As the healthcare industry increasingly adopts the Internet of Things (IoT) to improve patient health outcomes, it also exposes data to new cybersecurity risks. In September 2018, the National Institute of Standards and Technology (NIST) published draft NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.” The implication for healthcare providers integrating IoT into their care plans is that they need to protect device security, data security, and patient privacy.
Healthcare providers use IoT to provide better patient care. However, to do so, they need to be thoughtful about the way in which they incorporate IoT strategies and secure electronic protected health information (e-PHI).
Bluetooth-enabled weight scales and blood pressure cuffs, paired with symptom-tracking applications, send daily updates to doctors. Research shows that, as a result, patients experience less severe symptoms.
Diabetics often use a Continuous Glucose Monitor (CGM) to track their glucose levels around the clock. These devices connect to smartphone and smartwatch applications, giving better monitoring and making trends easier to detect.
The Open Artificial Pancreas System (OpenAPS) monitors glucose levels and automatically adjusts insulin delivery to keep blood glucose levels within a safe range.
Smart inhaler technology uses sensors to work with inhalers so that asthmatics can more consistently and regularly take medication.
Apple’s ResearchKit included a “Movement Disorder API” that helps monitor Parkinson’s Disease symptoms, which eases the daily diary process and aids research.
NIST detailed three differences between medical IoT and traditional IoT.
NIST outlined that IoT healthcare devices interact with physical systems and affect them differently. Their operational requirements for performance, reliability, resilience, and safety may therefore not align with the cybersecurity and privacy practices used for traditional IoT devices.
Since these devices may require manual tasks, staff may not have the necessary knowledge and tools for addressing the new risks. Additionally, manufacturers and third parties having remote access or control can lead to new risks.
Because of the different ways in which medical IoT devices connect to the physical world and the information they store, transmit, and process, additional controls may need to be implemented to mitigate risks. However, these controls are not always available.
Although they resemble the risks already addressed under the Health Insurance Portability and Accountability Act (HIPAA), the risks of medical IoT bring new struggles.
Distributed Denial of Service (DDoS) attacks and eavesdropping attacks can compromise the devices’ availability, accessibility, and confidentiality, leading to a loss of data integrity or affecting human lives.
Failure to protect the confidentiality, integrity, and availability of the personally identifiable information (PII) that the devices store, transmit, collect, or process can lead to data breaches.
Compromised PII can directly impact individuals.
To protect device security, NIST suggests four risk mitigation strategies.
Healthcare providers need to maintain current, accurate inventories of all IoT devices throughout the devices’ lifecycles.
To protect the devices, healthcare providers need to review software and firmware for known vulnerabilities.
To prevent unauthorized or improper physical and logical access to, use of, or administration of IoT devices, healthcare providers need to ensure appropriate access management strategies.
Healthcare providers need to continuously monitor IoT devices for potential security incidents.
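The four device-security strategies above (inventory, vulnerability review, access management, continuous monitoring) are stated as requirements rather than as a procedure. The following script is an added illustration, not code from the article or from NIST, of how a small practice could turn them into a repeatable check: every device record carries an owner, a firmware version and a last-seen timestamp, and the audit flags devices whose firmware is below a patched baseline, devices with no accountable owner, and devices that have stopped reporting. The device records, the baseline versions and the seven-day threshold are all constructed for the example.

```python
"""Audit a constructed IoT device inventory (example code, not the article's).

Flags: firmware below a known patched baseline, devices with no owner,
device types with no baseline at all, and devices not seen recently.
"""
from datetime import datetime, timedelta

# Constructed inventory: one record per device, maintained across its lifecycle.
INVENTORY = [
    {"id": "scale-01", "type": "weight_scale", "firmware": "1.2.0",
     "owner": "cardiology", "last_seen": "2018-09-28T08:00:00"},
    {"id": "scale-02", "type": "weight_scale", "firmware": "1.1.3",
     "owner": "cardiology", "last_seen": "2018-09-27T19:30:00"},
    {"id": "cgm-07", "type": "glucose_monitor", "firmware": "3.0.4",
     "owner": "endocrinology", "last_seen": "2018-09-10T06:15:00"},
    {"id": "inhaler-12", "type": "smart_inhaler", "firmware": "2.4.1",
     "owner": None, "last_seen": "2018-09-28T07:45:00"},
]

# Constructed baseline: the lowest firmware version per device type in which
# the known issues are fixed. In practice this comes from vendor advisories.
MIN_PATCHED = {
    "weight_scale": "1.2.0",
    "glucose_monitor": "3.1.0",
}


def parse_version(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(inventory, min_patched, now_iso, stale_after=timedelta(days=7)):
    """Return a list of (device_id, finding) pairs for the given point in time.

    now_iso is an ISO-8601 timestamp such as '2018-09-28T12:00:00'.
    """
    now = datetime.fromisoformat(now_iso)
    findings = []
    for dev in inventory:
        baseline = min_patched.get(dev["type"])
        if baseline is None:
            # No advisory baseline means the vulnerability review is incomplete.
            findings.append((dev["id"], "no_patch_baseline"))
        elif parse_version(dev["firmware"]) < parse_version(baseline):
            findings.append((dev["id"], "outdated_firmware"))

        if not dev.get("owner"):
            # Access management needs someone accountable for each device.
            findings.append((dev["id"], "no_owner"))

        last_seen = datetime.fromisoformat(dev["last_seen"])
        if now - last_seen > stale_after:
            # A silent device may be offline, removed, or compromised; either
            # way the inventory and monitoring records no longer agree.
            findings.append((dev["id"], "stale"))
    return findings


if __name__ == "__main__":
    for device_id, finding in audit_inventory(INVENTORY, MIN_PATCHED, "2018-09-28T12:00:00"):
        print(f"{device_id}: {finding}")
```

Run against the constructed records, the audit reports the scale on old firmware, the glucose monitor that is both unpatched and silent for eighteen days, and the inhaler that has no owner and no baseline to check against; the fully patched, recently seen scale produces no finding. Comparing versions as tuples rather than strings matters because "1.10.0" sorts before "1.9.9" as text.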
NIST lists two strategies to prevent data security incidents.
Data at rest and in transit needs to be protected so that sensitive information is neither exposed nor has its integrity compromised.
Healthcare providers need to continuously monitor IoT device activity for potential data breaches.
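The two data-security points above ask for integrity protection of stored data and for monitoring that can notice when it has been tampered with. As an added example (not code from the article or from NIST), the snippet below seals each stored patient reading with an HMAC-SHA-256 tag under a key the device or server holds, and a verification step that runs before the record is trusted. Any change to the stored payload, however small, makes verification fail, which is the signal a monitoring job would raise. The key, the record and the tampering are all constructed for illustration; confidentiality would additionally need encryption, which this snippet does not attempt.

```python
"""Seal and verify stored readings with HMAC-SHA-256 (example code, not the article's)."""
import hashlib
import hmac
import json

# Constructed key for the example only; a real key is generated per deployment
# and stored outside the record it protects.
EXAMPLE_KEY = b"constructed-example-key-do-not-reuse"


def canonical(record):
    """Serialise a record deterministically so the same content always tags the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record, key):
    """Return a storable envelope: the canonical payload plus its HMAC tag."""
    payload = canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode("utf-8"), "tag": tag}


def verify_record(sealed, key):
    """Recompute the tag over the stored payload and compare in constant time."""
    expected = hmac.new(key, sealed["payload"].encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def tamper_demo(key):
    """Seal a constructed reading, alter one digit in storage, and report both checks."""
    reading = {"device": "cgm-07", "glucose_mg_dl": 112, "time": "2018-09-28T08:00:00"}
    sealed = seal_record(reading, key)
    intact = verify_record(sealed, key)

    # Simulate silent modification of the stored copy (a constructed tampering).
    modified = dict(sealed)
    modified["payload"] = sealed["payload"].replace("112", "182")
    after_tamper = verify_record(modified, key)
    return intact, after_tamper


if __name__ == "__main__":
    print(tamper_demo(EXAMPLE_KEY))  # expected: (True, False)
```

The tag is recomputed from the stored bytes, so a record that verifies today and fails tomorrow tells the monitoring job that the stored copy changed after it was written; logging that event alongside the device id gives the continuous-monitoring step concrete input.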
NIST lists five strategies for protecting patient privacy.
Healthcare providers need to create mappings that show PII lifecycles, incorporating the type of data action, the PII elements processed, the party processing the PII, and any other contextual factors that could compromise privacy.
Permissions governing PII processing need to prevent unpermitted processing.
Patient users need to understand the potential data breach incidents that could occur from using the devices, including how to resolve problems.
With more users and more locations storing information, healthcare providers may lack the ability to manage authentication.
Healthcare professionals need to continuously monitor device activity for signs of data breaches.
Managing these new cybersecurity risks may prove overwhelming for many practitioners. Following the best practices set out by NIST may mean adopting new technologies to keep security controls effective. Looking to the future, practitioners may need to think about:
While the use of IoT in healthcare can lead to better patient care outcomes, it also creates risks that a practitioner may not be able to mitigate. In short, the cost-benefit analysis may require providers to choose between patient physical health or patient data health.
We understand that our healthcare providers’ primary interest is keeping patients healthy. To do that, they want to provide the best “Do No Harm” care possible. Unfortunately, using IoT may lead to unintended harm. This is why we created an end-to-end, security-first solution enabling small and mid-sized practices to maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA). We help you identify risks, create policies that govern your security controls, monitor their effectiveness, and direct you toward an end-to-end cyber insurance policy that fits your needs. Get a free insurance quote today!