There are now more things connected to the Internet than people on the planet, and the number is growing rapidly:...
within five years, according to Strategy Analytics, there will be four devices for every person. The Internet that once consisted of only computers, smartphones and tablets, now includes connected blood pressure monitors, smoke detectors and washing machines. Experts predict this trend will only continue, doubling the number of devices over the next five years. That's a tremendous number of devices, generating a tremendous amount of data.
Where will all this data go? How will individuals and service providers protect the confidentiality, integrity and availability of sensitive information generated by the Internet of Things (IoT)? What about when that data includes personal health information? The staff of the Federal Trade Commission (FTC) tackled these questions in a workshop and released its findings in a report entitled, Internet of Things: Privacy and Security in a Connected World.
What is the Internet of Things?
While IoT is a fairly recent buzzword, it embodies a trend that has emerged over the past ten years. Everyday objects now connect to the Internet to send and receive data on a routine basis. Companies offer WiFi-enabled slow cookers, sprinkler systems and light bulbs. IoT promises to transform the world, facilitating the automation of everyday tasks and enabling data analysis on a massive scale.
One of the most promising areas of IoT development lies in healthcare benefits. Many individuals now use personal fitness trackers to collect information on their physical activity. Blood pressure monitors, blood glucose monitors and scales all collect health-related vital signs and upload them to cloud servers for tracking and analysis. These new devices and services promise to offer wonderful health benefits, but also introduce concerns about the security of IoT and the privacy of users.
Security and privacy risks in an IoT world
What risks do we face when we use IoT to store, process and transmit health information? The FTC workshop explored this issue in detail and identified three categories of risk that require attention from security and privacy professionals. These risks are quite similar to those traditionally found with Internet-connected devices, but using them for health and safety purposes introduces new concerns.
First, IoT may enable unauthorized access and misuse of personal information. Vulnerabilities in an IoT device, a cloud service or the communications channels between them may allow external parties access to sensitive information. In the case of health-related devices, the private health information of individuals may be exposed for intruders or the world to see.
Second, IoT devices may facilitate attacks on other systems. It is often difficult to apply security patches to non-interactive devices, which may leave them open to security vulnerabilities. If an intruder compromises an IoT device, they may use it to gain a foothold on a network and launch attacks against other systems containing sensitive information.
Finally, in the worst case, IoT devices may create risks to personal safety. Participants in the FTC workshop cited the example of an Internet-connected insulin pump. If attackers gained access to the pump, they could theoretically alter the amount of insulin delivered to the patient, resulting in injury or loss of life. Government officials take this threat seriously and actually altered the pacemaker implanted in then-Vice President Dick Cheney to protect against external attack.
These risks require attention and mitigation. Companies bringing IoT devices and services to the market must carefully assess the risks associated with their products and produce comprehensive security and monitoring plans to protect the confidentiality, integrity and availability of their products.
Safeguarding health data in an IoT-enabled world
The FTC report, which focuses on the privacy and security of the Internet of Things, acknowledges the complexity of IoT applications and suggests companies follow a set of best practices to protect health information. From a security perspective, organizations should conduct a risk assessment and test security measures prior to launching products. The FTC also recommends organizations practice data minimization -- limit the amount of information collected and discard it when it is no longer needed. Consumers should be provided with notice and a choice regarding data collection whenever possible. The final, and most controversial, recommendation in the report is that Congress should "enact strong, flexible and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach."
How organizations should react
What's the impact of this report on you and your organization? Not much. The report is a product from the FTC staff and is not a regulatory action. It merely raises some thought-provoking questions about the security of IoT and offers informal guidance on a path forward for protecting data. In fact, FTC Commissioner Joshua D. Wright publicly dissented from the report, saying he felt the work product was insufficiently researched for such a broad topic. "Before setting forth industry best practices and recommendations for broad-based privacy legislation relating to the Internet of Things … the Commission and its staff should, at a minimum, undertake the necessary work … to identify the potential costs and benefits of implementing such best practices and recommendations," Wright said.
Protecting the security of the Internet of Things
We have a long way to go before government and industry settle on a common standard for best practices surrounding IoT security. In the meantime, organizations handling health-related IoT data should remain vigilant and build robust security programs around that data. The standards we've used for years to protect health information apply equally to data gathered through Internet-connected devices. Use common sense and keep data safe.
About the author:
Mike Chapple, Ph. D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for SearchSecurity.com and Information Security magazine and the author of several information security books, including the CISSP Prep Guide and Information Security Illuminated.