Countering HITECH Privacy Risks from Internet of Things Products

By Chris Tyrrell, Compliance Practice Lead, Conventus
Twitter: @ConventusCorp

Ready or not, the Internet of Things is poised to change the world – and the way we deliver and receive medical care. Sensors and transmitters are now cheap and small enough to be placed into virtually any product, making it possible for products as diverse as electronic toothbrushes, Fitbits and Apple Watches to connect to the Internet and allow users to control and monitor activities and gather data.

The Internet of Things has profound implications for the healthcare sector. Doctors can use connected devices for tasks like monitoring patient vital signs, analyzing data on exercise activity and much more. But along with the new possibilities comes an increased risk of data breaches and of non-compliance with HITECH privacy rules and HIPAA patient protections. The challenges aren’t necessarily inherent to the devices themselves; they arise from the larger attack surface those devices add to the network as a whole.

Internet of Things devices that connect with healthcare provider networks introduce a new point of entry to the network, which means devices and connections can be compromised and used to access sensitive data. For healthcare providers, this makes the following questions important: Who is securing the device? Who is controlling communication protocols? It’s similar to the challenges businesses of all types are confronting in the “bring-your-own-device” era, in which workers use personal smartphones and tablets to handle business activities.

The important thing to remember is that a network is only as secure as its weakest link. This was true before Internet of Things devices became a growing trend: the business operations side of a healthcare organization has to contend with employee device security challenges and with vulnerabilities introduced by partner organizations, just like any other business. The difference is that with Internet of Things devices coming online and being used by patients and healthcare providers, there are more opportunities for the security chain to break.

What are the potential weak links? The device itself could be compromised. The device user’s tablet or smartphone could be hacked. The home network that transmits the data to the healthcare provider could be breached. The point is, the nature of the threat hasn’t really changed – the number of entry points has expanded. And that means healthcare providers should be proactive about addressing the issue.

So how can healthcare providers mitigate the risk? One good place to start would be to educate patients who will be using remote devices on security basics. Commonsense tips would include not downloading apps or files from unknown sources and being careful about whom they trust with their data: A password management system, for example, should only be used if it comes from a trustworthy, well-established source.

For healthcare providers, precautions include making sure cloud-based data handlers are compliant with HITECH privacy regulations and that staff fully understand their obligations, including the most recent HIPAA Omnibus privacy protections. Providers should conduct a thorough analysis of their security environment, including every point at which devices connect to it, and have a system in place to perform ongoing assessments as the network evolves.

The Internet of Things has the potential to transform the healthcare industry, giving doctors and patients new tools to monitor health status and wellness activities. But there are significant risks involved. It’s important to remember that everything is based on trust, to some extent. Generally, there’s not much financial incentive for hackers to target an individual patient’s data in isolation, but data aggregated across a population can be incredibly valuable, so healthcare providers should use caution and partner with an InfoSec specialist who understands their unique needs.