Securing Wearable Device Data

1. Published byMedical Expo. Open access. Interviewed byGuyRamsay. Access link: http://medicalexpo.com/emag/5/ Securing Wearable Device Data Seyedmostafa Safavi*, Zarina Shukur Unit of Cyber Security, Faculty of Information Science and Technology, Universiti Kebangsaan Malaysia,43600 Bangi, Malaysia Abstract: With the Sony Entertainment hacks, data security has become an issue in the press and a headache for database administrators. Sensitive data generated by wearable devices are presumably no exception. Are there any particular security concerns with data from wearable devices? Are doctors doing enough to protect patient data? We asked Doctor Seyedmostafa Safavi, an associate fellow at the Cyber Security Unit at the National University of Malaysia and co-author of a recent review on the subject to elaborate. Keywords: Internet of Things, cyber-crime, information network attacks, data breaches, Hyper-Connectivity Society, Act on Promotion of Information and Communication Network Utilization and Information Protection , Direct Hacking , Internet-Connected Device , Data Breaches , Security Threats . Just how sensitive is data from wearable devices? SS. We categorize this as trespassing on the user’s privacy. Any negative personal information exposed on the Internet is at best only embarrassing. For example insurance companies might refuse insurance if they knew you were in poor health. Or a health product business might be in trouble if its founder was ill and that was leaked. Of all the stakeholders involved in data from wearable devices, is there a weak link? SS. Weak links emerge where the focus has been on making features faster, lighter or cheaper at the expense of standardization and security. Security matters also need to be considered, as well as price and benefits. Is the risk of hacking wearable devices greater at the local, wireless level or at the cellular connectivity level? SS. The risk emerges when application developer or device manufacturer didn’t or wouldn’t consider the possibilty of a security breach. So there is a risk at both levels, both locally and regionally. Complete data encryption, and using secure connectivity protocols, like VPN built into the device can ensure safer data transmission[1]. What should doctors be aware of when patents offer data from wearable devices? SS. Doctors have to be careful with data collection. They need to ensure that the data has been recorded in standard manner and that the device has been certified for accuracy. What can doctors do to ensure greater security of patient data? SS. If the hospital or clinic has an Information Security Management System (ISMS) doctors should adhere to that framework. If not, we would recommend a security

2. Published byMedical Expo. Open access. Interviewed byGuyRamsay. Access link: http://medicalexpo.com/emag/5/ awareness course. In general, the basic thing that doctors can do is to update their applications regularly, and to not share their user-IDs or passwords[2]. What degree of responsibility do doctors have for the protection of confidential data? SS. When we talk about confidential data, it can be digital or it can be non-digital. Both are confidential. You cannot just throw printed patient data into the dustbin. For the same reason you shouldn’t be able to copy patient data onto a USB drive. A systematic process must be in place, starting with the data collection. If ISMS is practiced in the hospital, doctors should find out about it. Our advice to doctors is to ensure that security is updated, to employ firewalls and antivirus applications, and that the server must be designed and impleted with proper protections, both from online hacking and from unauthorised physical access. What are the security certification requirements that cover data from wearable devices? SS. Since we are focusing on information privacy for wearable devices, we would recommend adhering to the Markle Common Framework guidelines. Are the private clinical database-hosting services doing enough to ensure security? SS. In my opinion they are doing their best to prevent security flaws, but to have proper practices in place for security and privacy in the healthcare industry requires an end-to- end risk management process. This includes risk assessment – a determination of the organization’s level of acceptable risk – and then deciding what controls must be implemented to reduce that risk to an acceptable level. In addition, they have to monitor, measure, and report compliance to security and privacy standards[3]. What guidelines should software developers and database administrators follow for better security? SS. Firstly, there are the technical controls: firewalls, VPN for patient connectivity and biometric authentication services. Secondly, developers should check for policy flaws and design errors during the developmental stage – to prevent software vulnerabilities and human error factors, as well as correcting hostile code and misconfigurations. Solving these security issues requires ongoing awareness training, implementing appropriate policies and standards, and doing audits. A background check of the personnel involved is also a good idea. We suggest that software developers follow the Secure Software Development Life Cycle (SSDLC) standards. Although I don’t believe they always do because if they had, we wouldn’t have had half of the attacks at the moment that are resulting in personal information being leaked.

3. Published byMedical Expo. Open access. Interviewed byGuyRamsay. Access link: http://medicalexpo.com/emag/5/ Links: Cyber Security Unit, National Universityof Malaysia: http://www.ukm.my/ftsm/cybersecurity.php PLOS One paper: http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0114306 Markle Common Framework: http://www.markle.org/health/markle-common-framework References: 1. Safavi, Seyedmostafa, and Zarina Shukur. "Improving Google glass security and privacy by changing the physical and software structure." Life Science Journal 11.5 (2014): 109-117. 2. Safavi, Seyedmostafa, Zarina Shukur, and Rozilawati Razali. "Reviews on Cybercrime Affecting Portable Devices." Procedia Technology 11 (2013): 650-657. 3. Safavi, Seyedmostafa, and Zarina Shukur. "Conceptual privacy framework for health information on wearable device." PloS one 9, no. 12 (2014): e114306.