September 10, 2015 By Milan Patel 4 min read

The Internet of Things (IoT) cuts a wide swath across the technology landscape. IoT has the potential to radically modify the quality of human life. The dream was articulated as early as 1961 when MIT professor Aaron Fleisher wrote “The Influence of Technology on Urban Forms.”

“The idea that there exists in technology a potential capable of radically modifying the conditions of human existence has made prophecy a matter for general concern,” Fleisher stated. Today, predictions continue to expound on the potential and pitfalls of the IoT.

Health and Fitness Devices Lead to New Risks

Nowhere is this truer than the use of wearable devices in the health and fitness industry — from the simple fitness trackers for health enthusiasts to smart apparel that helps optimize the performance of athletes to health monitors and medical devices designed for personal and clinical use. This next era of interconnected devices has the potential to radically improve human health and fitness.

But the growing list of cybersecurity vulnerabilities in health and fitness devices pose challenging risks to patients whose privacy or health management depends on the proper functioning of these instruments. In June 2015, for example, Computerworld reported that attackers compromised medical devices such as blood gas analyzers with malware to gain access to the hospital networks.

Often, consumers are unaware of the security and privacy risks that many of these devices pose until after an event creates media waves. They expect the developers to build it right and build it secure; they assume the hospitals or doctor’s offices have the proper security controls to maintain the safety and privacy of their information. For the manufacturers of these devices, the concerns are: Will the devices be hacked and forced to perform outside of design specs? Will a virus infect the device and trigger a malfunction, thereby jeopardizing patient health? Will the data they collect about their customers be hacked and exploited by organized cybercrime gangs?

In January 2015, the Federal Trade Commission (FTC) issued guidance on privacy and security protection that should be included with the IoT, including medical devices. Addressing the security and privacy concerns associated with the usage of these devices is the key to unleashing the benefits they offer to society. It also requires a disciplined and structured approach that includes the design and development of these devices, manufacturing in a secure ecosystem and then the deployment and management of these devices, the data they produce and the actions this data drives.

Watch the on-demand webinar to learn more about securing the internet of things

Security and Privacy in Health and Fitness Devices

1. Design

When creating medical devices connected to the IoT, organizations must establish a secure hardware and software development process that includes code management, build management, automated testing, streamlined packaging and software delivery mechanisms. It should include source code analysis to identify vulnerabilities as well as security-related testing to identify runtime vulnerabilities.

Ensure integrity in the manufacturing and delivery of these devices. Establish a trusted ecosystem of suppliers and partners. Each component supplier should adopt secure design and development process to ensure no unintended malware or security bugs enter the supply chain. A trusted supply chain must include a focus on effective management of design, manufacturing, transportation, fulfillment, import and export, intellectual property management, support and maintenance.

Software delivery also applies to device firmware/software updates. As more and more software is running in a wide range of distributed devices, the need to update that software in a secure, timely and cost-effective manner also increases in importance. A secure, verifiable and audited software/firmware update is part of a secure development and deployment process.

2. Deploy

Deploying these devices in a secure way is just as important as their design. Attention should be paid to device provisioning and authentication. The deployment process should cross-authenticate both the device and the network to ensure it does not transmit confidential information to a ghost network. Similarly strong encryption should be deployed to ensure the integrity and privacy of the data on the device, in the cloud or during transmission from device to cloud.

If possible, consumers should be given access and the ability to set up user and usage privileges for their data. For example, they may want to give full viewing rights to their doctors but only reveal a subset of the information to other service providers. They should also be given the option to anonymize their data to further maintain their privacy.

All communications channels should be secured such that sensitive information is protected from observation, change or corruption. Validate input and output parameters to ensure that inadvertent command invocation or escalation of privilege is not possible.

Utilize authentication and authorization for devices, users and applications that will interact with one another as a part of the entire IoT solution. Mobile security factors into this since many of the user interfaces for health and medical applications will be surfaced via mobile devices.

3. Manage

Insert auditing and logging of both successful and unsuccessful requests for processing, and utilize monitoring and alerting technology distributed across the set of computing systems. This implies that there should be some level of audit logging and monitoring devices, networks and the cloud. Also necessary is detection of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against devices and the systems that support them.

Be attentive to availability and safety. Above all else, the system must be engineered to do no harm as a result of its connectedness. A fail-safe operation — dropping down incapability but bringing the system to a safe state — must be built into the connected device.

The future of the health and fitness industry is going to be increasingly intertwined with the growing number of mobile devices connected to the IoT. With proper security, these gadgets can deliver better medical service and reduce the costs of health care, improving quality of life for users. Taking a systemic approach to securing the devices and the data they collect will help keep the criminals at bay and allow society to radically improve its health and fitness.

More from Software Vulnerabilities

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today