BSI targets security of internet-enabled health apps
Standards for the development of health apps, published by the British Standards Institution, represent an important step in securing these vital medical devices.
Published as PAS 277:2015, “Health and wellness apps – Quality criteria across the life cycle – Code of practice”, it is designed to support developers in creating technology that can be trusted by health professionals and patients.
PAS 277 was sponsored by the UK government's technology organisation, Innovate UK, and developed with assistance from 14 healthcare and communications organisations.
As a publicly available specification, PAS 277 is not a full British Standard; the PAS route allows a specification to be developed rapidly to meet an immediate need, and it could be replaced by a British Standard at any time.
The development of increasingly complex and interconnected medical devices and apps has not always been matched by equally robust security measures. Two weeks ago, a vulnerability warning was issued by a US government department over poor security in an internet-connected drug infusion pump.
The Hospira Lifecare PCA3 infusion pump did not require authentication for Telnet sessions, allowing an attacker to gain root privileges, and its wireless encryption keys were stored in plain text, which would have allowed an attacker to access the Life Critical Network and control other connected devices.
However, it should be noted that PAS 277 does not address this scenario, either in its guidance or its table of example risks, focusing mainly on issues around data privacy.
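The two weaknesses described above (an unauthenticated Telnet service and wireless keys kept in plain text) are the kind of thing a hospital security team can check for from the outside, without any vendor cooperation. The following is an added example, not code from the article, BSI, Hospira or any vendor: it audits constructed connection-log lines for Telnet sessions reaching known medical-device hosts, and audits a constructed device configuration for the same two defects. The log line format, the configuration keys (`telnet_enabled`, `telnet_auth_required`, `wlan_psk_storage`) and the device host list are hypothetical and exist only to make the example runnable.

```python
"""Defensive audit for unauthenticated Telnet and plaintext wireless keys.

Added example (not part of the original article). The log format and the
configuration keys below are hypothetical; adapt them to the real device
and firewall export you are working with.
"""
import re
from dataclasses import dataclass

# Constructed sample of firewall/flow log lines (hypothetical key=value format).
SAMPLE_CONNECTION_LOG = """\
2015-05-20T10:01:12Z src=10.20.5.17 dst=10.30.1.44 dport=23 proto=tcp auth=none
2015-05-20T10:01:15Z src=10.20.5.17 dst=10.30.1.44 dport=443 proto=tcp auth=tls
2015-05-20T10:02:01Z src=10.30.1.9 dst=10.30.1.45 dport=23 proto=tcp auth=password
2015-05-20T10:03:44Z src=10.20.5.18 dst=10.30.1.46 dport=22 proto=tcp auth=pubkey
"""

# Constructed device configuration snippet (hypothetical key=value format).
SAMPLE_DEVICE_CONFIG = """\
device_name=infusion-pump-44
telnet_enabled=yes
telnet_auth_required=no
wlan_ssid=LifeCriticalNet
wlan_psk=ConstructedExampleKey
wlan_psk_storage=plaintext
"""

# Constructed inventory: hosts on the medical-device VLAN (assumed values).
MEDICAL_DEVICE_HOSTS = {"10.30.1.44", "10.30.1.45", "10.30.1.46"}

LOG_LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) auth=(?P<auth>\w+)"
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" or "high"
    host: str
    detail: str


def audit_connection_log(log_text, device_hosts):
    """Flag Telnet (TCP/23) sessions that reach a known medical device.

    Telnet is a cleartext protocol, so any session is rated "high"; a session
    the log marks as having no authentication at all is rated "critical".
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["dst"] not in device_hosts:
            continue  # unparseable line or not a device we care about
        if m["dport"] != "23":
            continue  # only Telnet is in scope for this check
        if m["auth"] == "none":
            findings.append(Finding("critical", m["dst"],
                                    f"unauthenticated Telnet session from {m['src']}"))
        else:
            findings.append(Finding("high", m["dst"],
                                    f"Telnet (cleartext) session from {m['src']}"))
    return findings


def parse_config(text):
    """Parse simple key=value lines, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_device_config(config_text):
    """Flag Telnet without authentication and wireless keys stored in plain text."""
    cfg = parse_config(config_text)
    host = cfg.get("device_name", "unknown-device")
    findings = []
    if cfg.get("telnet_enabled") == "yes":
        if cfg.get("telnet_auth_required") != "yes":
            findings.append(Finding("critical", host,
                                    "Telnet enabled without authentication"))
        else:
            findings.append(Finding("high", host, "Telnet enabled (cleartext protocol)"))
    # Treat a missing storage setting as plaintext: assume the worst until proven otherwise.
    if cfg.get("wlan_psk") and cfg.get("wlan_psk_storage", "plaintext") == "plaintext":
        findings.append(Finding("high", host, "wireless key stored in plain text"))
    return findings


def severity_counts(findings):
    """Summarise a list of findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    all_findings = (audit_connection_log(SAMPLE_CONNECTION_LOG, MEDICAL_DEVICE_HOSTS)
                    + audit_device_config(SAMPLE_DEVICE_CONFIG))
    for f in all_findings:
        print(f"[{f.severity.upper()}] {f.host}: {f.detail}")
    print(severity_counts(all_findings))
```

On the constructed input the log audit reports the unauthenticated session to 10.30.1.44 as critical and the password-protected Telnet session to 10.30.1.45 as high (Telnet remains cleartext even with a password), while the SSH and HTTPS sessions are ignored; the configuration audit reports both of the defects described in the article. The design choice worth noting is the default in the plaintext-key check: when a device does not say how it stores the key, the audit assumes plain text rather than silently passing it.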
By developing increasingly sophisticated apps and medical devices, the health industry is opening itself as a target for hackers, according to Intel Security.
“We've witnessed various examples of security vulnerabilities, such as app developers transmitting unencrypted health-related user data across international borders,” said Raj Samani, CTO EMEA, Intel Security. “The British Standards Institution's launch of guidelines for developers is an important first step, but beyond ensuring these companies make users aware of the security risks involved with their devices, we're still a long way off making sure sensitive health-related data is kept secure.”