls must be implemented
to reduce that risk to an acceptable level. In addition, they have to monitor, measure, and
report compliance to security and privacy standards[3].
What guidelines should software developers and database administrators follow for
better security?
SS. Firstly, there are the technical controls: firewalls, VPN for patient connectivity and
biometric authentication services. Secondly, developers should check for policy flaws and
design errors during the developmental stage – to prevent software vulnerabilities and human
error factors, as well as correcting hostile code and misconfigurations. Solving these security
issues requires ongoing awareness training, implementing appropriate policies and standards,
and doing audits. A background check of the personnel involved is also a good idea. We
suggest that software developers follow the Secure Software Development Life Cycle
(SSDLC) standards. Although I don’t believe they always do because if they had, we wouldn’t
have had half of the attacks at the moment that are resulting in personal information being
leaked.
Links:
Cyber Security Unit, National University of Malaysia:
http://www.ukm.my/ftsm/cybersecurity.php
Published by Medical Expo. Open access.
Interviewed by Guy Ramsay.
Access link: http://medicalexpo.com/emag/5/
PLOS One paper:
http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0114306
Markle Common Framework:
http://www.markle.org/health/markle-common-framework
References:
1. Safavi, Seyedmostafa, and Zarina Shukur. "Improving Google glass security and privacy by
changing the physical and software structure." Life Science Journal 11.5 (2014): 109-117.
2. Safavi, Seyedmostafa, Zarina Shukur, and Rozilawati Razali. "Reviews on Cybercrime
Affecting Portable Devices." Procedia Technology 11 (2013): 650-657.
3. Safavi, Seyedmostafa, and Zarina Shukur. "Conceptual privacy framework for health
information on wearable device." PloS one 9, no. 12 (2014): e114306.
Published by Medical Expo. Open access.
Interviewed by Guy Ramsay.
Access link: http://medicalexpo.com/emag/5/
Article
Full-text available
December 2014 · PLoS ONE
    Wearable health tech provides doctors with the ability to remotely supervise their patients' wellness. It also makes it much easier to authorize someone else to take appropriate actions to ensure the person's wellness than ever before. Information Technology may soon change the way medicine is practiced, improving the performance, while reducing the price of healthcare. We analyzed the secrecy... [Show full abstract]
    Article
    Full-text available
    May 2014 · Life Sciences
      Following the exciting first reactions, Google Glass has encountered seriously criticism, due to the perceived threats to security and privacy. Cyber security is one of the most serious threats, both to private users and business enterprises. At present, Google Glass makes it easy for cyber hackers to gain access to our personal data, banking and credit card details, passwords or personal... [Show full abstract]
      Article
      Full-text available
        Background Health data personally collected by individuals with wearable devices and smartphones is becoming an important data source for healthcare, but also for medical research. Objective To describe a new consent model that allows people to control their personally collected health data and determine to what extent they want to share these for research purposes. Methods We developed, in... [Show full abstract]
        Article
        Full-text available
          Wearable technology is one of the greatest applications of the Internet of Things. The popularity of wearable devices has led to a massive scale of personal (user-specific) data. Generally, data holders (manufacturers) of wearable devices are willing to share these data with others to get benefits. However, significant privacy concerns would arise when sharing the data with the third party in... [Show full abstract]
          Discover more