Mobile devices and the IoT has given new and innovative ways to stay on top of our health from Fitbits to smartphone pedometers. However, the vast amount of data these apps collect on our health is a blessing and a curse.
Stephen Wu, a technology lawyer at Silicon Valley Law Group and the author of A Guide to HIPAA Security and the Law, knows that if healthcare data is not handled properly, patients risk having their information lost or stolen, which means healthcare providers risk compliance mishaps and hefty fines.
The healthcare industry is at a crossroads when it comes to technology.
The IoT in healthcare can absolutely help make people more proactive about their health and provide physicians with better information, but it also becomes a nightmare to manage all this data and move it from device to device. In the battle of healthcare vs. IoT, who will win?
Sure, innovation in IT is a huge win for healthcare as a whole. Wu points out four major areas where IoT can help in today’s healthcare.
- Industrial: “Examples of this are heating, ventilation, air conditioning, or powering the tug drones that wander around the hospital halls,” Wu said.
- Inventory management: “Here you can think of keeping track of pharmaceuticals, supplies, or devices for asset management purposes.”
- Workflow optimization: This could take the form of RFID tags on basically anything, or something like trackable wristbands or ID badges. “You could also have cell phone alerts that notify straight to staff communication devices if somebody’s stopped breathing,” Wu explained. Or you could even set up a sensor to alert when a diaper needs to be changed.
- Device integration: In a hospital, there are so many devices that could get connected. Not just wearables, but also implantables or ingestibles. “There are all kinds of home sensors that people could use to collect information. Even a pill bottle could be collected to say, ‘How often was this pill bottle opened?’ to see if a patient has been taking medication.”
The device list goes on. “Blood pressure cuff, weight devices, blood glucose meters, things like that. You think about x-ray machines or infusion pumps. All of these could be connected to the network so you could control them or get alerts if a sensor goes off,” Wu said.
In fact, there’s mostly no healthcare technology that can’t be integrated with some type of IoT implementation. “The possibilities are endless,” Wu said.
Okay, But What About Security?
And it’s not just about HIPAA here, either.
It’s true that there are real risks in information security and IoT in the healthcare field. You have to be able to evaluate not just the vulnerabilities of a device, Wu said, but also the entire ecosystem of technologies that work together.
Imagine there’s a surgical robot connected to the internet through the hospital’s network. It’s a robot, so it’s a mobile device that’s collecting and giving off data.
“So let’s say the robot made a mistake and hurt somebody during an operation,” Wu said. “It might not be because there’s something wrong with the device itself. It might be because the data feed to the device was defective in some way—or the software update.”
“We have to think about all of those possibilities or all those technologies that work synergistically. If you don’t look at all the technologies that are working together, you might be missing something. It all adds up to a big picture of pervasive computing and pervasive connectivity.”
You could basically mic drop here about the complexity of the issue, but it’s not even close to being over.
How is the law in general, much less HIPAA specifically, even supposed to keep up with the IoT? (Healthcare isn’t exactly known as being defined by advanced technology.)
HIPAA was passed as a law in 1996, and the security rule came out in 2003. “We’ve had some updates along the way, but nothing has been specific to IoT. But if you think about 2003, I mean, that was when iPods were out. It was before the iPhone. It was before tablet computing. It was right at the infancy of when the cloud was starting to take off.”
Healthcare providers who are concerned about liability—which should be all of them—need to understand risk assessment and how to implement safeguards to protect the information and its confidentiality, integrity, and availability.
The general principles in the HIPAA security rule, the regulation underneath the law, still can be applied to IoT implementations. “You can look at those general principles and apply them to some device that is connected to the IoT. You have to look at the general requirement applied to the specific situation, in order to have a HIPAA-compliance solution to implementing a new device.”
Eventually, Everything Connects
Some healthcare providers—and we aren’t naming names, but by some we mean most—are hesitant to embrace IoT. Maybe because they don’t have the vision for the technology or maybe because they don’t get compliance issues.
But they should do it anyway.
“This is something that’s going to happen,” Wu said. “There’s going to be a technology revolution with IoT, and it will be hard to just refuse to do it.”
Because before long, patients will be demanding it of their doctors. IoT will basically become part of the standard of care.
But it’s too risky, providers might object. “You have some risk if you don’t adopt the IoT,” Wu pointed out, “because if it becomes part of the standard of care and suddenly you’re not using something that is perceived to be something that everybody’s doing in the medical field, then your level of care might be deemed to be substandard. You could open yourself up to malpractice liability.”
Ouch. You don’t want to be that one hospital that refuses to dispense wearables or makes patients actually come in to the doctor’s office for something like basic monitoring.
Fortunately, people like Wu have developed a systematic process for risk assessment and implementing administrative physical and technical safeguards. (P.S.: It’s described both in his book and in full in this podcast, so take a few minutes to listen.)
“You can manage your risk to a reasonable and appropriate level,” Wu said, “and when you do that you can have the benefits of the technology while managing the risk of information security breaches and associated legal liability.”
And speaking of staying connected, follow Stephen Wu @stephenswu on Twitter and read his fantastic book.