By Tim Mullahy, executive vice president, Liberty Center One.
Remote monitoring. Smart sensors. Better communication and overall patient care. The internet of things has some incredible applications for the health industry — assuming we can overcome the security challenges it brings with it. But where do we start?
The potential of the Internet of Things to revolutionize the world has already been well-documented – as has its potential security shortcomings. I don’t believe it’s hyperbole to call IoT one of the most disruptive digital technologies ever developed, if not the most. But that disruption can easily be a double-edged sword.
Consider the healthcare industry, for example. Hospitals, care providers, and covered entities regularly work with some of the most sensitive data in the world, subject to some of the most stringent protections. They have an inarguable duty of care to keep protected health information (PHI) out of the wrong hands.
Incautious application of IoT technology runs directly counter to that duty of care.
Yet hospitals and other healthcare agencies use the Internet of Things for everything from maintenance and monitoring to patient care — nearly 60 percent have introduced IoT into their facilities, and 87 percent plan to implement more technology by next year. And of those organizations, 89 percent have suffered from some form of IoT-related security breach.
Unless you want your organization to be included in that statistic, you’re going to need to take a step back and re-examine your security practices. The Internet of Things is by its very nature unlike any technology you’ve used in the past, which means it requires a completely different approach.
You must have some way of monitoring, managing, and locking down any endpoints that might have even a passing connection to patient data. You need to implement new processes and procedures regarding how devices are used and interconnected within your organization. Finally, you need to be aware of PHI no matter where it is and who’s using it — and if someone is accessing it who shouldn’t be, you need the capacity to lock down their access and protect that data.
For an industry where even standard IT can prove challenging, that’s a pretty intensive list. It’s small wonder, then, that many healthcare organizations choose to work with managed services providers rather than deal with things internally. And if, after a security assessment, you find that your own IT staff lack the expertise, that might be the best bet for you as well (at least until your staff can receive proper training).
Of course, selecting an IoT services provider comes with its own laundry list of challenges. You’ll need to school yourself in the tactics and language the bad eggs use to try to lure in new clients, and you’ll need to ensure that any providers you work with are fully HIPAA-compliant. There are a few signs you should look out for in that regard:
- They hire and train compliant staff, holding them to strict HIPAA guidelines.
- They actively manage and report on their application’s performance and access logs.
- They offer a detailed service-level agreement with a clear process for managing downtime.
- They are explicit and transparent about their security practices, which should be extensive and (ideally) go above and beyond the baseline that HIPAA requires.
- They are willing to participate in compliance audits and sign a vendor agreement.
The Internet of Things isn’t going away anytime soon – it is an inevitability. Its usage in the healthcare space is only going to increase. It’s up to you to ensure that you either partner with a service provider that can help you deal with that, or train your staff to do so.
Otherwise, your PHI will end up in the wrong hands, either through malice or ignorance. That’s an inevitability too.