Securing Medical and Wellness Data

Karthik Ranjan
July 27, 2016

Your health data is one of the most important pieces of data that is personal and confidential to you. With the advent of sensor innovations, many more devices are gathering this data: fitness bands, smartwatches, even your phone counting your steps automatically without you having to do anything. This is only the beginning. We are starting to see innovations in medical and wellness monitoring from all sorts of devices, from toothbrushes that can detect cancer to patches you wear that monitor UV exposure or hydration. Innovations in microfluidic technologies are enabling analysis of your blood, sweat, and urine at price points where it can reach consumers’ hands in both developed and developing countries.

This data, if used correctly, will keep us more informed of what’s happening inside and outside our bodies, and alert us with the right information at the right time to make informed decisions. Taking it one step further, mobile and cloud platforms can enable a holistic system of health to inform our trusted family/friend circle about changes in health to help individuals make the right lifestyle choices. It will also help caregivers know the right time to intervene, potentially staving off a more severe condition.

Unfortunately, as with any technological innovation, it can also have potential malicious uses resulting in substantial financial and social consequences:

  • Insurance providers could use the data to increase premiums or cancel policies
  • Informed employers may choose healthier candidates (to keep costs down)
  • Dating applications could add medical filters

But how is the data handled from the moment it is created at the source? Is it guarded all the way from the sensor to the phone to the cloud? What happens to your data in the cloud? Is it shared with third parties? Have you read the Terms and Conditions for each of your digital devices to understand the answers to these questions? In this blog, we will address some of the basic vulnerabilities of data as it travels from sensor->phone->cloud, explore a method to safeguard it, and talk about some of the initiatives taking place to help safeguard our health data.

Threats and hacks

There are two threat vectors that we will address in this video:

  1. Screen Scrape Attacks

  2. BLE attacks

Screen scrape attacks leverage the ability to “record” the frame buffer of the screen of a device to steal the data as an app renders to the screen. This technique has been used to steal everything from passwords to high value video content.

Today the majority of medical and wellness devices utilize Bluetooth LE to communicate between the sensor and use the phone as the “gateway” to go to the cloud. A large number of these devices tend to rely solely on Bluetooth link layer encryption. This presents a vulnerability in that data can be stolen at the “application layer” while it’s in motion on the phone or gateway itself. The video below demonstrates this threat.

Protecting medical and wellness data using Arm TrustZone-based TEE

Trusted execution environments (TEEs), for example from Trustonic or Sequitur Labs, provide a secure environment alongside a Rich OS like Android to run trusted code. They can be found in hundreds of thousands of mobile phones already in the market today, with that number increasing as services like payment, premium content, and enterprise BYOD increase. The idea here is simple: we encrypt data from the sensor at the application layer, so even after the BLE link layer has decrypted and handed over the payload, the data is still encrypted and stays encrypted until it lands in the TEE, where it is decrypted, rendered, validated, then sent onward to the healthcare provider cloud, keeping the data secure even when it’s in motion on the phone.
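The flow described above, as an added Go example that is not code from the original post or from any TEE vendor: the sensor seals each reading with an AEAD before it goes over BLE, the gateway app only ever handles the opaque frame, and the trusted application authenticates and decrypts it. AES-GCM, the frame layout, the per-device counter used for replay rejection, and all function and device names are assumptions made for this illustration; key provisioning between sensor and TEE is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// newAEAD builds AES-GCM from the key shared by the sensor and the trusted app (provisioning assumed).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func nonceFor(counter uint64) []byte {
	n := make([]byte, 12) // 96-bit GCM nonce from the counter; it must never repeat under one key
	binary.BigEndian.PutUint64(n[4:], counter)
	return n
}

// SensorSeal runs on the sensor. Frame (constructed layout) = counter(8) || ciphertext+tag.
func SensorSeal(g cipher.AEAD, deviceID string, counter uint64, reading []byte) []byte {
	n := nonceFor(counter)
	return g.Seal(append([]byte(nil), n[4:]...), n, reading, []byte(deviceID))
}

// TEEOpen runs in the trusted application: replay check, then authenticate and decrypt.
func TEEOpen(g cipher.AEAD, deviceID string, last uint64, frame []byte) ([]byte, uint64, error) {
	if len(frame) < 8 || binary.BigEndian.Uint64(frame) <= last {
		return nil, last, fmt.Errorf("truncated, replayed or stale frame")
	}
	counter := binary.BigEndian.Uint64(frame)
	reading, err := g.Open(nil, nonceFor(counter), frame[8:], []byte(deviceID))
	if err != nil {
		return nil, last, fmt.Errorf("authentication failed")
	}
	return reading, counter, nil
}

func main() {
	g, _ := newAEAD(make([]byte, 32)) // constructed all-zero demo key
	frame := SensorSeal(g, "patch-01", 1, []byte("HR=72"))
	reading, _, err := TEEOpen(g, "patch-01", 0, frame)
	fmt.Printf("gateway sees %x; TEE recovers %q (err=%v)\n", frame, reading, err)
}
```

Because the device ID is bound in as associated data and the counter feeds the nonce, a frame that is modified, replayed, or presented for a different device fails in `TEEOpen` instead of yielding a reading.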

Data ownership: privacy by default

We have so far discussed some of the technical vulnerabilities associated with your medical data as it transitions from sensor to phone to cloud, but what about the policies which govern how your data is handled and who is held responsible if your data is breached?

There are many entities looking at this very complex problem, which combines both liability and accountability for loss or misuse of data. The two references provided below start to shed some light on the industry and governmental thinking behind how to make patient privacy front and center and to ensure protection and proper use of the personal medical and fitness data gathered. This is a rapidly evolving area and I'm excited to watch it unfold!

References

1. Every Step You Fake: A Comparative Analysis of Fitness Tracker Privacy and Security

2. European Union mHealth code of conduct

  • jackiehong
    jackiehong over 8 years ago

    Hi Desiree,

    Thanks and look forward to seeing his suggestion.

    Br,

    Jackie

  • Desiree Joplin
    Desiree Joplin over 8 years ago

    Hi Jackie,

    Thanks for your comment. Karthik is at a partner meeting for the next few days so please look for a response from him early next week.

    Desiree

  • jackiehong
    jackiehong over 8 years ago

    Hi Karthik,

    It's impressive to see your demo.

    I would like to perform the same demo for our customers in Taiwan.

    Could you please share device name & flighlight name with me?

    Thanks.

    Br,

    Jackie
