IoT Devices and Systems in Healthcare
About one-fifth of the U.S. GDP is spent on healthcare, and the size of the medical IoT devices market is expected to surpass $530 billion by 2025. Digital healthcare can help improve and increase access to testing, treatment, and preventative care, and could save the industry $300 billion annually. Other opportunities for the improvement and enhancement of patient care abound with IoT technologies that can bridge the digital and physical worlds and improve physician and patient relationships.
The use of smartphones, smart devices, sensors, and integrated networks is integral to these new digital systems, but these components have also become a major source of privacy breaches. Software vulnerabilities, security failures, and human error, amongst other factors, can all lead to unauthorized access, theft, or loss of sensitive patient and health information.
According to the NCBI, roughly 250 million people globally were affected by healthcare data breaches between 2005 and 2019. In 2018 alone, there were over 500 global healthcare breaches in 65 different countries. According to an IBM report, the average cost of a data breach in the US in 2019 was about $8.5 million, while the average healthcare breach in the US over the same period cost over $15 million.
How can IoT devices be secured from such attacks? What is the role of HIPAA in medical IoT? How can a safe and secure system be set up? What are some of the best practices that developers and service providers should follow when it comes to building a HIPAA-compliant healthcare product or service?
In this post, we delve into each of these questions. We begin by providing some background on HIPAA and what constitutes protected health information (PHI). From there, we discuss what can happen if HIPAA rules are breached and what developers need to know before creating a safe, secure, and HIPAA-compliant system. We also discuss other relevant rules and regulations such as HITECH that apply to medical IoT devices and PHI.
What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act, which was passed in 1996 to standardize the electronic transmission of healthcare information (all forms of patient information as well as transaction data such as insurance claim data). It also aims to streamline healthcare provision and improve access to care and insurance coverage.
HIPAA itself is a wide-ranging and comprehensive piece of legislation, but whenever people mention HIPAA compliance, they most often mean HIPAA’s Privacy Rule and Security Rule. The Privacy Rule sets the standards for using, disclosing, and protecting PHI. It also addresses the rights that individuals have to understand and control how their PHI is used, while simultaneously supporting the flow of health information that is needed to deliver high-quality healthcare. Similarly, the Security Rule sets the standards for storing and securing patient data. It requires covered entities to put physical, technical, and administrative safeguards in place that ensure PHI can be safely transmitted, received, and stored, and that it is accessible only to authorized individuals or entities.
What constitutes protected health information? HIPAA defines PHI as all personally identifying health data. Any data that includes names, dates, telephone numbers, geographic data, Social Security numbers, email addresses, medical record numbers, health plan numbers, full-face photos, and various biometric identifiers, to name a few, is classified as PHI. Digital, paper, and oral transmission of any such data is protected, as are some forms of data gathered by wearable tech.
To help illustrate the distinction between PHI and non-protected information, consider a Fitbit device that tracks the hours you sleep. Your data – when viewed as a single data point and nothing more – is not PHI and is not protected by HIPAA. However, if that data is linked to a specific individual by his or her name, phone number, email address, or any other unique identifiable marker, it is then considered PHI and is protected by HIPAA.
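The sleep-tracker distinction above can be expressed as a simple check: a measurement on its own is not PHI, but the same measurement linked to an identifier is. The following is an added example (not code from the original post), using an assumed, deliberately incomplete subset of the identifiers listed above and constructed sample records; a real classifier would need the full HIPAA identifier list.

```python
import re
from typing import Any

# Field names that directly identify a person (a subset of the post's list,
# assumed for illustration; not the complete HIPAA identifier list).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "email", "ssn", "medical_record_number",
    "health_plan_number", "address", "date_of_birth", "photo",
}

# Patterns for identifiers that leak inside free-text fields (constructed).
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

def find_identifiers(record: dict[str, Any]) -> set[str]:
    """Return the kinds of identifying data present in a record."""
    found = set()
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS and value not in (None, ""):
            found.add(key)
        elif isinstance(value, str):
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.search(value):
                    found.add(kind)
    return found

def is_phi(record: dict[str, Any]) -> bool:
    """Health data becomes PHI once it is linked to an identifiable person."""
    return bool(find_identifiers(record))

def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Drop identifier fields and mask identifiers embedded in free text so the
    measurement can be handled outside the HIPAA boundary."""
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            for kind, pattern in IDENTIFIER_PATTERNS.items():
                value = pattern.sub(f"[{kind} removed]", value)
        clean[key] = value
    return clean

# Constructed sample records mirroring the post's sleep-tracker example.
SLEEP_ONLY = {"hours_slept": 6.5, "sleep_quality": "good"}
SLEEP_LINKED = {"hours_slept": 6.5, "sleep_quality": "good",
                "email": "jane@example.com"}
SLEEP_NOTE = {"hours_slept": 6.5,
              "note": "call patient at 555-123-4567 about sleep"}
```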
How Medical IoT Works
Medical IoT technology is used to gather and aggregate health data. When deployed, IoT healthcare devices and platforms typically work as follows:
- A smart device gathers health information from a patient or user. Smart devices may include motion detectors, heat sensors, and cameras.
- Readings that are already digital can be stored and transmitted as-is, while analog readings or measurements must first be converted into a digital stream.
- Once all of your data has been aggregated and digitized, it can be transmitted to your data center – typically in the cloud – where it can be cleaned, sorted, and stored.
- Physicians, medical professionals, or virtual assistants can then analyze that data to make better-informed decisions and extract insights on improving patient care.
Managing IoT devices and all related systems requires maintaining the security, privacy, and integrity of the PHI that they gather, store, or transmit. Each block of an IoT architecture communicates with other devices, systems, or users, and every such link adds to the potential attack surface of the network as a whole. Therefore, IoT device security must be built into your systems from the ground up rather than bolted on afterwards.
Benefits of IoMT
Smart healthcare devices and systems can radically impact how we deliver health services, identify patient issues, and make medical decisions. Doctors, patients, health systems, and other entities operating in the healthcare space may enjoy the following benefits of med-tech IoT:
- Lower patient wait times.
- More accurately tracked patient records.
- Improved staff management, resource allocation, and inventory management.
- Improved doctor, patient, and family access to important health information.
- Ability to predict medical device maintenance needs.
- Improved cost-effectiveness of healthcare services and devices.
- Lower error rates.
To illustrate how IoT devices can deliver these benefits, consider the use cases below:
- Patients may use tools and wireless apps such as fitness trackers, heart rate trackers, and glucometers as personalized solutions that accurately sense and monitor important health metrics (tracking calories burned, receiving reminders to take medication).
- Medical professionals can use aggregated, filtered, and cleaned data to pinpoint healthcare gaps, streamline management, and improve treatment.
- Healthcare facilities can use IoT devices and platforms to lower the costs of facility management, streamline operations, track device and/or patient locations, and improve the utilization of medical equipment, resources, or drugs/medicines using real-time data feeds.
IoMT devices have the potential to revolutionize the provision and management of healthcare in many other ways as well – if used the right way.
Here are a few ways in which IoT devices are already bringing about transformative change in the healthcare services space:
- Remote patient monitoring can help improve access, reduce travel times, and reduce treatment costs for underprivileged or underserved populations.
- Glucose monitoring and connected inhalers can be used to help individuals with diabetes or asthma.
- Smart devices can improve the interoperability of disparate systems and data types with well-organized data, forward-thinking technology, and better data management.
- Smart contact lenses and hearing aids can detect glucose levels, vision illnesses, and hearing issues.
- Wireless pill bottles can help patients manage dosages and can provide reminders or notifications if a dose is missed.
- Fitbits and other wearables can track a wide range of health metrics, remind you to take medications, check your blood pressure, measure your heart rate, measure calorie burn, and integrate other health metrics into a comprehensive health plan.
- Ulcer sensors can be used by bedridden patients to help avoid bedsores. Ambulatory patients can use these sensors to help prevent the development of ulcers.
- Implantable devices such as neurostimulators, cochlear implants, gastric stimulators, and insulin pumps can help a wide range of patients with many different ailments.
- Cancer treatment: A recent trial used a Bluetooth-enabled weight scale and a blood pressure cuff with a symptom-tracking app to send updates to patients’ physicians on symptoms and responses to treatment every weekday.
- Coagulation testing: There are already Bluetooth-enabled smart coagulation systems on the market.
- Parkinson’s Disease: Apple recently added a new ‘Movement Disorder API’ to its open-source ResearchKit framework. This allows Apple Watches to monitor the symptoms of Parkinson’s Disease. These symptoms are typically monitored by a physician at a clinic via physical diagnostic tests, and patients must maintain a diary of the symptoms they experience when they are not under observation. Apple’s APIs can automate and streamline this process.
Other applications of med-tech IoT devices include air quality sensors, drug effectiveness tracking, capturing data on vital signs, sleep monitors, sleep safety tools for infants, depression detection, cancer detection, robotic surgery, hygiene monitoring, RFID tagging of medicines or materials, GPS smart soles for patient monitoring, and much, much more.
In Part II next week, we’ll finish out our discussion of the legislation surrounding medical data, and delve into strategies for building a safe, secure, and compliant med-tech IoT platform or service.