The Cyber Security Issues of Connected Devices in Data-Driven Cities

By Khahlil A. Louisy and Fredrik Heiding • June 26, 2023

The concept of smart cities has gained traction in the past several years, with many urban centers adopting advanced technologies and utilizing data from connected devices to enhance the efficiency, sustainability, and health of their citizens. A key element of smart cities is the collection and transmission of vast amounts of data which is then used to inform decision-making. For example, data from Internet of Things (IoT) devices and sensors programmed to detect toxic chemicals and the presence and levels of certain compounds in the atmosphere and water supplies can offer valuable insight into public health trends, risks, and threats, because they provide real-time information. However, using these devices also presents significant cybersecurity risks as many IoT devices have poor cybersecurity standards.

Research has found severe vulnerabilities that allow cyberattackers to gain access to connected devices and steal, erase, or manipulate the data they collect. As cities become more reliant on connected devices and the data they generate, it is crucial to address these risks before they are exploited. This article will focus on the concerns around using smart city data for health decision-making, in particular the classification of data from connected devices. In the United States, data from most IoT devices are currently classified as consumer data, which lacks the level of protection offered by regulations safeguarding individual health data. The evolution of the data presents a significant challenge, and one that requires urgent resolution, because the data is not protected. For example, a log of location data extracted from an individual’s mobile phone and used for contact tracing would not be classified as health data under existing regulations even though it was used in health practice. Consequently, anyone may use that data in unintended or unethical ways.

Examples of Cities Using Connected Devices to Monitor Health Data

Several cities around the world use both fixed and mobile sensor nodes, including citizen devices and existing digital infrastructure, to collect data and make decisions. Mass surveillance systems were central in monitoring the movement of people during the COVID-19 pandemic. In Bengaluru, India, Command Control Centers (ICCC) were used to monitor citizen adherence to lockdown measures and to track crowds during the COVID-19 pandemic. They also used Closed Circuit Television (CCTV) cameras to transmit live feeds of the movements of people. In both cases, these technologies and connected devices were used to enforce compliance with lockdown restrictions. Also, in Mangaluru, India, Android-based Geographic Information Systems (GIS)-tagged tablets are used to tackle malaria at the city level.

In the city of Pisa, Italy, the Smart Healthy Environment Project (SHE) designed and deployed Information and Communication Technologies (ICT) solutions to monitor environmental conditions using a series of both fixed and mobile sensor nodes capable of measuring environmental parameters. In the United States, many cities are moving towards becoming “smart” by using data from continuously monitoring connected devices to make decisions about health and safety. For example, the city of Dallas uses a system of smart water monitoring devices, and New York City has several initiatives that include both water and wastewater management technologies. In San Jose, California, the main “Smart City” initiative is to use air quality and climate sensors to monitor the quality of the atmosphere in the city.

Need for Reclassification of IoT Data Applied to Health Practice

As is often the case, the speed of technological innovation far outpaces the law. Data from many connected and wearable devices are currently classified as consumer data under U.S. regulations, making data from everyday devices like smartwatches, smart home appliances and other wearable devices easy for companies to obtain and use as they see fit, even in instances where the data is used for health purposes. For example, data from Google’s Fitbit and Apple’s Smart Watches can be used to monitor changes to the wearer's health status and monitor menstrual cycles, sleep patterns, and heart rates.

US Congressman Bill Cassidy introduced the SMARTWATCH (Stop Marketing And Revealing the Wearables And Trackers Consumer Health) Data Act in 2021, which would protect the privacy of personal health data from wearable devices like Fitbit and Apple Watch. However, that piece of legislation has not progressed since and has only won the support of one other bipartisan member of Congress.

Security Problems in IoT Devices

When designing IT systems in critical societal functions, such as healthcare, developers typically focus on safety (maintaining operability) rather than security (resisting digital attacks). This made sense, as the systems of each industry were isolated environments. Consequently, these systems tend to be highly operable with rigorous backup routines to remain functional even during severe crises like a tornado or an earthquake. Older devices are often excellent at ensuring structural stability and operability. They usually have less complexity than modern systems and we know precisely how they work and what they do. In short, we trust them. Therefore, it is still possible to find heavily outdated systems, such as Windows XP computers, in modern hospitals and power plants. From a safety perspective, they are great, but for security, they are a disaster.

In the modern technical landscape, it is nearly impossible to operate in an isolated environment. Cities are moving towards a systems-of-systems concept, where everything is connected in complex patterns of dependencies. The increased connectivity exposes organizations to cyberattacks from all around the world. Thus, if the transition to high connectivity and technical dependency is not meticulously planned, digital weaknesses are likely to occur, and bad actors will exploit these vulnerabilities. This is true for industries, private households, and society. Unfortunately, transitions are rarely smooth, a fact that is reflected in the number of cyberattacks worldwide. For example, when analyzing attacks targeting healthcare organizations in the last ten years, the number of physical attacks (requiring an attacker to physically break into the complex) has reduced drastically, while hacking attacks (an attacker who accesses the organization remotely via its connected devices) have increased significantly.

The situation is further complicated by the sheer number of IoT devices. Industrial connectivity is often implemented on large scales, meaning a substantial increase in devices. With so many devices, it is hard to ensure that every unit is secure. Furthermore, the devices can be produced in other countries or might contain components produced in other countries, which is specified as a significant cybersecurity risk by the U.S.-China Economic and Security Review Commission's treaty on US supply chain vulnerabilities and resilience (pages 133-134). Related research has found many vulnerabilities in connected devices, including permanent and persistent backdoors (hidden information channels that leak the data collected by the device) or poor security protocols (making it easy to access the device without authentication).

Implications for the Health Sector

Due to this rapidly increased connectivity, cyberattacks are proliferating. Health data is a common target, including personal devices using health data and organizations from the health sector. In 2020, a German hospital was struck by a cyberattack that rendered the organization's data inaccessible (ransomware). A woman suffering from an aortic aneurysm required immediate relocation to continue her treatment but died in transit. The attack could have been avoided if proper cybersecurity routines had been applied. Unfortunately, similar attacks are common and becoming even more frequent. From 2005 to 2009, cyberattacks exposed 13 million health records in the US. Between 2010 and 2014, 78 million records were exposed, and between 2015 and 2019, 157 million. Today, more than 50 million US health data records are exposed annually. The average health sector data breach cost is estimated at $10 million (2023).

A 2021 study by Proofpoint and the Ponemon Institute found that mortality rates increased in roughly 150 out of 600 healthcare facilities surveyed following a ransomware attack (a cyberattack in which hackers lock or encrypt networks and other critical software applications and then demand payment to regain access). Data from the CyberPeace Institute revealed that there had been 501 cyberattacks on health systems across 43 countries. These attacks place enormous stress on already overburdened and, in many cases, fragile healthcare systems.

The distinction between commercial and health IoT has become thin. Smartphones and other IoT devices change how we use, store, and interact with data. Modern users expect to access services and information anywhere, at any time. As a result, the Internet of Medical Things (IoMT) is proliferating as medical devices are connected in almost every part of society. In addition, online-based health centers are increasingly popular and often contain application-based interfaces, sometimes allowing integrations and data sharing with third-party applications. Old paradigms for data storage and classification must be revised and updated to match modern use cases.

Regardless of how or where the healthcare data is collected, it differs from other types of user data. Manipulation of health data does not only cause organizational and monetary concerns; it can also endanger citizens and facilitate biological warfare from foreign nations. In medicine, manipulated healthcare data can sabotage operations and cause erroneous treatments. For example, stolen medical information can be used to obtain the medication prescribed to a patient or falsify insurance claims. In extreme cases, healthcare data can inform attackers about critical medical conditions or sabotage operations (such as exploiting lethal allergies). Sensitive medical data, such as information on sexual diseases or abortions, can be used to blackmail individuals or damage their reputations. The latter concern is especially relevant in today's political landscape.

Due to the sensitive nature of healthcare data, it ought to be treated with greater care than other types of user data. The Health Insurance Portability and Accountability Act (HIPAA) addresses these issues and provides guidelines, such as requiring entities to implement physical, technical, and administrative safeguards to protect health data records and requiring adequate notification routines if a breach occurs. Yet we need to ensure that all health data are correctly classified to be protected by the act.

Conclusion and Recommendations

Health data is changing. It has become easier to access for users, easier to collect for manufacturers, and far more widespread than can be contained only in traditional healthcare sectors. Smartphones and other connected devices let users (organizations, cities, and private individuals) collect vast amounts of data and read the results in real-time. Due to the increased connectivity of modern cities, and the changing demands of modern users, it is unfeasible to stop or halt the transformation of health data. Instead, we must embrace the changes and take appropriate measures to ensure health data remains protected. Two immediate and significant steps are needed to protect health data in connected cities:

  1. Reclassify user data from connected devices to health data, rather than consumer data, wherever appropriate.
  2. Ensure HIPAA and other health data regulations are amended to include improving cybersecurity awareness of the employees and clients handling health data.

Reclassification is essential to ensure that all types of health data are given the protection they require. We must analyze the different kinds of health data carefully to understand where, how, and by whom it is used and where, how, and by whom the data is collected. When the guidelines are updated and the affected data are correctly classified, we must ensure that the guidelines are implemented and followed. Modern technical systems have high complexity, multiple dependencies, and often function in a black box paradigm, where users only understand a small part of the system without understanding the underlying mechanics. This creates an excellent environment for vulnerabilities, one that is exploited by cybercriminals who know that users are often the weakest part of security. As modern health data are also present in personal devices, institutional cyber training alone is insufficient. We must improve cyber awareness of all citizens in our increasingly connected societies.

About the Author

Fredrik Heiding

Fredrik Heiding is a research fellow at Harvard John A. Paulson School of Engineering and Applied Sciences (SEAS), pursuing a Ph.D. in electrical engineering from the Royal Institute of Technology, Sweden. In 2022, Fredrik got media attention for hacking the King of Sweden and the Swedish European Commissioner (the hacks were, of course, conducted after consent had been given). Fredrik has recently published three research articles on ethical hacking and is currently analyzing Darknet marketplaces to find malware targeting the 100 most common IoT devices from US smart cities. Lastly, he is investigating how to automate his previous hacks using GPT-4, and how to automate phishing and spearphishing attacks using GPT-4.

About the Author

Khahlil A. Louisy

Khahlil is a Senior Data-Smart Fellow at the Data-Smart City Solutions program at The Bloomberg Center for Cities at Harvard University and a former Technology & Human Rights Fellow at the Carr Center for Human Rights Policy at the Harvard Kennedy School. Khahlil is an applied economist focused on issues of public and global health, economic development, and technology and innovation. His work centers on the development and application of technologies for public purpose, while researching their implications for issues of inequality, health outcomes, and human rights. He is the former Head of Global Implementation at PathCheck Foundation - an organization founded at the Massachusetts Institute of Technology (MIT) to develop novel technologies in response to health emergencies. He currently serves as President of the Institute for Technology and Global Health and Co-Head of AI and Technology for Public Health - Outbreaks, within the joint World Health Organization (WHO) and International Telecommunications Union (ITU) initiative on Artificial Intelligence for Health. His work has spanned several countries globally and he remains committed to issues of equality, equity, and global poverty.