5 Steps to Cope with Medical Wearables—the Next HIPAA Battleground
The Internet of Things and advances in communications are fueling a revolution in healthcare that presents wondrous opportunities to improve both healthcare and create new businesses, says Dr. Chris Furmanski, director of innovation & technology at Stanford Health Care.
Devices that communicate what’s going on in your body—like cyber birth-control pills or implanted devices that talk to smartphone apps—are at the heart of these systems. They have the potential to save lives and improve the quality of healthcare.
Wearables Challenge Security and Compliance
But as recent attendees at an 8x8-hosted San Jose conference on “wearables” and other healthcare innovation also learned, these promising new devices could turn into information security nightmares.
If those devices aren’t secure, and the information they send is compromised, the potential for harm is huge. Nobody wants people eavesdropping on text messages sent to doctors from within their bodies, so HIPAA and other security and compliance standards are critical when it comes to wearables. And of course, nobody wants Homeland-style hackable pacemakers and insulin pumps.
How to Design Security and Compliance into New Innovations
A huge part of securing these wearables is in secure coding and code designs. Here, it helps immensely if security is designed into the system, not bolted on later as an afterthought.
5 Steps to More Secure Coding
There are no panaceas—neither in healthcare or nor in coding—but following these secure steps is key to designing secure, HIPAA-compliant systems:
- Use secure development methodologies such as the Open Web Application Security Project’s, available at owasp.org.
- Scan code under development statically to look for insecure code, and scan executable code dynamically to look for problems that could breach security in running systems.
- Work with secure-coding tool companies—like Veracode, IBM and HP—that specialize in helping coders code securely.
- Ensure that all your third-parties meet your minimum security and coding standards, and can provide you with third-party verified compliance with standards such as such as FISMA or ISO 27001.
- Look into using third-parties that can provide cost effective software development kits (SDKs) that enable secure installation in insecure devices such as smart phones. These companies create a secure cocoon in which the application can run, even in insecure smartphone environment.
They provide software development kits (SDKs) that instantiate HTTPS/TLS data-in-motion (essentially while being transmitted from place to place) and AES 256 for data at rest (stored data). Some of these SDKs even come with a software-based Intrusion Protection System that notifies users of attacks against applications under development.
These steps go a long way toward securing your code. Remember, when it comes to security, no system is totally un-hackable, but by taking some common-sense steps, you can often become more trouble to hack than you’re worth, and hackers decide to look elsewhere for easier victims.