Simply speaking, the elements that may obtain, collect, send, or process data using a computer network (the constitutive components of the IoT) may be present in all areas of human life, that is, at home, at work, during travel, and indeed, wherever humans may find themselves, the only precondition being access to a network ensuring connectivity between those devices. This is schematically presented in Fig. 2.
Fig. 2. Areas of IoT applicability
The author of the IoT probably did not anticipate the vast number of devices that would be consistent with his novel concept, which has been growing rapidly over the past years. According to Gartner’s predictions, the global sales of IoT devices are going to reach 25 billion by 2050, which means a more than eightfold increase on 2013 (approx. 3.0 billion). According to sales data from the manufacturers of mobile devices, in 2015 Apple sold 78.1 million smart devices for daily activity and vital sign monitoring, a major increase from 28.8 million the year before.9
SMART PERSONAL PROTECTIVE EQUIPMENT SYSTEMS
Smart personal protective equipment (PPE) systems have also been defined in different ways. According to the current definition by the European Committee for Standardization (CEN), these are products containing smart textiles or having built-in electronic elements to facilitate the user’s integration with the work environment. Another definition, very similar to the one above, further specifies the design and functioning of such devices as individual PPE products or sets thereof incorporating smart and/or active materials or sensors and micro-electromechanical systems enabling additional, specific functions, and especially active interaction between the user and the environment.
Thus, the definition of smart PPE systems depends not only on technological advancement, but also on assumptions concerning the materials and features that such products must possess. While the CEN’s definition mentions only “smart textiles” (a term that could be substituted, more broadly, with “active materials”), it is a critical part of the definition referring to materials or technology.
Given that smart PPE has become a familiar notion in the occupational safety and health (OSH) literature, and being aware of the evolution of its definition with scientific developments, we hereby propose the term “smart PPE systems,” which consist of personal protective products with integrated sensors and other hardware and software components enabling the transmission and storage of data from those sensors. If those data further lead to the generation of information triggering user interaction, the system should be deemed “smart.”
DATA AND INFORMATION CIRCULATION IN SMART PPE SYSTEMS
An example illustrating the circulation of data and information in a work environment is presented below (Fig. 3). It describes a system consisting of sensors integrated with PPE products. The constitutive elements of the system are:
an electronic identifier (a chip card),
a sensor module integrated with PPE enabling the monitoring of such parameters as the heart rate, skin temperature, breathing rate, motion (presence or absence of movement), and position,
a computer with software controlling the system,
an alarm module alerting the user to health hazards or restricted locations,
a computing cloud.
Fig. 3. Sample scheme of data and information circulation in a system consisting of PPE with integrated sensors
In the example given above, the user has an electronic identifier, such as a chip card containing his or her ID data. In order to initialize the system, the user must log in by means of, e.g., his or her name, position, function, etc., to enable the software to correlate the data received by the sensors with a given person. Those data are sent on-line to the cloud via electronic modules. Thus, sensors should be understood as elements containing both detectors and data transmission systems. Once in the cloud, the data are sent to a computer with software operating the system. The software also contains applications that generate information about the user’s health and location. That information is redirected to the cloud, where it may trigger an alarm (in the case of a health hazard or a restricted location). Information about alarms is also sent via the cloud to a computer which records the history of such alarms.
Data may also be stored in identifiers and electronic modules. Given that electronic identifiers fulfil the function of an ID card, the safety of the data recorded in them is largely the responsibility of the users. Indeed, users should be aware of the fact that in the event of a loss or unauthorized sharing of the identifier, a third party may log into the system. In the case of modules enabling data transmission to the cloud, it is recommended that they do not record data, and in particular personal details, for the sake of data security. Modules transmitting data to the cloud are typically integrated with the PPE, either permanently or not. In the latter case, such modules may be external to the sensors and placed in specially designed pouches or pockets. The permanent local storage of personal data would pose the risk of unauthorized access (e.g., by technical staff or cleaning personnel, etc.).
The above example of data and information circulation in a work environment shows that in order to ensure the security of the data and information generated by the system, one should implement independent security solutions for the three layers of the IoT architecture, that is, the perception, transport, and application layers.
Perception layer security means preventing access of unauthorized persons to all physical elements of the system presented in Fig. 3, that is, computers, electronic identifiers, sensors, etc. In this case, authorized personnel includes:
smart PPE systems,
system maintenance specialist,
Importantly, users, who obviously have access to the sensors and alarm modules integrated with PPE, should not be able to modify their function. Any and all activities linked to the operation, maintenance, and calibration of those modules may be performed only by the designated person responsible for those areas. Identifiers should be accessible not only to the users, but also to the maintenance and supervising personnel. Access to the computer with software operating the system should be restricted to the maintenance and security staff, as well as the data administrator. Last but not least, only the administrator should be able to access the data in the cloud.
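The access rules in the paragraph above can be written as a deny-by-default policy and checked against access records. The following is an added example, not part of the original article; the role, component and action names and the log format are assumptions chosen to mirror the text.

```python
# Added example: role, component and action names are assumptions that
# mirror the access rules described in the text.
POLICY = {
    ("sensor_module", "use"): {"user"},
    ("alarm_module", "use"): {"user"},
    # "service" stands for operation, maintenance and calibration
    ("sensor_module", "service"): {"maintenance"},
    ("alarm_module", "service"): {"maintenance"},
    ("identifier", "access"): {"user", "maintenance", "supervisor"},
    ("system_computer", "access"): {"maintenance", "security", "data_admin"},
    ("cloud_data", "access"): {"data_admin"},
}

def is_allowed(role, component, action):
    """Deny by default: anything not listed in POLICY is refused."""
    return role in POLICY.get((component, action), ())

def audit(log_lines):
    """Return (line_number, reason) for every entry that breaks the policy."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
        try:
            role, comp, action = fields["role"], fields["component"], fields["action"]
        except KeyError:
            # Fail closed: an entry that cannot be evaluated is reported.
            findings.append((number, "malformed entry"))
            continue
        if not is_allowed(role, comp, action):
            findings.append((number, f"{role} may not {action} {comp}"))
    return findings

# Constructed sample log, not taken from a real system.
SAMPLE_LOG = [
    "role=user component=sensor_module action=use",
    "role=user component=sensor_module action=service",
    "role=maintenance component=alarm_module action=service",
    "role=supervisor component=identifier action=access",
    "role=supervisor component=cloud_data action=access",
    "role=data_admin component=cloud_data action=access",
    "role=maintenance component=system_computer",
    "role=security component=firmware_port action=access",
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```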
In the transport layer, data security should be ensured by encrypting data and information transmission in all the instances shown in the diagram. The encryption of data transmission is the responsibility of the maintenance personnel.
In the application layer, protection involves encrypted access points to all applications available in the cloud and on the computer (using a login, password, fingerprint verification, etc.). In this layer, it is the data administrator who is responsible for data security and who should verify passwords (for strength), login procedures, and the status of the resources stored in the memory of the computer supporting the system and in the computing cloud.
RECOMMENDATIONS FOR SECURE DATA AND INFORMATION CIRCULATION IN SMART PPE SYSTEMS
Integrity, confidentiality and accessibility must be ensured for all data. Integrity means that the collected data are complete and collected with sufficient accuracy to generate the desired information while providing appropriate processing methods. According to the principle of confidentiality, the collected data / information should be only available to the authorized personnel. Finally, accessibility means that authorized persons should have access to the data / information whenever necessary. In order to ensure the safety of the data generated, stored and transmitted by smart PPE systems operating within the implemented security architecture, it is crucial for the employer to fulfil the following conditions:
Fulfilling the legal requirements. The procedures for generating, storing and transmitting data should comply with the applicable regulations (GDPR). The employer should appoint an administrator responsible for the security of personal data as well as a supervisor overseeing the work of smart PPE users and a maintenance officer responsible for the entire smart PPE system.
Training and keeping workers informed. Smart PPE users should be informed about procedures for data generation, storage, and transmission. They should also be trained in the use of smart PPE systems and data access protocols.
Obtaining consent from workers. Smart PPE users should express informed consent for their personal data to be processed.
Securing access. Access to the various components of the smart PPE system should be enabled only for authorized personnel.
Preventing data leaks. To prevent data leaks, it is not recommended for monitored data to be sent to the employer's servers or computing clouds. Ideally, the data should be recorded locally on the device used by the worker. Data may be sent only in justified cases. Under no circumstances should one post data (in particular sensitive data) on social networks.
Deleting data that are no longer needed. At the end of work, all inessential data that were collected by smart PPE systems should be deleted, if possible, automatically.
System control and supervision. The efficient operation of smart PPE systems, both in technical terms (including penetration tests, sensor inspections, etc.) and in terms of compliance with procedures for the verification of passwords and personnel authorized to access the various elements of the system, is an indispensable element of data and information security.
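Two of the points made above, that transmitting modules should hold no personal details and that inessential data should be deleted automatically at the end of work, are sketched below. This is an added example, not part of the original article; the class names, the alarm threshold and the sample values are assumptions, and transport encryption is taken to be handled separately.

```python
import secrets

ALARM_HEART_RATE = 150  # assumed alarm threshold (bpm), for illustration only

class SystemComputer:
    """Holds the only token-to-person mapping and the alarm history."""
    def __init__(self):
        self._sessions = {}      # token -> personal details
        self._readings = {}      # token -> readings of the current session
        self.alarm_history = []  # kept after the session ends

    def login(self, card_id, name):
        token = secrets.token_hex(16)  # opaque, carries no personal data
        self._sessions[token] = {"card_id": card_id, "name": name}
        self._readings[token] = []
        return token

    def receive(self, token, reading):
        if token not in self._sessions:  # unknown or ended session: reject
            return False
        self._readings[token].append(reading)
        if reading["heart_rate"] > ALARM_HEART_RATE:
            self.alarm_history.append((self._sessions[token]["name"], reading))
        return True

    def end_of_work(self, token):
        """Delete session data automatically; only alarm history remains."""
        self._sessions.pop(token, None)
        return len(self._readings.pop(token, []))

class SensorModule:
    """Transmitting module: knows its session token, never the wearer."""
    def __init__(self, token, computer):
        self._token, self._computer = token, computer

    def send(self, heart_rate, skin_temp):
        # Nothing is written to local storage; the reading is only forwarded.
        reading = {"heart_rate": heart_rate, "skin_temp": skin_temp}
        return self._computer.receive(self._token, reading)

def demo():
    computer = SystemComputer()
    token = computer.login(card_id="CARD-0001", name="Worker A")  # constructed
    module = SensorModule(token, computer)
    accepted = [module.send(82, 33.1), module.send(163, 34.0)]
    purged = computer.end_of_work(token)
    late = module.send(90, 33.0)  # token is no longer valid after logout
    return accepted, purged, late, len(computer.alarm_history)
```

A lost or stolen module exposes only a random token that stops working once the session ends.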
Fig. 4 shows a schematic diagram of the seven elements listed above, crucial to the secure circulation of the data and information generated, stored and transmitted by smart PPE systems.
Fig. 4. Schematic representation of the elements crucial to the secure circulation of the data and information generated, stored and transmitted by smart PPE systems
To efficiently implement the above-mentioned best practices, it is essential to follow general data protection and cyber-security recommendations applicable to all systems, and to smart PPE systems in particular. Of key importance is also a good understanding of the applicable regulations pertaining to the protection and flow of personal data.