A consultation with a doctor is widely imagined to be a very private affair; most take place behind a closed door, or a line of curtain. Patient confidentiality has also been considered the responsibility of the doctor since Hippocrates, but now, the ability to share information beyond a single doctor is often essential to provide continued treatment. Whether it is used to ensure a prescription can be picked up from a new location or to access life-saving expertise, this new pooling of patient data also poses an increased risk of loss, theft, or manipulation – making its security paramount. This article explores the interplay between cybersecurity with the healthcare sector, particularly in regards to medical trackers within the Internet of Things (IoT).
“And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets..”
– from the Hippocratic Oath, the earliest expression of medical ethics in the Western world
What is the Internet of Things?
The Internet of Things describes the consistently expanding range of devices within our homes, offices, and streets – each equipped with sensors, electronics, and software that allow them to share and exchange information. By 2020 it is estimated that there will be around 30 billion IoT devices active around the world. Increasingly, the IoT also includes our medical data. Healthcare organisations use laptops, mobile devices, and specialised instruments for measuring and inputting medical information – spreading sensitive material across several devices. On top of this, the increasing interest in wellness and monitoring means that many millions of us now wear devices on our bodies able to track our health independently.
What’s so special about medical data?
While the importance of safeguarding personal data is well documented, medical data poses its own unique challenges. Firstly, it isn’t static; the health of a human body changes constantly and the data recorded must match. Whether this is documenting a change of address every few decades or, in the case of vital signs, minute fluctuations taken every few seconds – the data must be recorded and structured accordingly.
Secondly, this data has a long shelf-life, which isn’t limited to the length of an illness, or even to the life of the patient. Anonymised data is also used for research projects, reconsidered in the light of new medical advancements and assessed as part of performance benchmarking. As such, stewardship and curation are just as important as the initial storage. This also means that the volume of medical data is constantly increasing, posing challenges of how it should be stored (remotely, on a data cloud, or in a hybrid approach), which has financial, spatial, and security implications.
Finally, sharing patient data requires all storage systems to be ‘interoperable’, where data is transferred, read, and altered seamlessly between different facilities, departments, and professional bodies. This connectivity has major advantages for both efficiency and cost-effectiveness, so much so that Thales (2018) estimates that 96% of global health organisations are using IoT technologies. The most common examples are internet-connected heart-rate monitors, implantable defibrillators, and insulin pumps.
Despite these advantages, interconnectivity can open up devices to vulnerabilities. Earlier last month, for example, a data breach due to a coding error affected 150,000 patients in England, exposing confidential healthcare data. Similar incidents have happened in the United States, Australia, and Singapore since January 2018 alone. In their 2018 report, Thales noted that only 30% of global healthcare organisations have avoided a security breach, and 39% have had one within the last year.
The Fitness Tracker boom and its implications
Healthcare data is also no longer just the preserve of medical professionals. Due to the rising trend for bio-tracking, citizens can now view, record, and monitor a variety of different health indicators. This is no minor trend; as of February 2018, 25.4 million people were active FitBit users and over a quarter of US adults under 45 regularly used a smartphone app to track their fitness in 2017. While public interest and awareness of their personal health can only be beneficial, there are accompanying security risks. The data leak from fitness app Strava in January this year – which exposed the location of US military training bases by mapping popular running routes – shows that storing even seemingly ‘harmless’ health data can have significant consequences.
Nevertheless, citizen-led ‘health-hacking’ has had some fascinating success stories, such as the open-source diabetes monitoring group NightScout, which use open-source technology to make it easier for those affected by diabetes to monitor their own or their loved ones’ glucose data. Nightscout adapts existing medical technologies for everyday convenience – sending live blood glucose data to smartwatches and smartphones.
Understanding the cause
An instinctive response to the idea of a cybersecurity threat is to call for greater levels of technical security – stronger firewalls, for example, and more widespread encryption. However, as with many engineering problems, the issue lies not with the capability of the equipment, but with the capability of the users. A recent report on 2018 data breaches in Australia found that human error was responsible for 59% of the breaches within healthcare, with providers sending information to the wrong people as the leading cause.
In a harried situation, particularly in a healthcare context, the immediate needs of the patient can take priority over the security of their data. The slow process of ensuring adequate training and vigilance for handling data often presents problems in the face of rapid, evolving, and changing medical records, treatments, and illnesses.
An essential part of engineering in any sector is uniting technological capabilities with (often fallible) human practice. Healthcare is no exception. This month explores the many ways that the Internet of Things interacts with our security and with our healthcare. What innovative solutions have you seen that address these challenges, and are there further elements that this article does not cover? Let us know on Twitter.