The most commonly used protocol for transferring data from wearable devices used for remote patient monitoring contains 33 vulnerabilities, according to Russian cyber-security company Kaspersky.

The figure includes 18 critical vulnerabilities found in 2021 alone. That is ten more critical vulnerabilities than in 2020, and many of them remain unpatched. Some of these vulnerabilities give attackers the potential to intercept data being sent online from the device.

The ongoing pandemic has led to a rapid digitalisation of the healthcare sector. With hospitals and healthcare staff overwhelmed, and many people quarantined at home, organisations have been forced to rethink how patient care is delivered. Recent Kaspersky research found that 91% of global healthcare providers have implemented telehealth capabilities. However, this rapid digitalisation has created new security risks, especially when it comes to patient data.

Part of telehealth includes remote patient monitoring, which is done using wearable devices and monitors. These include gadgets that can continuously, or at intervals, track a patient’s health indicators, such as cardiac activity.

The MQTT protocol is the most common protocol for transmitting data from wearable devices and sensors because it’s easy and convenient. That’s why it can be found not only in wearable devices, but also in almost any smart gadget.

Unfortunately, when using MQTT, authentication is completely optional and rarely includes encryption. This makes MQTT highly susceptible to man-in-the middle attacks (when attackers can place themselves between two parties while they communicate), meaning any data transferred over the internet could potentially be stolen. When it comes to wearable devices, that information could include highly sensitive medical data, personal information and even a person’s movements.

Since 2014, 90 vulnerabilities in MQTT have been discovered, including those that are critical, many of which remain unpatched to this day. In 2021, there were 33 newly discovered vulnerabilities, including 18 critical ones, ten more than in 2020. All these vulnerabilities put patients at risk of having their data stolen.

Kaspersky researchers found vulnerabilities not only in the MQTT protocol, but also in one of the most popular platforms for wearable devices – the Qualcomm Snapdragon wearable platform. There have been more than 400 vulnerabilities found since the platform was launched. Not all have been patched, including some from 2020.

Qualcomm has been asked for its views on this but at the time of writing had not responded.

Most wearable devices track both health data and location and movements. This opens up the possibility of not just stealing data but also potentially stalking.

“The pandemic has led to a sharp growth in the telehealth market, and this doesn’t just involve communicating with your doctor via video software,” said Maria Namestnikova, head of the global research and analysis team at Kaspersky. “We’re talking about a whole range of complex, rapidly evolving technologies and products, including specialised applications, wearable devices, implantable sensors and cloud-based databases. However, many hospitals are still using untested third-party services to store patient data, and vulnerabilities in healthcare wearable devices and sensors remain open. Before implementing such devices, learn as much as you can about their level of security to keep the data of your company and your patients safe.”

Kaspersky is a cybersecurity and digital privacy company founded in 1997. More than 400 million users are protected by Kaspersky technologies and it helps 240,000 corporate clients.