Feb 22, 2021

WSO2 launch consent tool for patient data

Leila Hawkins
WSO2's consent management tool speeds up compliance and gives people more control over their healthcare data...

Open source technology company WSO2 have launched a new consent management tool, aiming to simplify compliance rules and give patients more control over their data. 

WSO2’s Consent Management is a portal for gaining consent in a manner consistent with US regulatory requirements and Fast Healthcare Interoperability Resources (FHIR) standards, the global industry standard for passing healthcare data between systems.

The new portal provides an ongoing process for requesting, collecting, enforcing and logging activity related to patient or member data acquisition and management. It's available with the latest release of WSO2 Open Healthcare, an interoperable platform for healthcare payers and insurers, healthcare providers, hospitals and pharmacies. It also integrates securely with electronic medical records (EMR) systems, health databases, and software-as-a-service (SaaS) applications. 

WSO2’s Consent Management will add the following new functionalities: 

  • Healthcare organisations working with Medicare and Medicaid can exchange health information and claims data, and share this with patients electronically and securely via an API. This ensures compliance with regulatory bodies and avoids potential fines of up to $1 million. 
  • Individuals will be able to control access to their own health information and that of the people they care for, such as children or parents. 
  • Third-party app developers can enable personalised privacy by assigning consent policies to apps, such as those running on personal fitness devices or clinicians' medical diagnostics systems. 

“The pandemic has served to accelerate the move toward digitally-enabled health and wellness services among healthcare organizations and consumers alike,” WSO2 Vice President of Solutions Architecture Mifan Careem said.

“In this context, failure to give patients control over access to their data is a costly mistake, both in terms of potential fines and lost customers. With the new FHIR-compliant Consent Management functionality in our WSO2 Open Healthcare solution, we’re lowering the technology barriers to managing consent. Now healthcare organisations can streamline their compliance in 2021 and focus on the digital innovation that will fuel their future growth.”


Jun 17, 2021

Peloton vulnerable to cyber attacks, McAfee research finds

Software security experts McAfee discovered that exercise bikes by Peloton were vulnerable to cyber attacks, a flaw the company has since resolved

Peloton's popular exercise bikes were found to be vulnerable to cyber attacks in the latest research from McAfee.

Peloton is a brand of electric bikes that combines high-end exercise equipment with cutting-edge technology. Its products use Wi-Fi to connect to a large tablet that interfaces with the components of the exercise device, and provides an easy way for physical activity enthusiasts to attend virtual workout classes over the internet several times a week.

Peloton has garnered attention recently around the privacy and security of its products. So McAfee decided to take a look for themselves and purchased a Peloton Bike+.

The problem

Researchers looked at the Android devices and uncovered a vulnerability that could allow an attacker with either physical access to the Bike+ or access at any point in the supply chain to hack into the bike’s tablet, including the camera, microphone and personal data.

For the person using it there would be no indication the Bike+ has been tampered with, potentially putting Peloton’s 16.7 million users at risk.  

The flaw was found in the Android Verified Boot (AVB) process, which normally verifies all code and data before booting. McAfee researchers were able to bypass this process and get the device to boot without that verification step.

This could potentially lead to the Android OS being compromised by an attacker who is physically present. Even worse, the attacker could boot up the Peloton with a modified credential to gain privileges, granting them access to the bike remotely. 

As the attacker never has to unlock the device to boot it up, there would be no trace of their access on the device. This type of attack could also happen at any point from construction to warehouse to delivery, by installing a backdoor into the Android tablet without the user ever knowing. 

The solution

Given the simplicity and criticality of the flaw, McAfee informed Peloton while auditing was ongoing. The vendor was sent full details, and shortly after, Peloton confirmed the issue and released a fix for it.

Further conversations between McAfee and Peloton confirmed that this vulnerability had also been present on the Peloton Tread exercise equipment.

Peloton’s Head of Global Information Security, Adrian Stone, commented on the research: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important.

“To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”
