Wearable medical devices are expected to have a major impact on the healthcare sector, but, before that can happen, the supply chain must be able to handle the security risks.
OEMs and suppliers certainly have a lot to gain if they can meet market demands for medical wearables. The devices are expected, for example, to allow patients to have constant access to their complete health records. In this way, patients can share information in real-time with physicians, insurance companies, and other parties. Massive volumes of data transferred from wearables could be a goldmine of valuable information for researchers and clinicians.
These applications are expected to stoke demand on a massive scale. According to analyst firm Mordor Intelligence, worldwide revenues of wearable medical devices are expected to explode from $2.8 billion in 2014 to $8.3 billion in 2019.
But as is the case when any kind of personal data is shared, security risks exist whenever data is transferred over networks and when third parties store the information on their databases. The data stored on the device will also need to be protected.
Indeed, if the forecasts hold true, there will be a staggering quantity of data to protect, which is especially sensitive since it likely will involve personal healthcare records of millions of patients.
Here are a few things supply chain professionals will need to keep in mind as medical wearables see wide-scale launch.
Lock Down the Device
Information transferred from wearable medical devices to databases poses the least threat. This is because the data will largely consist of incomplete information about the patient at the moment the wearable transfers it. Individual data points about blood pressure, glucose levels, or other specific health-related information usually do not pose a significant threat if a hacker intercepts them one at a time.
“[Data thieves] are probably not going to want or need only a portion of your medical information that is coming off wearables, such as heart rate, calorie intake, or oxygenation in the blood,” said Mick Coady, principal, U.S. health services for PricewaterhouseCoopers (PwC). “What is the relevance of it being associated with your name and your record in totality that could be used to commit fraud or identity theft?”
But the aggregate of this data that wearables might save and store on the device is obviously something that will need to be protected.
“Medical devices have been hacked and remotely controlled in the past, which again raises the concern of usage security and device-system integrity,” Madhav Nair, an analyst for Mordor Intelligence, said.
OEMs will thus likely add capabilities to their medical wearables so that the devices' information can be wiped remotely if they are lost or stolen. The stored data will also need to be encrypted, which calls for very stringent component selection, since electronic devices can be purchased that already have security holes. To patch security holes once wearables are already in the channel, the devices should be remotely updatable.
Protecting data stored on the devices is something that OEMs and their suppliers throughout the supply chain will need to be involved with, said Nair. This means that suppliers, distributors, OEMs, and even after-sales services will have to play a part in developing or maintaining data protection for wearable medical devices. “The number of parties that need to be involved in the supply chain is high,” Nair said.
Complete personal medical records represent a potentially lucrative target for data thieves as well as for those who want to purchase them for marketing purposes. Indeed, databases managed by a healthcare service or insurance company that contain detailed medical history and identity information uploaded from wearables are of value to both data thieves and marketing firms. “It is your name and record in totality that is of value,” said Coady.
For the OEM, data privacy, and more specifically data ownership, will become a concern, especially regarding which party is held accountable if the data is stolen or brokered. The OEMs will need to determine, for example, “whether the device maker or the storage provider for the data the device transfers to the server is liable,” said Nair.
The good news is that existing laws, mandates, and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should largely cover the encryption of data transfer and storage for wearable medical devices. Third parties that will store the medical data transferred from the devices that OEMs sell should also have had a few years of experience storing sensitive information before they can be relied on to handle data uploaded from possibly millions of wearable medical devices.
“Physicians and insurance companies have had a few years to become compliant and to abide by the laws in place, etc.,” said Coady. “So while wearables are a new technology that consumers are adopting, the parties storing the information have had a few years under their belt to properly store the data in a reasonably secure way that is compliant with existing laws, mandates, and regulations.”
Eventually, third-party medical service providers and consumers will likely accept the security threat the devices pose on a massive scale, provided, of course, that suppliers, vendors, healthcare providers, and other parties involved can demonstrate that they can reasonably protect the data, as mentioned above.
“I think that like other data risks we encounter in the financial and employment worlds, we will be willing to trade off these risks for the benefits we are likely to accrue,” said Greg Caressi, senior vice president of healthcare and life sciences for Frost and Sullivan. “Most wearable and telehealth solutions involve major gains for the individual in insight into their health, enable them to better self-manage their health, and add in the value of convenience that the brick-and-mortar healthcare world does not provide.”