Do Wearable Devices in Hospitals Pose Security Threats?

Apr 21, 2015

By Aleksandr Peterso

www.physiciansnews.com

Wearable tech has painted itself as the future of innovation for many different industries, but perhaps most notably for healthcare. Even now, wearable devices are seeing increased use at care facilities to track patient status, reduce response times, and improve care coordination. But wearable technology is still a new trend (even for consumers), and many have expressed concerns about privacy and security that may halt adoption.

The stakes are particularly high for healthcare—an industry that’s taken some of the biggest blows from cybercrime in recent years. According to a study by cloud security broker Bitglass, almost half of all U.S. data breaches in 2014 involved healthcare providers, and the information stolen was up to 50 times more valuable than credit card data. A separate estimate by the Ponemon Institute valued the total cost of medical identity theft in 2013 at $12 billion.

But the more specific question remains: Do wearable devices make healthcare facilities less safe?

Security and Privacy

The concerns about wearables in healthcare are part of a larger concern involving the so-called Internet of Things (IoT), which refers to physical objects that exchange information through the Internet. According to the Federal Trade Commission, the IoT is comprised of 25 billion devices worldwide, outnumbering humans roughly 3-to-1.

In a basic sense, more devices do mean more vulnerability. As Cisco expressed in their 2015 Annual Security Report, “Anything connected to a network presents an attack surface to exploit.” There’s also the fact that wearable devices—especially medical ones—track and record detailed information about a person’s movements, location, vital signs, and even their identity. From glucose monitors to patient movement sensors, fetal monitoring systems, or the much-hyped BioPatch, in-hospital wearables tend to raise eyebrows around two primary security questions:

  • How much personal information can the devices access and store?
  • How vulnerable are these devices to hacking?

Regarding the first question, many thought leaders (including Edith Ramirez, chairwoman of the FTC) allege that wearable innovation is happening so fast that developers are giving more attention to consumer fads than to data privacy measures. A 2014 PricewaterhouseCoopers survey revealed that over 80 percent of wearable users are concerned about privacy invasions, and an estimated 52 percent of “quantified self” applications have no official privacy policy. What kind of patient data do the wearables in your hospital store? Or perhaps a better question is: what data do they need to store? Date of birth? GPS location? Social Security number?

When it comes to wearable device vulnerabilities, opinions vary. Some say that security threats are exaggerated, while others hold a crucifix at arm’s length. At the 2014 DEFCON conference, security researchers demonstrated the evident weaknesses of wearable health devices by hacking into attendee health trackers and extracting personal health data, usernames, passwords, and other information. Other evidence also points to vulnerabilities such as generally loose or non-existent authentication methods designed to allow easy access, or the fact that few health wearables are designed with enterprise-grade security in mind.

While nurses are using medical software to remotely monitor a patient’s vital signs, a hacker could be stealing that patient’s medical data from an unknown access point, especially if the data is not encrypted. Some healthcare CIOs are also concerned about the Conficker worm, which was responsible for 31 percent of last year’s top IT threats.

The Advantages of Wearables

There’s no denying that medical IoT devices bring uncertainty—new, complicated data handoff patterns, more information being exchanged through the airwaves via Bluetooth and wireless, not to mention wearables that go home with patients to monitor chronic illnesses or recovery periods. But for as many potential threats as wearables pose, they also offer numerous advantages:

  • Solving the problem of limited patient mobility: Instead of being connected to stationary machines and constrained to a hospital bed, patients can move about the facility during their stay. For example, during labor and delivery, nurses can continue to monitor fetal signs while the mother walks laps to speed dilation or ease pain.
  • Helping ensure patients are attended to in a timely manner: The Chino Valley Medical Center in southern California uses remote patient monitoring devices to calculate when a patient needs to be turned to prevent pressure ulcers. Use of the sensors has increased compliance with internal protocols from 64 percent to 98 percent.
  • Keeping patients from being disturbed for manual checks: Instead of sending nurses in every two to four hours, thus awakening ill or frail patients for routine checks, a medical-grade wearable device (such as Zephyr’s BioPatch) can transmit vital signs and other information to a nearby nurse’s station.
  • Providing tools for remote monitoring of in-home care: A notable example would be the wearable Cardiac Telemedicine System developed by two doctors at Sathyabama University in India. The device is a modified electrocardiogram (ECG) recorder linked to the user’s cell phone. If it detects imminent heart failure, the device will send an SMS message to the nearest hospital. Researchers are also working to incorporate GPS technology into the system so patients can be easily located.

Closing Thoughts

So, do wearable devices in hospitals pose security risks? Yes. Inasmuch as they add to the number of connected devices in a hospital’s network, they multiply existing vulnerabilities. But do they make hospitals less safe? Perhaps, but they certainly don’t have to.

Healthcare CIOs should take calculated steps to ensure their facility’s security measures protect against packet-capturing programs and rogue access points, and that wearable devices, nurse stations, and proprietary systems are protected with passwords and encryption. Biometric identification is a strong barrier as well. With these measures and a stringent use policy in place, patients and doctors can enjoy the advantages of safe, data-driven care that’s more responsive and less intrusive.