Wearables, mHealth devices will suffer if security is an afterthought

It's time, once again, to talk security for mHealth technology. Why? Because the importance of "baking in" security from the outset of a mobile healthcare technology effort doesn't seem to be taking root.

According to Verizon security analyst Suzanne Widup, security is not being put front and center, especially in relation to how data is being exchanged from patients to mHealth devices. In fact, she said in a recent discussion with Information Security Media Group, security doesn't seem to be happening much of anywhere with regard to wearables or anything that can be implanted.

"We are seeing attackers increasingly taking alternative means of getting in [to healthcare IT environments] because the direct methods are getting more secure and difficult to get through," Widup said.

As sister site FierceHealthIT has reported, bolting on security as an afterthought on healthcare technology is not viable or valuable: Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights, said as much at last month's Health Privacy Summit in the District of Columbia. Shahid Shah, earlier this year, also made a compelling market case for baking in security from the get-go, in a post for Med Device Online.

The good news is, while many mHealth device makers may be behind on shoring up security, there are some resources for igniting such efforts. One is the IEEE Cybersecurity Initiative, which, in May, addressed medical device security with a new set of software development guidelines.

And while Suzanne Schwartz, director of emergency preparedness, operations and medical countermeasures at the U.S. Food and Drug Administration, has acknowledged there is no possible way to eliminate all the risks with medical devices, she has also said that a lot can be done with some substantial strategy, starting with a quest to bake security into the design of medical devices.

"That's why everything is a risk-related decision," Schwartz said. "You're never going to eliminate all risk; you're never going to eliminate all vulnerabilities. The idea of being able to manage that risk appropriately," is the best approach, she said at an event last spring.

A report touted at the event also notes that security must be a priority from the outset of device creation. The report, developed by the Atlantic Council in conjunction with Intel Security, calls for improvements to public-private and private-private security collaborations, as well as an "evolutionary change of the regulatory approval paradigm" for medical devices.

"Adding security features to products after their initial rollout is a losing battle," the authors write. "It is simply too costly and ineffective to try to secure systems already in the possession of the end user."

Given the current disarray in healthcare from a cybersecurity standpoint, it's surprising that any company would be bold enough to develop a product without security being top of mind. - Judy (@JudyMottl and @FierceHealthIT)