Integrating Consumer Health with Smart Devices: A need to Weave Privacy and Cybersecurity into the Technology Fabric

By Kevin Littlefiled

Patients are becoming more involved in managing their personal health with the assistance of consumer health products that augment personal healthcare management capabilities. Consumer health technology have expanded from personal fitness tracking to now include a broader set of capabilities which include weight scales, imaging devices, glucose meters, electrocardiogram solutions, diagnostic tools and others that integrate these peripherals with mobile and smart home devices allowing interaction with remote physicians. The Internet of Things (IoT) has come to home healthcare driven by consumer demand, however cybersecurity and privacy controls remain discretionary by product manufacturers and patients themselves. Technology convergence may expose and amplify risks that have already been seen in non-health related smart devices. While integration and interoperability may improve the healthcare landscape by facilitating access to health resources and compelling patient involvement in healthcare management, challenges remain. Patient treatment courses are driven by the data, and should that data be altered by malicious actors, misdiagnosis or improper treatments may undermine patient safety.

Consumer healthcare technology plays a role in bridging a healthcare accessibility gap. According to a Pew Research Center report, 96% of Americans have a cell phone, with 81% owning a smart phone device . National Public Radio and Edison Research recently released a report showing 53 million Americans own a smart speaker device, with ownership rates nearly doubling between 2017 and 2018 . The nation’s rollout of 5G telecommunications technology promises to extend high speed Internet access, which may further catalyze the home use of IoT across the U.S. These factors set a foundation for rapid telehealth adoption.

While patients have embraced healthcare and IoT technologies, and Internet providers, consumer electronics manufacturers and software developers strive to meet the demand, privacy and cybersecurity for consumers has lagged. Healthcare regulation has been focused on healthcare delivery organizations, insurers and their business associates. The US Food and Drug Administration (FDA) has been vocal on securing medical devices used in hospitals. But attention to consumer healthcare products has been discretionary.

IoT devices are hackable . Vulnerabilities in communications protocols ranging from ZigBee, Bluetooth, and WiFi have been shown to have vulnerabilities that have allowed malicious actors to discover access passwords to home networks, compromise devices, and use devices as pivot points to launch large-scale denial of service attacks against other entities. Devices have also been found to be susceptible to high frequency audio attacks as well as line of sight attacks using lasers. While sophisticated attack vectors continuously emerge, even basic security controls such as authentication methods have not been enabled in smart speakers. These threat types have been found in automated home technologies. The foundational technologies that enable the automated home will power consumer healthcare devices.

Consumer personal health devices coupled with telehealth improves the healthcare landscape, acting as a force multiplier especially in rural and underserved areas and potentially containing the ever-increasing cost of healthcare. However, as consumer technology enters into the healthcare delivery supply chain, the patient needs to be equipped with capabilities that have privacy and cybersecurity measures built into the fundamental technology fabric.

    1. Mobile Fact Sheet. Available: https://www.pewinternet.org/fact-sheet/mobile/
    2. The Smart Audio Report. Available: https://www.nationalpublicmedia.com/wp-content/uploads/2019/06/The_Smart_Audio_Report_Spring_2019.pdf
    3. https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8267-draft.pdf

Kevin LittlefieldKevin Littlefiled

The MITRE Corporation
klittlefield@mitre.org