Mobile healthcare, telemedicine, telehealth, BYOD

Policy News

Best Practices to Follow for Internet of Things Security

By Vera Gruessner

- Mobile security and privacy protocols are vital when it comes to the Internet of Things space, which is why the Online Trust Alliance (OTA) published a draft trust framework specifically for Internet of Things devices that entails specific best practices for data privacy and protection manufacturers should follow.

Internet of Things Devices

According to a company press release, this trust framework could pose as the building blocks of a certification program among manufacturers of Internet of Things devices. To learn more about the trust framework from OTA, mHealthIntelligence.com interviewed Craig Spiezle, Executive Director and President of the Online Trust Alliance.

mHealthIntelligence.com: “Could you give me a background on what your trust framework for Internet of Things (IoT) devices will likely include and which product types it will cover?”             

Craig Spiezle: “By design, we as a working group are focusing on two big areas today. Wearable technologies focus primarily on health and fitness and connected smart home devices. The reason for the focus is due to the amount of personal sensitive data and the number of products on the market.”

“By design, we are not directly addressing medical devices but we think much of what we’re saying is applicable. Medical devices have to be approved by the FDA and there’s more of a process there.”

READ MORE: How Patient Demographics Affect mHealth Tool Usability

“We’re really focusing on the intersection of the security of the device and the data. When it comes to the security of the device, we identify how it can be compromised. For security of the data, we answer – how secure is it on the device? How secure is it in transit? How secure is the application that supports it? How secure is the backend service?”

“The third area is sustainability and lifecycle of the product. What happens if that company discontinues the product? What happens to your data? What happens if there’s a vulnerability? We look at those three big areas.”

mHealthIntelligence.com: “What are some best practices for product privacy and security you would suggest?”

Craig Spiezle: “With best practice, we are very concerned that in health and fitness, companies are rushing to market and not necessarily thinking about the sensitivity of the data they’re collecting.”

“For best practice, we tell everyone ‘Be thinking about every data attribute you’re collecting today and collecting tomorrow and how you’re going to secure that.’ The second part is – for the consumer, does the user know you’re collecting that?”

READ MORE: WHO Creates mHealth Adoption Research Standards Guide

“We believe in making security best practices a forethought versus an afterthought. It’s important to make everyone in your organization – whether web developer or hardware specialist – consider the security and privacy implications today and down the road.”

“One of the specifics that is very concerning is – does the consumer understand this prior to purchase? In acquiring these products and services, are they being informed or are companies relying on the old privacy policies? Is that sufficient in this day and age?”

“That was acceptable on the typical mobile app for a game, but now as you’re collecting personal sensitive information related to one’s fitness, is that the right way of getting disclosure and consent? Should this be on the product packaging? Should this be in product literature? How are we communicating? These are the things that we’re trying to raise questions on to help companies. In general, companies want to do the right thing but they lack today that framework on what to do to protect data.”

mHealthIntelligence.com: “In what ways do Internet of Things devices put consumer information at risk of data breaches?”

Craig Spiezle: “Data breaches is one area in which we know that no one is immune. We need to recognize that, in reality, as an entity, if you collect data, you’ll probably have some type of breach or loss incidence. That’s a reality. We then have to say – how are you going to secure that data? How are you going to help prevent it from getting compromised? How are you going to check it? How are you going to remediate it as it happens?”

READ MORE: mHealth Management Tools Sought by Younger Diabetic Patients

“In other words, you need to have a thorough plan in advance to mitigate the impact of a breach. As you think about the sensitivity of someone’s health information, how can that be used against them? It could be perhaps used against someone in a certain way. The bar has been raised based on these sensitive issues.”

mHealthIntelligence.com: “How can manufacturers and healthcare organizations work toward improving interoperability of medical technologies while at the same time minimizing privacy and security risks?”

Craig Spiezle: “This question goes back into the ecosystem of the supply chain. The manufacturer is only as strong as the weakest link of the product. If there are protocols that allow one device to connect to another, you’re now looking at not only the security of your device, but the security of everyone else’s device in that ecosystem.”

“We’re also pushing for better data sharing among the ecosystem. Banks are a good example. Banks recognize that they are constantly being compromised on a daily basis. They’ve learned how to share information from one bank to another. One institution may see something attacking an app and will then let their competitor banks know.”

“That’s going on in many sectors today. One of the things that we want to see is how can we share information. One observation from one company can be that canary in the mine that can help the rest. We have lots of innovation and lots of products out on the market and we’re able to leverage each other’s data, but are we really thinking about the inherent risk with Internet connectivity?”

mHealthIntelligence.com: “What’s next on the horizon for OTA?  I understand you are soliciting public comments.”

Craig Spiezle: “We are asking for comments from the public and private sectors including academia and device manufactures to comment by September 14th.  The goal is for the working group to review every submission for possible inclusion in the framework and to roll out a release before the end of the year.   Details and info on submitting comments and joining the working group is posted at https://otalliance.org/IoT.”

 

X

Join 20,000 of your peers

Sign up for our free newsletter to keep reading our articles:

Get free access to webcasts, white papers and exclusive interviews.

Our privacy policy

no, thanks