As healthcare data begins to flow into mobile devices, mobiles are beginning to be prime targets for cyber thieves.
Christmas Day was a wash for millions of gamers who—after unwrapping their Xbox and PS3 holiday gifts—were greeted with both networks down for the count, thanks to hackers.
Unfortunately, hackers are not seasonal workers. And unlike the Grinch, they work year-round. While some target major multinational corporations, generating costs of $445 billion a year according to an Intel study, many will be targeting individuals in 2015 through their smartphones and other mobile devices.
Healthcare institutions already spend $5.6 billion per year on data security breaches, and the number is likely to keep climbing, experts say. Most of these leaks are due to the theft of easy-to-steal, data-rich laptops, but the number of savage network attacks is growing. In fact, as of summer 2014, healthcare cyberattacks were up 100% from just four years ago.
As bad as those numbers are, they could be dwarfed by mobile hacks in coming years. Mobile and connected health devices open up a new, relatively unguarded place for hackers to find and steal patient identity data. With patient identity information such as Social Security numbers, insurance data and treatment history migrating to mobile settings, and selling for 10 times what credit card numbers fetch on the street, smartphones, tablets and other mobile devices are likely to be targeted.
Mobiles are vulnerable
According to a University of California, Riverside Bourns College of Engineering study, Android phones are particularly vulnerable to a common hack that worked 92 percent of the time in the college’s laboratory.
Researchers said the attack is actually quite simple. Hackers get the smartphone user to download a “seemingly benign” app, like background wallpaper for the phone’s display. Once the app was installed, the researchers were able to exploit a side channel—the shared memory statistics of a process—which can be accessed without needing a password or special privilege. Then, boom—bye-bye private health information.
Apple mobile devices are also at risk. For some time now, researchers have warned that a bug in the iOS operating system allows intruders to access data and even control iPads and iPhones. To break into Apple phones and tablets, hackers only have to persuade users to download malware, which they do by sending users poisonous text messages, e-mail and Web links.
Even government-reviewed apps are exposed to attacks. The reality is that hackers no longer have to get into healthcare databases. They can steal private health information directly from consumers’ phones, if they have one of those FDA-approved apps installed.
And if these trends are worrying, then what went on at CES might be something to watch. According to a San Jose Mercury News report from the show, a huge range of connected health devices were on display, all of which are designed to link up and transfer data freely.
The show featured connected toothbrushes from Kolibree and Oral-B, and even a baby pacifier called Paci-fi, which is being positioned as the "world’s first Bluetooth smart pacifier." And not surprisingly, there were a large number of healthcare bands on display, like Basis Peak, which sends your pulse rate to your smartphone and to the cloud. If you’d rather keep an eye on your heart rate, body temperature, EKG and posture, then Vital Connect—a band-aid sized patch—will send all that info to your smartphone and even to your doctor.
How secure will these new devices be? It seems like nobody knows.
Can government really help?
All that data transfer to the cloud and doctors’ offices has the Federal Trade Commission more than a little worried.
According to the Mercury News piece, Federal Trade Commission Chairwoman Edith Ramirez was at the CES show, where she expressed concern that connected devices share "vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks."
In its 2011 public statement on mobile security, the FTC told legislators that it was developing a Mobile/Internet Lab, replete with technologists, attorneys and investigators. To date, however, the agency hasn’t announced any concrete results from this entity. In other words, if the FTC wants to protect consumers against mobile cyber attacks, it had better get moving.
Meanwhile, the Food and Drug Administration has more or less thrown its hands up and admitted defeat. A senior official there admits that with 500 or more mobile health applications created each month, it doesn’t have the resources to review every mobile and wellness app. As of summer 2014, the FDA had only reviewed 80 apps.
While the FDA does plan to monitor apps that are accessories to medical devices, or apps that convert a mobile device into medical devices, most commercially available apps don’t fall under its oversight.
If neither the FDA nor the FTC is taking aggressive action to monitor mobile health data security, is there any entity—public or private—that can step in and improve mobile security? At this point, none has apparently emerged.
Anne Zieger is a veteran journalist who’s been covering the U.S. healthcare scene for over 25 years. You can follow Anne on Twitter @ziegerhealth.
The nuviun blog is intended to contribute to discussion and stimulate debate on important issues in global digital health. The views are solely those of the author.