Scarcely a day passes when we don’t hear about some new electronic gadget designed to make our lives more productive, convenient, healthy, or entertaining.
Take Google Glass, for example. Google’s new wearable computer is among the current crop of technologies that may sound like science fiction, but they present real privacy risks. Here are a few developments that healthcare privacy professionals and organizations should be thinking about now.
A BYOD privacy challenge
Depending on whom you ask, the recently announced Google Glass is either every geek’s dream or a scheme to turn ordinary people into “surveillance cyborgs.” The first release of Google’s wearable computer, shaped like a pair of eyeglasses, can respond to voice commands to compose emails, shoot and transmit photos and video, perform Internet searches, and get directions. The limited functionality of the device may limit its adoption in the near future, but the potential is there for hackers to see everything the wearer does, turning unwitting innocents into spies to stealing passwords, door entry codes, financial, medical, and other personal information. Today, Google Glass is designed to provide personal entertainment and convenience, but just like tablets and smartphones, this heads-up computing technology is sure to make its way into the medical work environment, adding to the challenges of maintaining security in a bring your own device environment.
Multiplying mobile risks
Google Glass is not the only cutting-edge technology creating privacy and security risks. The dangers of mobile computing, in fact, lie not only in the devices, but in the applications they run and the data they generate; both are expanding exponentially. In 2013, almost 40 percent of worldwide phone sales were smartphones, and by January 2013, iOS and Android users had downloaded more than 80 billion applications, many of them capable of sophisticated data gathering. A recent article in the Wall Street Journal reports that corporate mobile and web applications can collect and analyze everything from camera type and geolocation of posted photos to “vibration information” that can extrapolate whether the user is travelling in a car.
In the future, medical applications may be designed to take advantage of these sophisticated data-gathering capabilities. (Wouldn’t it be interesting to do a remote sleep study using vibration information to find out whether a patient snores?) But just as with heart monitors and other medical devices, healthcare organizations will need to plan for security in the transmission, storage, and use of these potentially massive amounts and new kinds of data. They will also need to make their patients aware that would-be thieves may be behind “free” applications, and to provide consumer guidelines for the safety of personal devices that may be used for medical purposes.
The ‘bottom’ line on privacy
Experts are already evaluating the privacy risks of implantable devices such as heart monitors. The privacy concerns of mobile medical devices have now extended from the heart to the derriere. According to The New York Times, a start-up named Pixie Scientific has developed a diaper that the company says can detect possible urinary tract infections, kidney dysfunctions, and dehydration, accompanied by a smartphone app that can transmit the information to a physician. In this case, the diaper simply incorporates test strips that analyze the diaper’s contents, then a caregiver photographs the test strips and transmits the image to a healthcare provider, so the security of the information is more a function of the smart phone client application than the diaper itself, but the article also mentions several more communications-capable “quantified self products,” including shirts that measure and transmit biometric data, all of which raise medical privacy concerns for consumers and for healthcare organizations that gather this data. (The diaper is initially being marketed for infants, but it could no doubt be used for adult patients in the future.)
Never underestimate the power of a hacker
At this point, you may be thinking: “There’s no way that criminals would take the trouble to steal all this obscure medical data.” Well, based on the stories I see and hear, you can never underestimate the creativity of data thieves. A recent blog post by security expert Brian Krebs shows just how creative cyber-attackers can be. Annoyed at Krebs’ data security evangelism, a Russian hacker known as “Flycracker” organized an online campaign to raise money, buy heroin online, and have it delivered by mail to Krebs, and notify the police in order to frame him. Krebs was able to track the plot and notify the police before the heroin arrived, but the story illustrates how resourcefulness, cohesiveness, and determined these criminal networks really are.
A positive outcome
Enough of the dire warnings. Here’s an uplifting idea that may be good for your organization and for someone who has served our country: A new non-profit organization is offering military veterans and wounded service members a free six-month security training and certification program to help them find private sector employment and to provide security experts to meet the ever-increasing need.
Related articles:
6 steps to health information superiority
Is ICD-10 triggering an IT vendor conundrum?
Q&A: HHS CTO Bryan Sivak on disrupting government culture
