IoT Security and Medical Devices
The Internet of Things (IoT) enables medical devices to communicate with the masses of hungry consumers wherever they may be located. The RxPense medication management and remote patient monitoring system takes that one step further. The RxPense allows other IoT devices, like health and fitness sensors, to consolidate their data with the patient's prescription compliance information to present a unique view of medication compliance and health vitals. Considered PHI (Protected Health Information), this sensitive data must be protected in compliance with HIPAA in the USA, and PHIPA and PIPEDA in Canada, to ensure not only security but also that privacy is maintained.
For example, to be HIPAA-compliant, an app or device needs to come with a number of safety features, including ones that enable users to keep their data secure, recover the information if it’s lost and delete their personal health information at any time if needed.
This level of security includes data encryption, firewalling and authentication schemes that are well known and understood. However, an all-inclusive, compliant security policy and procedure must also encompass additional business requirements and personnel screening. But let’s just consider physical security for the moment.
We know that, on the Web, user names and passwords, two-factor authentication and other schemes are prevalent. But what about physical security? How can we protect a medical device and better prevent unauthorized access? How can we prevent theft of medications or malicious access by others, possibly around the world, attempting to hack into an IoT device? With connectivity comes responsibility.
User authentication schemes on a physical device may include those commonly used for the web, but because you are physically near and can touch the device, additional security methods are possible. On the RxPense, for example, when it is time to access one’s medications, we accept a PIN code and an NFC swipe from an authorized NFC tag. You would simply tap the tag near the trademarked icon. Since each tag is pre-registered to an authorized user, and we have the ability to snap a photo of the individual at the time of access, security is strong. The RxPense can also require secondary authentication such as an NFC swipe + fingerprint or PIN. Other biometric security controls are possible, but as with any commercial product, we must balance security, need and convenience.
Near Field Communication (NFC) is a standards-based short-range wireless connectivity technology that makes life easier and more convenient for consumers around the world by making it simpler to make transactions, exchange digital content, and connect electronic devices with a touch. NFC is compatible with hundreds of millions of contactless cards and readers already deployed worldwide. – NFC Forum.
The device itself must be physically locked, completely preventing those without authentication from accessing the contents. With NFC, which supports data security at multiple levels, we can assign roles to each tag. For example, a patient has different rights than a caregiver or delivery person. A physician or health care provider has different access rights from those of a support technician. The ultimate goal is to allow access only to the device, and to each of its features and functions, as appropriate for the user requiring access.
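
The PIN plus NFC tag check and the per-tag roles described above can be sketched as a deny-by-default authorization routine. This is an added example, not RxPense code: the role names follow the text, while the action names, tag IDs, PINs and the three-attempt lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed role-to-action table; the action names are assumptions.
ROLE_ACTIONS = {
    "patient": {"dispense"},
    "caregiver": {"dispense", "view_history"},
    "delivery": {"refill"},
    "technician": {"diagnostics"},
}
MAX_FAILURES = 3  # assumed lockout threshold per tag

def _pin_hash(pin, salt):
    # Slow salted hash: short PINs must never be stored in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def register_tag(registry, tag_uid, user, role, pin):
    if role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role: {role}")
    salt = os.urandom(16)
    registry[tag_uid] = {"user": user, "role": role, "salt": salt,
                         "pin": _pin_hash(pin, salt), "failures": 0}

def authorize(registry, audit, tag_uid, pin, action):
    """Allow only if the tag is registered, the PIN matches, and the role permits the action."""
    entry = registry.get(tag_uid)  # tag ID is an identifier only; the PIN is the secret
    if entry is None:
        decision = "deny:unknown_tag"
    elif entry["failures"] >= MAX_FAILURES:
        decision = "deny:locked"
    elif not hmac.compare_digest(_pin_hash(pin, entry["salt"]), entry["pin"]):
        entry["failures"] += 1
        decision = "deny:bad_pin"
    else:
        entry["failures"] = 0
        allowed = action in ROLE_ACTIONS[entry["role"]]
        decision = "allow" if allowed else "deny:role"
    # Every attempt, allowed or denied, is recorded for later review.
    audit.append((tag_uid, entry["user"] if entry else None, action, decision))
    return decision == "allow"

def demo():
    registry, audit = {}, []
    register_tag(registry, "04A1B2C3", "alice", "patient", "4821")  # constructed data
    register_tag(registry, "04D4E5F6", "dan", "delivery", "7730")   # constructed data
    attempts = [("04A1B2C3", "4821"), ("04D4E5F6", "7730"), ("04FFFFFF", "0000")]
    results = [authorize(registry, audit, t, p, "dispense") for t, p in attempts]
    return results, [decision for *_, decision in audit]
```

Calling `demo()` shows the patient tag dispensing, the delivery tag refused by role, and the unregistered tag refused outright, with all three attempts in the audit list.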
According to the NFC Forum, 38.5 billion connected devices are expected by 2020. The RxPense is only one of them, but we take security seriously.