DOTMAGAZINE: What do you consider to be the most important criteria for rating the security of e-health devices?
MAIK MORGENSTERN: Well, I think there are different aspects to consider here. From the perspective of patients, it certainly is about data security and data privacy, so one should make sure that e-health devices do consider this and have high standards here. But also from the perspective of health institutions, we have to think about a whole infrastructure that e-health devices are operating in, and this infrastructure has to be functional and it has to be secured against hacker attacks. So it's not just a single device but the whole environment that needs security.
DOT: So what should care facilities, the medical profession, and end customers be aware of when they're choosing an Internet-enabled medical device?
MORGENSTERN: Well, first and foremost, it's important to consider that health data is usually very sensitive. So make yourself aware of what data is being collected, where it is stored, who has access to the data, and what happens with the data. Do you trust the involved parties and are the systems adequately secured against unauthorized third-party access? So these are all the questions that private persons, but also institutions, should ask themselves.
DOT: How can manufacturers and vendors improve the security of their e-health devices and the related digital services?
MORGENSTERN: There are different options here. As always, high cyber security standards are necessary; they are a must. So all involved systems – hardware and software – have to be secured with state-of-the-art approaches. Systems have to be kept up to date so that security updates are always installed; anti-malware software has to be used; secure configurations should be made. This is one part. But the second part which is also important is to maintain sensitive handling of the data that is being collected. This involves things like: the less data that is being collected and stored, the better. So, only collect and store data that is really required; transmit and share data only if really necessary; anonymize data if possible, and delete it when it's not required anymore.
DOT: Does AV-TEST actually assess the handling of data and the underlying systems when you do a rating of a device?
MORGENSTERN: Yes. When we look at the security of the device, we are not just checking the technical side of the device to see if encryption is applied and if it's safe against hacker attacks. We are also checking what I just said: What kind of data is being collected by the device or by the smartphone app? Where is the data stored and where is it possibly going to? And we are also looking at a privacy statement, in which a company describes what kind of data they want to process and what they want to do with this. This is also part of our assessment.
DOT: What is for you the most exciting innovation that you've seen in the area of e-health devices?
MORGENSTERN: For me, the most exciting development and innovation is that now, everybody can track their health if they want to. So this starts with fitness apps on your smartphone, which are able to record your daily activities and even measure some of your vital signs. This also involves other generic devices – such as fitness trackers and smart watches – that can do similar things, up to small scales and more specific health devices such as smart blood pressure monitors. And these devices all help single individuals to track their health on their own without the need to see a doctor for at least some specific things. I think this is a real innovation: For the first time ever, you have really good options to track some of your health data.
DOT: Would you personally make use of an e-health device or e-health service and what would influence your decision about a service?
MORGENSTERN: Yes, I would use such services and actually pretty much all of us are doing so already. In Germany, we've got health insurance cards and I guess in other countries it's similar. And these insurance cards hold data about a patient and health institutions can digitally access this data and can work with this data. And also, as mentioned before, a lot of devices that we use daily such as smartphones or smart watches do collect health-related data and I use these services and some of those devices. And if I do so, I try to make sure I understand what kind of data is being collected and stored and shared. I can't always know who gets access to the data, but I can usually get an idea of the kind of data that is being collected and I can then make my decision about whether I'm okay with third parties having access to this kind of data or not.
Maik Morgenstern has a diploma degree in Engineering and is a CEO and the Technical Director of AV-TEST GmbH. He manages the planning and implementation of new test scenarios, our technical innovations and our continuous reaction to new threats.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.