Recognize What Kinds of Data Could Be Compromised
First, IoT devices connecting to a server may have access to information about an individual user. That data could be personally identifiable and could also contain information about the individual’s health, making it protected health information (PHI). If it is possible for a malicious actor to impersonate a valid device, they may be able to gain access to that data.
The first line of defense? Design your architecture so that devices only “push” data to servers, and don’t have permission to pull it. If this is not possible, choose a secure machine-to-machine (M2M) authentication pattern such as Client-Side SSL.
Beware of Malicious Firmware
Even if your server will never mistake a malicious device for one of your own, a bad actor might still be able to hijack your device by sending it a modified version of firmware over the air. This would give them access to all of the sensors collecting data from a targeted individual. To prevent this, firmware images should be cryptographically signed and verified by the device before it begins the update process.
Though they may not be essential to protecting consumer data, secure M2M authentication and firmware signing are critical to maintaining a healthy device infrastructure. Their use should be considered mandatory if a team wants to deliver a reliable product.
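The signed-firmware check described above, as an added example in Go (not code from the original article). The image layout, function names and key handling are assumptions made for illustration, and the version comparison goes beyond the text by also refusing a validly signed but older image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout (an assumption): 4-byte big-endian version | payload |
// 64-byte Ed25519 signature computed over version+payload.
const headerLen = 4
var ErrTruncated = errors.New("image too short for header and signature")
var ErrSignature = errors.New("signature does not match pinned vendor key")
var ErrRollback = errors.New("image version not newer than installed version")

// SignImage runs on the vendor build server; the private key never ships.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload))
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage runs on the device before any flash write. The signature is
// checked first; only then is the version field inside the image trusted.
func VerifyImage(pinned ed25519.PublicKey, installed uint32, image []byte) ([]byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize {
		return nil, ErrTruncated
	}
	split := len(image) - ed25519.SignatureSize
	body, sig := image[:split], image[split:]
	if !ed25519.Verify(pinned, body, sig) {
		return nil, ErrSignature
	}
	if binary.BigEndian.Uint32(body) <= installed {
		return nil, ErrRollback
	}
	return body[headerLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	img := SignImage(priv, 7, []byte("constructed firmware payload"))
	_, genuine := VerifyImage(pub, 6, img)
	img[10] ^= 0x01 // simulate modification in transit
	_, modified := VerifyImage(pub, 6, img)
	fmt.Println("genuine:", genuine, "| modified:", modified)
}
```

Only the public key needs to be stored on the device, so a compromised unit does not give anyone the ability to sign images.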
Communicate Clearly with Consumers
Both consumers and producers of wearable devices should be aware of the implications of how data is used. Everyone should be clear about how the data will and will not be leveraged by the producers and their business customers.
Another consideration for IoT data is whether or not companies will use consumer data for algorithmic decision-making. For instance, a large producer of wearable technology might sell data to health insurance companies for the purpose of providing “discounts.” Consumers should be aware of this kind of activity. (It's already happening in the auto insurance industry.)
What Data Should Be Protected for HIPAA IoT Compliance?
Current HIPAA rules do not require wearables manufacturers to comply unless the data is being shared with a healthcare professional. If a wearable is not listed as HIPAA compliant, there may not be anything to worry about. Just make sure the company encrypts data where necessary, gives you the authority to delete your data, and is clear about its use. Plenty of companies follow excellent data security practices but are not HIPAA compliant because the law doesn’t require it.
On the other hand, the biggest risk to consumers for non-HIPAA compliant data may be insurance companies. As mentioned above, insurers may access PHI without users’ consent through a lucrative deal with a wearables manufacturer.
In this event, the GDPR would require full, clear disclosure of this fact. However, as mentioned, GDPR is currently only in effect for citizens of the EU. Other laws, including those in the US, are much less explicit for now.
Only You Can Prevent Security Breaches
How can brands offer privacy and security benefits to consumers in the wake of increasingly common security breaches?
Almost all security breaches stem from a failure to implement very standard encryption and security protocols in the proper places. The weakness of all security protocols, though, is human error.
In some data breaches, all encryption protocols were followed properly. However, individuals mistakenly left an encryption key in an easily accessible place. This renders the encryption methods useless.
In addition to documenting their data encryption strategies, companies should adopt and document proper procedures for handling and storing encryption keys. This will ensure that the keys don’t fall into the wrong hands.
As hackers get more sophisticated and brands explore what they can do with data, IoT developers have to stay current on security rules. If you’re looking for a team that can help you with that, get in touch with us today.