The use of connected health devices in clinical and non-clinical settings offers both unique opportunities to positively transform health and social care, as well as multifaceted privacy and security risks. In order to strengthen the potential benefits from IoT-enabled health devices and systems and to find solutions to enhance their safety and resilience, the Royal Academy of Engineering organised an expert workshop on the 11th of July 2017 that involved representatives of the PETRAS IoT Hub.
Prof. Emil Lupu, Deputy Director of PETRAS, Dr Mike Short, Chair of the PETRAS Steering Board, and Dr Leonie Maria Tanczer, Research Associate of PETRAS’ Standards, Governance and Policy research stream, were among the participants.
In the course of the event, presentations by industry, university and National Cyber Security Centre representatives were embedded in larger debates on the opportunities, regulatory contexts, and current practices of information security in the digital health realm.
One fundamental observation that marked the beginning of the workshop was the difference between medical IoT devices used in the professional, clinical healthcare sector and wearable wellness and fitness devices used by individuals in private, home-based settings. The two fall under different regulatory frameworks, and the workshop focused primarily on the former. However, participants raised the concern that users might misunderstand such fitness apps or services as being as thoroughly vetted and tested as formal medical devices, which demands more clarity and user education.
Additionally, distinct challenges for assessing the safety and resilience of connected health devices were discussed. Industry actors and procurers mentioned the lack of specification and the limited guidance on what counts as ‘best practice’ when developing, testing, and acquiring IoT health devices. Such measures would be particularly valuable for small and medium-sized enterprises, which currently struggle to identify and meet information security requirements.
The workshop also touched upon the current regulatory context in which connected health devices are developing. Participants critiqued the absence of cybersecurity in the current medical device regulations in Europe and outlined differences in the approach to privacy, safety and security in the European Union and the United States of America.
The event ended with attendees drawing parallels with cybersecurity specifications in other sectors, such as industrial control systems, and agreeing to continue the conversation so that cyber safety and resilience of connected health devices become a reality. As the workshop is part of an ongoing study by the Royal Academy of Engineering on the cyber safety and resilience of critical national infrastructure and the IoT, tangible outcomes such as a report on the topic are expected to follow.
This article was written by Dr Leonie Maria Tanczer.