Does it really matter if medical data are secure?

  • January 15, 2021
  • Steve Rogerson

Panellists at this week’s virtual Consumer Electronics Show (CES) discussed security in healthcare. IMC executive editor Steve Rogerson reports.

Why would anyone want to hack into someone else’s health data? This is a problem that has perplexed me since the whole connected health revolution started and people began getting hot under the collar about security and privacy. Yet nobody seemed to be asking this fundamental question.

I mean, does anyone really care how Mr Brown is treating his haemorrhoids or whether Ms Smith is worried about the lump under her armpit? The answer is almost universally no. But, and it is a big but, Mr Brown and Ms Smith do not want anyone else to have that information, despite the fact nobody is interested. Plus, and it is a big plus, as we have come to discover there are people out there who like to hack stuff just for the sake of it.

As such, security and privacy have become big issues as we move towards a more connected health system. Now a year ago, few were that worried; the mhealth world was moving forward at its own pace and dealing with the security issues as it did so. Then came Covid-19, and the whole thing was forced into a period of mega-acceleration.

Doctors no longer wanted to see patients face to face if they could help it. Hospitals wanted patients who could be treated at home to do so, freeing up more beds for those seriously ill from the pandemic. And the patients themselves didn’t want to go to hospital for fear of catching coronavirus.

As such, the medical engineers have had to up their game and deal with security quickly. How they are doing this and the difficulties that are being caused were among the subjects of this week’s IoT Edge in Health in Wellness panel organised by the IMC as part of the IoT Infrastructure Partner Conference at the virtual Consumer Electronics Show (CES).

“Covid really pressed the button on this,” said Jonathan Weiss, vice president at Software AG.

A typical remote patient monitoring system has multiple vulnerabilities because the chain that takes data from a patient at home to the relevant medical professionals passes through several different systems: say, a Bluetooth connection from a wearable to a communication device, probably a mobile phone, then a cellular network, and finally the hospital’s IT network.

Scott Schwalbe, CEO of NimbeLink, said this meant the ecosystem had to be brought together to ensure each stage of the connection was secure. Scott Ellis, vice president at Telit, said there had to be a good understanding of the actual use case as well as knowledge of the local regulatory requirements. This, he said, could lead to layer upon layer of security and it was important to know what needed to be accomplished. Weiss described it as a team sport.

Also, these uses might not be short term. With some medical conditions, the set-up has to be in place for several years during which time the cellular network standards are likely to change more than once. This could mean updating the medical devices and Ellis believes it is important to have the expertise to do that in house.

Another problem, addressed by Bryan Lubel, executive vice president at Kore, is that more and more consumer devices, such as Fitbits and Apple Watches, are being used for health monitoring and are not subject to the same scrutiny as a qualified medical device. For example, while there are consumer devices now that will give a full medical-grade ECG, they are not set up to deliver information to and link up with the professional electronic health record (EHR). This means most doctors will still want to use qualified medical equipment.

Key elements in the security chain include making sure the data that leave the device are the same as those that arrive at the medical professional, and checking that, if a device goes offline and comes back on again – not an uncommon occurrence – it is still the same device.

Lubel therefore said it was important to ensure that only the people who should receive the data and can see the data were able to connect the dots and know from which patient the data were coming. And he said that as we moved forward this would become more widespread as people took an active role in their own healthcare, beyond just exercise and diet, to managing critical diseases.

Me, I am still not convinced there is a real danger but better to be ready in advance than playing catch up if security and privacy are compromised. And it means Mr Brown and Ms Smith can sleep more soundly, and that after all is probably the most important factor, because if the patients themselves don’t trust what is happening then it won’t happen. We need to convince them that their personal data will remain private.