
Costs Of Compromised Credentials Rising

Posted on March 3, 2017 | Written by Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare organizations face unique network access challenges. While some industries only need to control access by professional employees and partners, healthcare organizations are increasingly opening up data to consumers, and the number of consumer access points are multiplying. While other industries face similar problems – banking seems particularly relevant – I don’t know of any other industry that depends on such a sophisticated data exchange with consumers to achieve critical results.

Given the industry’s security issues, I found the following article to be quite interesting. While it doesn’t address healthcare concerns directly, I think it’s relevant nonetheless.

The article, written by InfoArmor CTO Christian Lees, contends that next-generation credentials are “edging toward a precarious place.” He argues that because IT workers are under great pressure to produce, they’re rushing the credentialing process. And that has led to a lack of attention to detail, he says:

“Employees, contractors and even vendors are rapidly credentialed with little attention given to security rules such as limiting access per job roles, enforcing secure passwords, and immediately revoking credentials after an employee moves on…[and as a result], criminals get to choose from a smorgasbord of credentialed identities with which to phish employees and even top executives.”

Meanwhile, if auto-generated passwords are short and ineffective, or so long that users must write them down to remember them, credentials tend to get compromised quickly. What’s more, password sharing and security shortcuts used for sign-in (such as storing a password in a browser) pose further risk, he notes.

Though he doesn’t state this in exactly these words, the problem is obviously multiplied when you’re a healthcare provider. After all, if you’re managing not only thousands of employee and partner credentials, but potentially, millions of consumer credentials for use in accessing portal data, you’re fighting a battle on many fronts.

And unfortunately, the cost of losing control of these credentials is very high. In fact, according to a Verizon study, 63% of confirmed data breaches happening last year involved weak, default or stolen passwords.

To tackle this problem, Lees suggests, organizations should create a work process which handles different types of credentials in different ways.

If you’re providing access to public-facing information, which doesn’t include transaction, identifying or sensitive information, using a standard password may be good enough. The passwords should still be encrypted and protected, but they should still be easy to use, he says.

Meanwhile, if you need to offer users access to highly sensitive information, your IT organization should implement a separate process which assigns stronger, more complex passwords as well as security layers like biometrics, cryptographic keys or out-of-band confirmation codes, Lees recommends.

Another way to improve your credentialing strategy is to associate known behaviors with those credentials. “If you know that Bill comes to the office on Tuesdays and Thursdays but works remotely the rest of the week and that he routinely accesses certain types of files, it becomes much harder for a criminal to use Bill’s compromised credentials undetected,” he writes.
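As an added illustration of the behavioral baselining Lees describes (this is example code written for this page, not something from InfoArmor or the article), the following script builds a per-user profile from historical access events and scores new events against it. The event fields, the user "bill", and the log entries are all constructed sample data.

```python
"""Behavioural baseline check for credential use.

Added example, not from the original post. Builds a per-user profile
(which weekdays the user is in the office or remote, which file categories
they touch) from historical events, then reports how a new event deviates.
The field layout and all data below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, ISO timestamp, location, file_category).
# Bill is in the office Tuesdays/Thursdays and remote the rest of the week.
HISTORY = [
    ("bill", "2017-02-07T09:12:00", "office", "billing"),     # Tuesday
    ("bill", "2017-02-09T10:05:00", "office", "billing"),     # Thursday
    ("bill", "2017-02-13T08:50:00", "remote", "billing"),     # Monday
    ("bill", "2017-02-14T09:30:00", "office", "scheduling"),  # Tuesday
    ("bill", "2017-02-15T11:00:00", "remote", "billing"),     # Wednesday
    ("bill", "2017-02-16T09:00:00", "office", "billing"),     # Thursday
    ("bill", "2017-02-17T14:00:00", "remote", "scheduling"),  # Friday
]


def build_profiles(events):
    """Return {user: {"office_days": set, "remote_days": set, "categories": set}}.

    Weekdays use datetime.weekday(): Monday == 0 ... Sunday == 6.
    """
    profiles = defaultdict(
        lambda: {"office_days": set(), "remote_days": set(), "categories": set()}
    )
    for user, ts, location, category in events:
        weekday = datetime.fromisoformat(ts).weekday()
        key = "office_days" if location == "office" else "remote_days"
        profiles[user][key].add(weekday)
        profiles[user]["categories"].add(category)
    return dict(profiles)


def score_event(profiles, event):
    """Return the list of ways `event` deviates from the user's baseline.

    An empty list means the event matches known behaviour. Reasons are
    appended in a fixed order so callers can rely on it.
    """
    user, ts, location, category = event
    profile = profiles.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    weekday = datetime.fromisoformat(ts).weekday()
    if location == "office" and weekday not in profile["office_days"]:
        reasons.append("office login on unusual weekday")
    if location == "remote" and weekday not in profile["remote_days"]:
        reasons.append("remote login on unusual weekday")
    if location not in ("office", "remote"):
        reasons.append("login from unknown location")
    if category not in profile["categories"]:
        reasons.append("access to unfamiliar file category")
    return reasons


def flag_events(profiles, events):
    """Return [(event, reasons)] for every event that deviates from baseline."""
    flagged = []
    for event in events:
        reasons = score_event(profiles, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed new events: one normal, three that a reviewer should look at.
    new_events = [
        ("bill", "2017-02-21T09:00:00", "office", "billing"),     # Tuesday, normal
        ("bill", "2017-02-20T09:00:00", "office", "billing"),     # Monday in office
        ("bill", "2017-02-22T09:00:00", "remote", "hr_records"),  # new file category
        ("bill", "2017-02-25T03:00:00", "remote", "billing"),     # Saturday
    ]
    for event, reasons in flag_events(profiles, new_events):
        print(event, "->", "; ".join(reasons))
```

A real deployment would feed this from the identity provider's or EMR's audit log and widen the baseline (hour of day, device, volume of records) to keep false positives manageable; the point the script demonstrates is that a stolen credential used outside its owner's routine becomes visible even though the password itself was valid.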

Of course, readers of this blog will have their own strategies in place for protecting credentials, but Lees’ suggestions are worth considering as well. When you’re dealing with valuable health data, it never hurts to go that extra mile. If you don’t, you might get a visit by the HIPAA police (proverbial, not actual).

Patient Misidentification Remains Common

Posted on February 27, 2017 | Written by Anne Zieger

The following information was released several weeks ago, but I just found it and thought readers would still find it relevant. The research, from security researcher Ponemon Institute, concludes that patient misidentification is relatively common and continues to impact patient safety and experience.

Late last year, Ponemon surveyed 503 healthcare professionals from across the US, including nurses, physicians, IT practitioners and leaders in financial operations, on the frequency and root causes of patient misidentification, as well as the consequences.

According to the researchers, 86% of respondents said they’d witnessed or knew of medical errors resulting from patient misidentification. And 67% said that when searching for patient information, they find duplicate medical records for that patient almost all of the time. Along the way, about three-quarters of respondents agreed that use of biometrics could reduce patient misidentification and, by extension, cut down on medical errors.

The most common root cause of patient misidentification was incorrect identification at registration (chosen by 63%), followed by time pressure when treating patients (60%), insufficient employee/clinician training and awareness (35%), too many duplicate medical records in system (34%), registrar errors (32%), turf wars between departments (29%), inadequate safety procedures (20%), over-reliance on homegrown or obsolete identification systems (15%) and misinformation provided by patient (9%). (The remaining 3% was reported as “other”.)

The key causes of misidentification named in the survey included the inability to find a patient’s chart or medical record (68% of respondents), a search or query which brings up multiple or duplicate medical records for a patient (67%), patient associated with incorrect records due to same names and/or dates of birth (56%), or having the wrong record pulled up for a patient because another record in the registration system or EMR has the same name and/or date of birth (61%).

Not surprisingly, the survey also suggests that widespread patient misidentification can have a serious financial impact. On average, Ponemon says, respondents said that more than one-third of all denied claims resulted directly from an inaccurate patient identification or inaccurate/incomplete information. This costs the average healthcare facility $1.2 million per year, they reported.

Meanwhile, patient identification problems have a negative impact on patient experience, the survey concluded. Sixty-nine percent of respondents told researchers that staff spent up to or more than 30 minutes per shift contacting medical records or HIM departments to get critical patient information.

Not only that, misidentifying patients can have a ripple effect, with missing or incomplete information leading to patient care delays. Thirty-seven percent of respondents said that they spent an hour or more contacting medical records or HIM departments to get critical patient information.

FDA Weighs In On Medical Device Cybersecurity

Posted on January 5, 2017 | Written by Anne Zieger

In the past, medical devices lived in a separate world from standard health IT infrastructure, typically housed in a completely separate department. But today, of course, medical device management has become much more of an issue for health IT managers, given the extent to which such devices are being connected to the Internet and exposed to security breaches.

This has not been lost on the FDA, which has been looking at medical device security problems for a long time. And now – some would say “at long last” – the FDA has released final guidance on managing medical device cybersecurity. This follows earlier final guidance on the subject, released in October 2014.

While the FDA’s advice is aimed at device manufacturers, rather than the health IT managers who read this blog, I think it’s good for HIT leaders to review. (After all, you still end up managing the end product!)

In the guidance, the FDA argues that the best way to bake cybersecurity protections into medical devices is for manufacturers to do so from the outset, through the entire product lifecycle:

Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Specifically, the agency is recommending that manufacturers take the following steps:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Know, assess and detect the level of risk vulnerabilities pose to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to share information about possible vulnerabilities
  • Issue patches promptly, before they can be exploited

The FDA also deems it of “paramount” importance that manufacturers and stakeholders consider applying core NIST principles for improving critical infrastructure cybersecurity.

All of this sounds good. But considering the immensity of the medical device infrastructure – and the rate of its growth – don’t expect these guidelines to make much of an impact on the device cybersecurity problem.

After all, there are an estimated 10 million to 15 million medical devices in US hospitals today, according to health tech consultant Stephen Grimes, who spoke on biomedical device security at HIMSS ’16. Grimes, a past chair of the HIMSS Medical Device Security Task Force, notes that one 500-bed hospital could have 7,500 devices on board, most of which will be networked. And each networked monitor, infusion pump, ventilator, CT or MRI scanner could be vulnerable to attack.

Bottom line, we’re looking at some scary risks regardless of what manufacturers do next. After all, even if they do a much better job of securing their devices going forward, there’s a gigantic number of existing devices which can be hacked. And we haven’t even gotten into the vulnerabilities that can be exploited among home-based connected devices.

Don’t get me wrong, I’m glad to see the FDA stepping in here. But if you look at the big picture, it’s pretty clear that their guidance is just a small step in a very long and complicated process.

An Alternate Way Of Authenticating Patients

Posted on July 5, 2016 | Written by Anne Zieger

Lately, I’ve been experimenting with a security app I downloaded to my Android phone. The app, True Key by Intel Security, allows you to log in by presenting your face for a scan or using your fingerprint. Once inside the app, you can access your preferred apps with a single click, as it stores your user name and passwords securely. Next, I simplified things further by downloading the app to my laptop and tablet, which syncs up whatever access info I enter across all devices.

From what I can see, Intel is positioning this as a direct-to-consumer play. The True Key documentation describes the app as a tool non-techies can use to access sites easily, store passwords securely and visit their favorite sites across all of their devices without re-entering authentication data. But I’m intrigued by the app’s potential for enterprise healthcare security access control.

Right now, there are serious flaws in the way application access is managed. As things stand, authentication information is usually stored in the same network infrastructure as the applications themselves, at least on a high-level basis. So the process goes like this, more or less: Untrusted device uses untrusted app to access a secure system. The secure system requests credentials from the device user, verifies them against an ID/PW database and if they are correct, logs them in.

Of course, there are alternatives to this approach, ranging from biometric-only access to instantly-generated, always-unique passwords, but few organizations have the resources to maintain super-advanced access protocols. So in reality, most enterprises have to firewall up their security and authentication databases and pray that those resources don’t get hacked. Theoretically, institutions might be able to create another hacking speed bump by storing authentication information in the cloud, but that obviously raises a host of additional security questions.

So here’s an idea. What if health IT organizations demanded that users install biometrically-locked apps like True Key on their devices? Then, enterprise HIT software could authenticate users at the device level – surely a possibility given that devices have unique IDs – and let users maintain password security at their end. That way, if an enterprise system was hacked, the attacker could gain access to device information, but wouldn’t have immediate access to a massive ID and PW database that gave them access to all system resources.

What I’m getting at, here, is that I believe healthcare organizations should maintain relationships with patients (as represented by their unique devices) rather than their ID and password. While no form of identity verification is perfect, to me it seems a lot more likely that it’s really me logging in if I had to use my facial features or fingerprint as an entry point. After all, virtually any ID/PW pair chosen by a user can be guessed or hacked, but if you authenticate to my face/fingerprint and a registered device, the odds are high that you’re getting me.

So now it’s your turn, readers. What flaws do you see in this approach? Have you run into other apps that might serve this purpose better than True Key? Should HIT vendors create these apps? Have at it.

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 | Written by Anne Zieger

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks.  Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the meantime, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document offering information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.

Biometric Use Set To Grow In Healthcare

Posted on January 15, 2016 | Written by Anne Zieger

I don’t know about you, but until recently I thought of biometrics as almost a toy technology, something you’d imagine a fictional spy like James Bond circumvent (through pure manliness) when entering the archenemy’s hideout. Or perhaps retinal or fingerprint scans would protect Batman’s lair.

But today, in 2016, biometric apps are far from fodder for mythic spies. The price of fingerprint scan-based technology has fallen to nearly zero, with vendors like Apple offering fingerprint-based security options as a standard part of iOS, its iPhone operating system. Another free biometric security option comes courtesy of Intel’s True Key app, which allows you to access encrypted app data by scanning and recognizing your facial features. And these are just trivial examples. Biometrics technologies, in short, have become powerful, usable and relatively affordable — elevating them well above other healthcare technologies for some security problems.

If none of this suggests to you that the healthcare industry needs to adopt biometrics, you may have a beef with Raymond Aller, MD, director of informatics at the University of Southern California. In an interview with Healthcare IT News, Dr. Aller argues that our current system of text-based patient identification is actually dangerous, and puts patients at risk of improper treatments and even death. He sees biometric technologies as a badly needed, precise means of patient identification.

What’s more, biometrics can be linked up with patients’ EMR data, making sure the right history is attached to the right person. One health system, Novant Health, uses technology registering a patient’s fingerprints, veins and face at enrollment. Another vendor is developing software that will notify the patient’s health insurer every time that patient arrives and leaves, steps which are intended to be sure providers can’t submit fraudulent bills for care not delivered.

As intriguing as these possibilities are, there are certainly some issues holding back the use of biometric approaches in healthcare. Some have already been shown to be weak; Apple’s Touch ID, for example, is vulnerable to spoofing. Not only that, storing and managing biometric templates securely is more challenging than it seems, researchers note. What’s more, hackers are beginning to target consumer-focused fingerprint sensors, and are likely to seek access to other forms of biometric data.

Fortunately, biometric security solutions like template protection and biocryptography are becoming more mature. As biometric technology grows more sophisticated, patients will be able to use bio-data to safely access their medical records and also pay their bills. For example, MasterCard is exploring biometric authentication for online payments, using biometric data as a password replacement. MasterCard Identity Check allows users to authenticate transactions via video selfie or via fingerprint scanning.

As readers might guess from skimming the surface of biometric security, it comes with its own unique security challenges. It could be years before biometric authentication is used widely in healthcare organizations. But biometric technology use is picking up speed, and this year may see some interesting developments. Stay tuned.

Measuring Patient Discomfort Using Brainwave Activity

Posted on December 30, 2015 | Written by John Lynn

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Digital health opportunities are popping up everywhere and in every part of the nation. The IoT Journal (Internet of Things) recently profiled a hospital down the street from me that is exploring IoT’s potential to bring drug-free relief to patients. Here’s a short excerpt from the article:

Until recently, when health-care providers wanted to gauge the level of discomfort a patient was enduring, they typically had to ask that individual to rate his or her pain—for example, on a scale of 1 to 10—and then use that information to plan treatment accordingly. If they wanted to ease the patient’s pain, they needed to administer medication.

Several months ago AccendoWave released an alternative solution that does not require medication and is personalized to each patient. The system was released in June 2015, says Martha Lawrence, AccendoWave’s founder and CEO, and has since been tested at several facilities. The company has spent seven years researching its solution for assessing patient discomfort levels, and is now using a headband that measures electroencephalography (EEG) activity and prompts a tablet PC to provide content aimed at reducing that discomfort.

The AccendoWave headband, which has seven EEG sensor leads built into it, transmits its brain-wave measurements to the tablet via a Bluetooth connection. The tablet, a Samsung Tab 4, uses its built-in AccendoWave software to process patient brain-wave data and then display diversionary content, including games, music, video clips and full-length movies. If, as a patient views a specific piece of content, the brain waves change to indicate increasing comfort, that content remains on the screen. If the content does not appear to have a positive effect on the brain waves, the software continues to select other content until it displays something appealing to the patient.

Pretty interesting approach. The article does note that they don’t use the brainwave data to determine how much medication to administer. They just use it as a way to assess the system’s effectiveness. They also do patient surveys to assess the impact of the device on a patient’s comfort. The article says that since the hospital implemented the system, “1,600 patients have used the device to date, and more than 450 have completed surveys…More than 90 percent of responders reported viewing the system in a positive light.”

I’ve seen these EEG sensors for a while and they’re pretty neat. However, I always wondered how they’d actually be implemented and how they could be used to benefit patient care. No doubt it’s still early in their efforts to use and assess brainwaves, but it’s a pretty interesting solution to tie brain wave activity to soothing images. I’ll be watching to see how this evolves.

Are These Types of Breaches Really Necessary?

Posted on December 28, 2015 | Written by Anne Zieger

Over the past couple of days, I took the time to look over Verizon’s 2015 Protected Health Information Data Breach Report.  (You can get it here, though you’ll have to register.)

While it contained many interesting data points and observations — including that 90 percent of the industries the researchers studied had seen a personal health information breach this year — the stat that stood out for me was the following. Apparently, almost half (45.5%) of PHI breaches were due to the loss or theft of assets. Meanwhile, privilege misuse and miscellaneous errors came in at a distant second and third, at just over 20% of breaches each.

In case you’re the type who likes all the boxes checked, the rest of the PHI breach-causing list, dubbed the “Nefarious Nine,” includes “everything else” at 6.7%, point of sale (3.8%), web applications (1.9%), crimeware (1.4%), cyber-espionage (0.3%), payment card skimmers (0.1%) and denial of service at a big fat zero percent.

According to the report’s authors, lost and stolen assets have been among the most common vectors for PHI exposure for several years. This is particularly troubling given that one of the common categories of breach — theft of a laptop — involves data which was not encrypted.

If stolen or lost assets continue to be a problem year after year, why haven’t companies done more to address this problem?

In the case of firms outside of the healthcare business, it’s less of a surprise, as there are fewer regulations mandating that they protect PHI. While they may have, say, employee worker’s compensation data on a laptop, that isn’t the core of what they do, so their security strategy probably doesn’t focus on safeguarding such data.

But when it comes to healthcare organizations — especially providers — the lack of data encryption is far more puzzling.

As the report’s authors point out, it’s true that encrypting data can be risky in some situations; after all, no one wants to be fumbling with passwords, codes or biometrics if a patient’s health is at risk.

That being said, my best guess is that if a patient is in serious trouble, clinicians will be attending to patients within a hospital. And in that setting, they’re likely to use a connected hospital computer, not a pesky, easily-stealable laptop, tablet or phone. And even if life-saving data is stored on a portable device, why not encrypt at least some of it?

If HIPAA fears and good old common sense aren’t good enough reasons to encrypt that portable PHI, what about the cost of breaches?  According to one estimate, data breaches cost the healthcare industry $6 billion per year, and breaches cost the average healthcare organization $3.5 million per year.

Then there’s the hard-to-measure cost to a healthcare organization’s brand. Patients are becoming increasingly aware that their data might be vulnerable, and a publicly-announced breach might give them a good reason to seek care elsewhere.

Bottom line, it would be nice to see our industry take a disciplined approach to securing easily-stolen portable PHI. After years of being reminded that this is a serious issue, it’s about time to institute a crackdown.

Mark Cuban’s Suggestion to Do Regular Blood Tests

Posted on April 24, 2015 | Written by John Lynn

I’ve been really intrigued by the tweets from Mark Cuban and the response from many to his tweets from those in the healthcare IT community. Here’s a summary of the 3 tweets which ignited the discussion:

  1. If you can afford to have your blood tested for everything available, do it quarterly so you have a baseline of your own personal health
  2. create your own personal health profile and history. It will help you and create a base of knowledge for your children, their children, etc
  3. a big failing of medicine = we wait till we are sick to have our blood tested and compare the results to “comparable demographics”

My friends Dan Munro and Gregg Masters have both been writing a lot about the subject, but there are many others as well. They’ve been hammering Mark Cuban for “giving medical advice” to people when he’s not a doctor. I find these responses really ironic since many of the people who are railing against Mark Cuban are the same people who are calling for us to take part in the quantified self movement.

What I think these people who rail against Mark Cuban want to say is: Don’t misunderstand what Mark’s saying. More testing doesn’t always improve healthcare. In fact, more testing can often lead to a lot of unneeded healthcare.

This is a noble message that’s worthy of sharing. However, I think Mark Cuban understands this. That’s why one of his next tweets told people to get the tests, but don’t show the results to their doctors until they’re sick. In fact, Mark even suggests in his tweets that the history of all these tests could be beneficial to his children and their children. He also calls it a baseline. Mark’s not suggesting that people get these blood tests as a screening for something, but as a data store of health data that could be beneficial sometime in the future.

How is Mark Cuban storing the results of a bunch of blood tests any different than him storing the results from his fitbit or other health sensor?

One problem some people have pointed out is that if you’re doing these blood tests as a baseline, then what if the blood tests weren’t accurate? Then, you’d be making future medical decisions based on a bunch of incorrect data. This is an important point worth considering, but it’s true of any health history. Plus, how are we supposed to make these blood tests more accurate? If the Mark Cubans of the world want to be our guinea pigs and do all these blood tests, that’s fine with me. Having them interested in the data could lead to some breakthroughs in blood testing that we wouldn’t have discovered otherwise.

Along with improving the quality of the data the tests produce, it’s possible that having all of this data could help people discover something they wouldn’t otherwise have seen. Certainly any of these possible discoveries should go through the standard clinical trial process before being applied to patients broadly. However, researchers only have so much time and so many resources to commit to clinical trials. Could all the data from a wide swath of blood tests help a researcher identify which research or clinical trials are worth pursuing first? I think so.

For me it all goes back to the wide variety of health sensors that are hitting the market. A blood test is just a much more powerful test than many of the health sensors we see on the market today. So, the warning to be careful about what you read into all these blood tests is an incredibly important message. However, with that fair warning, I don’t see any problem with Mark’s suggestion. In fact, I think all of the extra data could lead to important discoveries that improve the quality of the tests and what measurements really matter.

How Secure Are Wearables?

Posted on October 1, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

JaneenB asks a really fantastic question in this tweet. Making sure that wearables are secure is going to be a really hot topic. Yesterday, I was talking with Mac McMillan from Cynergistek and he suggested that the FDA was ready to make medical device security a priority. I’ll be interested to see what the FDA does to try to regulate security in medical devices, but you can see why this is an important thing. Mac also commented that while it’s incredibly damaging for someone to hack a pacemaker like the one Vice President Cheney had (has?), the bigger threat is the 300 pumps that are installed in a hospital. If one of them can be hacked, they all can be hacked, and the process for updating them is not simple.

Of course, Mac was talking about medical device security from more of an enterprise perspective. Now let’s think about this across the millions of wearable devices that are used by consumers. Plus, many of these consumer wearable devices don’t require FDA clearance, so the FDA won’t be able to impose more security restrictions on them.

I’m not really sure of the answer to this problem of wearable security. However, I think two steps in the right direction are possible. First, health wearable companies could build a culture of security into their company and their product. This will add a little bit of expense on the front end, but it will more than pay off on the back end when they avoid security issues that could literally leave the company in financial ruin. Second, we could use some organization to take on the effort of reporting on the security (or lack thereof) of these devices. I’m not sure if this is a Consumer Reports type organization or a media company. However, I think the idea of someone holding organizations accountable is important.

We’re definitely heading towards a world of many connected devices. I don’t think we have a clear picture yet of what this means from a security perspective.