Apple, Fitbit, and Samsung are pre-qualified under an FDA fast-track regulatory approval process for digital healthcare devices. Find out why this pilot program is ringing IoT security alarm bells.
The Internet of Things (IoT) is a significant part of the unstructured big data intake at healthcare organizations. It's paramount to secure the input from healthcare IoT devices to maintain data privacy and prevent data breaches. A recent decision by the FDA will make it more complicated for big data custodians at healthcare institutions to keep pace with all of the IoT devices used in those settings and ensure that data the devices transmit is secure.
The FDA announced in July 2017 that it would fast track the regulatory approval process for digital healthcare devices by evaluating the companies behind the solutions instead of the actual solutions. Under the proposal, pre-certified companies will not need to provide the same level of pre-market data for each new digital health product, with some "low-risk" tools not needing any pre-market data at all. Among the companies that are initially pre-qualified under the proposed fast track program are Apple, Fitbit, and Samsung.
The goal is to allow companies to develop their technologies more rapidly while avoiding the FDA's standard application and approval process, which can take 3-7 years from concept to market. Plus, it allows new healthcare technologies to become available to the public faster, while reducing the time and cost associated with development.
However, the program presents new risks in the areas of device and data security.
"These risks fall into three main categories," said Antwanye Ford, CEO of Enlightened, a provider of cybersecurity and public safety solutions. "One is compatibility, because if different companies are creating different sensors to track things like heart rate, motion, blood oxygen, and glucose, these tools may work on different protocols and therefore not be compatible to work with other sensors to comprehensively provide data to healthcare providers. A second is unknown vulnerabilities, because cybersecurity tends to be an afterthought during the research and development of new devices, which leads to vulnerabilities that can potentially result in data breaches of patients' private health records. The third is healthcare risks, because if a company is wrong about its assumptions about how a device will interact with the human body, it could result in serious injury."
Today, these risks are mitigated in three ways: protocols are standardized so that devices are interoperable; manufacturers and sites test for data breaches through penetration testing and peer reviews of devices; and healthcare risks are checked through a robust process that establishes what effects new devices have on the human body. Many of these checkpoint functions could become risk areas if Fast Track is implemented.
What healthcare providers and companies can do
"One step that companies and healthcare providers could take, assuming Fast Track is implemented, is a cyber validation process that would provide a method such that devices and systems can be certified by an independent assessor to meet Cyber-Security standards," said Ford. "Standards like NIST 800-53 and NIST 800-171 could be adapted to meet critical requirements for certification. The implementation of this Fast Track Cyber-Certification process would ensure that devices and systems going through the Fast Track process are secure from Cyber threats and ready to be placed on the open market."
Ford believes that a "Fast Track Cyber Validation" process could be adopted within 3-6 months in a pilot phase, with full adoption within 9-12 months. But will companies pursue this?
"There are companies that don't want to see the Fast Track Process impeded with bureaucracy," Ford acknowledged. "Overcoming these barriers can be accomplished by demonstrating the value proposition of a safe device (e.g., marketing acceptance, safety factors), while allowing standards boards such as NIST to work in parallel with a pilot program."
3 steps IT leaders and big data pros can take
It remains to be seen whether device manufacturers will pursue a Cyber Validation Process for Fast Track. This leaves big data custodians and IT managers at healthcare institutions with the task of rethinking their security measures for incoming IoT data as the flurry of new devices in the marketplace continues.
"The best step companies can take is to ensure that they have a maintenance agreement in place where they have access to all of the device manufacturer's maintenance activities," said Ford. "Companies with a robust cyber program may periodically issue a patch to secure a 'hole' in the device's infrastructure."
Another step that healthcare IT can take is requiring vendors to conform to the healthcare organization's own internal security and governance standards, especially if a pending contract is large.
Finally, connection points into the enterprise should be checked.
"Today, many cyberattacks occur because of an insecure connection point to a secure network, introducing a pathway for the cyber threat," said Ford. "It's like implementing a security system in your house, but not securing the basement entrance."