In Part I of this blog series, we discussed the implications of HIPAA on IoT devices and systems used in healthcare. In Part II, we delve into the legal implications of HITECH and the IoT Improvement Act, and leave you with some strategies to consider when launching an IoT system for healthcare applications.
HITECH and Why It Matters to IoT
President Barack Obama signed the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) in 2009 to stimulate the adoption of electronic health records and their supporting technologies to improve patient outcomes and streamline healthcare services using technology. It provided incentives for the development and use of better EHR tools and technologies and aimed to expand data breach notifications to protect electronic PHI, sometimes referred to as ePHI. The legislation also increased penalties for repeat and/or unaddressed HIPAA violations.
Broadly speaking, HITECH requires that all technologies and standards that apply to healthcare do not compromise HIPAA privacy and security laws and that healthcare organizations, as well as relevant businesses and service providers, be held responsible for upholding HIPAA laws and disclosing breaches.
The IoT Improvement Act
HITECH was a precursor to the Internet of Things Improvement Act (proposed in March 2019, passed in December 2020). This act requires IoT devices that are purchased by the US government to meet certain security standards. As the number of IoT devices in use grows, so do concerns about the security risks they pose. The IoT Improvement Act aims to ensure that there is a baseline for security that IoT devices of any kind must meet before they can be connected to a government network.
Some of the provisions of this legislation directly affect IoT device manufacturers and users. Many cybersecurity measures that are commonplace in other forms of tech are not found in IoT devices, as unfortunately many IoT device manufacturers prioritize cost and convenience over security.
The IoT Improvement Act also calls for NIST (the National Institute of Standards and Technology) to issue recommendations that IoT device manufacturers will have to follow regarding development, patching, and identity and configuration management throughout the lifecycle of IoT devices. Rules regarding vulnerability disclosures are also included in the bill.
This bill emphasizes the importance of preventing backdoor access by hackers into sensitive government networks, but the lesson for healthcare IoT players is clear: without standards, disclosure policies, and routine vulnerability assessments, your systems can always be at risk.
Legal Implications of Medical IoT
Current HIPAA rules do not require manufacturers of health wearables to comply with HIPAA’s privacy and security laws unless the data in question is being shared with a healthcare entity (a business, professional, or services provider) that is required to comply with those rules. Many companies have excellent data security practices in place but are not HIPAA compliant, simply because the law does not require them to be.
If HIPAA applies to you, complying with HIPAA is not optional, and you can face serious penalties for failing to meet HIPAA regulations. You may even face jail time if you are deemed to have willfully neglected your responsibilities to comply with HIPAA within the devices you use, the work you do, or the services that you provide.
Under HITECH, a person, company, service provider, healthcare facility, or health plan entity – including anyone working for or on their behalf – can be liable for breaching HIPAA rules. Mistakes as seemingly insignificant as improperly using PHI, not securing PHI, or giving access to unauthorized users or recipients of PHI data constitute a breach of HIPAA security and privacy laws.
Anyone working in the healthcare IoT space must familiarize themselves with the laws that apply to them and how technologies that are used in the med-tech healthcare services space use HIPAA-protected PHI.
Developing new technologies that comply with relevant laws may seem daunting, but compliance is an important part of avoiding liability, ensuring patient privacy and confidentiality, and developing trust between consumers and other entities operating in the healthcare space.
HIPAA guidelines clearly outline what healthcare entities can and cannot do with patient data, but the rules are not as clear when it comes to IoT technologies and platforms. Anyone working with a covered entity such as a health system must comply with HIPAA and HITECH regulations, but organizations that create health products or provide health services and deal with health data but are not directly linked with a HIPAA-covered entity may find themselves in a gray area when it comes to what they should and should not do with user or patient data.
HIPAA rules currently do not cover many consumer goods such as Fitbit devices and other health wearables even if they gather, store, or transmit data that can be classified as PHI. However, under no circumstances should such entities ignore industry regulations. In general, healthcare technology – including medical IoT technologies – should be designed with HIPAA compliance in mind. As health tech grows, legislation will undoubtedly be passed to cover new tools and technologies, so it is best to meet or exceed current standards and best practices from now rather than worry about patches and getting up to speed later.
Barriers and Concerns
Some of the barriers and concerns that come up when discussing health IoT include data protection, outdated legacy systems, data overload, and the costs of implementation.
Healthcare systems are composed of a huge number of interconnected systems, businesses, and individuals. Massive inputs of data, outdated software infrastructures, the complexity of integrating multiple devices and protocols, and implementation costs are some of the barriers to IoT adoption in healthcare. For example, in remote patient monitoring, a substantial portion of the costs go toward covering network and communications costs, so IoT systems must be thoughtfully planned based on needs, available resources, and desired outcomes.
Similarly, user training, needs assessments, ensuring compliance and system security, and budget concerns are also important issues that need to be discussed when designing an IoMT system. The benefits of these systems can outweigh their costs – but only if you get your implementation and deployment right. We talk about how to do that in the next section.
What Developers Need to Know
What do businesses and developers need to know before creating or using an IoT solution for healthcare services? Here is a quick primer on how to go about building a safe, secure, and compliant med-tech IoT platform or service. Remember that when it comes to connected devices, you must secure your devices as well as the larger attack surface that your network is composed of.
Get the Basics Right
First, developers must understand that most healthcare security breaches are a result of a failure to implement standard encryption and security protocols in the right places. Weak security standards and protocols are preventable human and infrastructure design errors. For example, even with the proper encryption protocols in place, an authorized system or individual may inadvertently leave encryption keys in an easily accessible place, such as in an unencrypted folder or network, or even in plain sight on an office desk.
Create and Follow a Strategy
You must document your data encryption strategies and adopt and document proper procedures for handling and storing encryption keys to ensure that they do not fall into the wrong hands.
Identify Sensitive Data
A simple solution to IoMT threats is to encrypt all data at all times, whether in storage or transport to or from a device, system, or user. Remember that this applies to personally identifiable data. This means that sensitive data should be protected and untraceable, not just from malicious actors but also from the people collecting it. The General Data Protection Regulation (GDPR) gives consumers in the European Union the right to be forgotten by any entity that may collect data about individuals. Although the GDPR is only currently active in the EU, it may soon be adopted by other countries.
Next, you must address IoT security risks directly. Once you have determined that you do use, collect, or transmit sensitive data, you must ensure that it is encrypted in transit as well as while it is at rest on your servers. Use encryption methods approved by NIST, such as the algorithms specified in FIPS (the Federal Information Processing Standards) publications. Many of these are freely available in open-source packages.
For communications between clients and servers, always use HTTPS, not HTTP. This goes for WebSocket connections as well (wss://, not ws://). If you use native socket connections between machines or devices on your network, tunnel that traffic over SSH or otherwise protect it with public-key cryptography. Unprotected socket connections are the most common source of information leaks on a given network.
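As an added example, not code from the original post or from Kajeet, here is the at-rest side of that guidance in Go using AES-256-GCM, a NIST-approved authenticated cipher (SP 800-38D). Each record is encrypted under its own data key, and that data key is wrapped under a key-encryption key that is fetched at runtime from a KMS or HSM, so the key never sits beside the data in the way the earlier section warns against. The record layout, the `patient-0001` identifiers and the sample reading are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sizes for AES-256-GCM (NIST SP 800-38D): 32-byte key, 12-byte nonce, 16-byte tag.
const (
	keyLen   = 32
	nonceLen = 12
	tagLen   = 16
)

// Stored record layout (constructed for this example):
//   [nonce | wrapped DEK + tag]  then  [nonce | ciphertext + tag]
// The KEK that unwraps the DEK is never written next to the data.
const wrappedLen = nonceLen + keyLen + tagLen

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce and returns nonce||ciphertext.
// aad is authenticated but not encrypted; it binds the ciphertext to its context.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith. Any change to the nonce, ciphertext, tag or aad fails here.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < nonceLen+tagLen {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:nonceLen], sealed[nonceLen:], aad)
}

// SealRecord encrypts one PHI record under a fresh per-record data key (DEK) and
// wraps that DEK under the key-encryption key (KEK), which lives in a KMS or HSM,
// not in the database. recordID is bound as associated data so a ciphertext cannot
// be silently re-filed under another patient.
func SealRecord(kek []byte, recordID string, plaintext []byte) ([]byte, error) {
	dek := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	wrapped, err := sealWith(kek, dek, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	body, err := sealWith(dek, plaintext, []byte("rec:"+recordID))
	if err != nil {
		return nil, err
	}
	return append(wrapped, body...), nil
}

// OpenRecord unwraps the DEK with the KEK, then decrypts the payload.
func OpenRecord(kek []byte, recordID string, blob []byte) ([]byte, error) {
	if len(blob) < wrappedLen+nonceLen+tagLen {
		return nil, errors.New("record blob too short")
	}
	dek, err := openWith(kek, blob[:wrappedLen], []byte("dek:"+recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, blob[wrappedLen:], []byte("rec:"+recordID))
}

func main() {
	kek := make([]byte, keyLen) // in practice fetched from a KMS/HSM at runtime, never stored with the data
	io.ReadFull(rand.Reader, kek)
	blob, _ := SealRecord(kek, "patient-0001", []byte("constructed PHI: bp=120/80"))
	pt, err := OpenRecord(kek, "patient-0001", blob)
	fmt.Printf("%s %v\n", pt, err)
	_, err = OpenRecord(kek, "patient-0002", blob) // same bytes, wrong record: rejected
	fmt.Println(err)
}
```

Losing the KEK makes every record unreadable, so rotating or revoking it is the practical answer to the "right to be forgotten" question above; rewrapping the DEKs under a new KEK does not require re-encrypting the records themselves.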
As email is not encrypted, never use it to transmit sensitive information. It is illegal to transmit ePHI over email, although there are some email providers (such as Gmail) that provide HIPAA-compliant email.
Use Digital Certificates and Authentication
IoT devices connect to servers and other devices, so if a malicious actor can impersonate a valid device, they may be able to gain access to its data and to the other network endpoints it connects to. You should design your architecture so that devices can only push data out to servers. They do not need – and should not be able – to pull data. Machine-to-machine (M2M) authentication and client-side TLS certificates (mutual TLS, often still called client-side SSL) are the mechanisms to use here.
In addition, usernames and passwords are no longer enough to ensure security. Enable multi-factor authentication whenever it is available. Even systems that use public-key cryptography for access control should still enforce MFA, sit behind firewalls, and expose administrative access only over SSH, and only where it is needed.
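The device-to-server authentication described above, as an added Go example that is not the post's or Kajeet's code: the ingest server requires a client certificate issued by a device CA, so an endpoint that cannot present one is refused before any data flows. The device PKI, the hostname `ingest.example.internal`, the device name `device-0001` and the loopback TCP setup are all constructed for this example; a real fleet gets its certificates from a provisioning service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// loopbackPair opens a TCP connection to an ephemeral port on 127.0.0.1 so the
// handshake runs over a real socket without touching any external network.
func loopbackPair() (server, client net.Conn, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	defer ln.Close()
	if client, err = net.Dial("tcp", ln.Addr().String()); err != nil {
		return nil, nil, err
	}
	server, err = ln.Accept()
	return server, client, err
}

// issueCert mints an Ed25519 certificate signed by ca (a self-signed CA when isCA
// is set). A constructed stand-in for a real device PKI; it panics on setup errors.
func issueCert(cn string, isCA bool, eku []x509.ExtKeyUsage, ca *x509.Certificate, caKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // serverAuth for the ingest server, clientAuth only for devices
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	parent, signer := tmpl, key // self-signed unless issued by the CA below
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		parent, signer = ca, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// mutualTLS runs one handshake between a "device" and the ingest server. The server
// requires a device certificate chaining to the device CA (mutual TLS); an empty
// deviceCerts models an unprovisioned device. Returns the device CN the server authenticated.
func mutualTLS(pool *x509.CertPool, serverCert tls.Certificate, deviceCerts []tls.Certificate) (string, error) {
	srvRaw, devRaw, err := loopbackPair()
	if err != nil {
		return "", err
	}
	deadline := time.Now().Add(5 * time.Second) // a stalled handshake must never hang the caller
	srvRaw.SetDeadline(deadline)
	devRaw.SetDeadline(deadline)
	server := tls.Server(srvRaw, &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid device certificate, no connection
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	device := tls.Client(devRaw, &tls.Config{RootCAs: pool, ServerName: "ingest.example.internal", Certificates: deviceCerts, MinVersion: tls.VersionTLS12})
	defer server.Close()
	defer device.Close()
	devErr := make(chan error, 1)
	go func() { devErr <- device.Handshake() }()
	if err := server.Handshake(); err != nil {
		return "", fmt.Errorf("server rejected device: %w", err)
	}
	if err := <-devErr; err != nil {
		return "", err
	}
	return server.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	_, caCert, caKey := issueCert("Device CA", true, nil, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv, _, _ := issueCert("ingest.example.internal", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, caCert, caKey)
	dev, _, _ := issueCert("device-0001", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, caCert, caKey)
	fmt.Println(mutualTLS(pool, srv, []tls.Certificate{dev})) // device-0001 <nil>
	fmt.Println(mutualTLS(pool, srv, nil))                    // "" and a rejection error
}
```

Two design points carry over to production: device certificates are issued with the clientAuth extended key usage only, so a stolen device credential cannot be used to impersonate the server, and the CN the server extracts from the verified certificate is what identifies the device from then on, not anything the device claims in its payload.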
Secure Firmware Updates
Watch out for malicious firmware. One common IoT device attack is for malicious actors to wirelessly (over the air) send your devices a modified version of the firmware. This can give them access to that device, including any sensors or systems to which it has access. Cryptographically signing firmware images and having the device verify the signature before an update is applied is one way to prevent such an attack. Digital certificates, secure credentialing, and firmware signing are not always seen as essential for protecting consumers, but they are critical for maintaining a healthy device infrastructure.
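An added Go example of that signing and verification step (not code from the original post): the vendor signs the image with an Ed25519 private key that exists only on the build server, and the device checks the signature against its baked-in public key before writing anything to flash, refusing tampered images and rollbacks to older versions. The `FWv1` image layout and the version numbers are invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Signed image layout (constructed for this example, not any vendor's format):
//   magic "FWv1" (4) | version uint32 BE (4) | payload length uint32 BE (4) | payload | Ed25519 signature (64)
// The signature covers everything before it, so the version field is authenticated too.
const (
	magic  = "FWv1"
	hdrLen = 12
)

// SignImage is the vendor-side step. It runs on the build/signing server, the only
// place the private key exists; devices never hold it.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, hdrLen, hdrLen+len(payload)+ed25519.SignatureSize)
	copy(img[0:4], magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device-side step, run before a single byte is written to
// flash. pub is baked into the device (ideally in ROM or OTP fuses); installed
// is the currently running version, used to refuse rollback to older firmware
// that may carry known vulnerabilities.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (version uint32, payload []byte, err error) {
	if len(image) < hdrLen+ed25519.SignatureSize {
		return 0, nil, errors.New("image too short")
	}
	if string(image[0:4]) != magic {
		return 0, nil, errors.New("bad magic")
	}
	plen := uint64(binary.BigEndian.Uint32(image[8:12]))
	if uint64(hdrLen)+plen+ed25519.SignatureSize != uint64(len(image)) {
		return 0, nil, errors.New("length field does not match image size")
	}
	signed, sig := image[:hdrLen+plen], image[hdrLen+plen:]
	// Verify the signature before acting on any header field, including version.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, errors.New("signature check failed: image rejected")
	}
	version = binary.BigEndian.Uint32(image[4:8])
	if version <= installed {
		return 0, nil, fmt.Errorf("rollback refused: image version %d is not newer than installed %d", version, installed)
	}
	return version, signed[hdrLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignImage(priv, 7, []byte("constructed firmware payload"))
	_, _, err := VerifyImage(pub, 6, img)
	fmt.Println("genuine image:", err)
	img[hdrLen] ^= 0xff // flip one payload bit, as an over-the-air tamper would
	_, _, err = VerifyImage(pub, 6, img)
	fmt.Println("tampered image:", err)
}
```

The anti-rollback check matters as much as the signature: a correctly signed but older image is still a "valid" update, and without the version comparison an attacker who has captured one could reinstall firmware with a known, already patched flaw.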
Invest in User Training
Consumers and end-users should be made aware of how, when, and where their data is used, as well as the implications of misuse. You also need to consider whether the data you will collect will be provided to other parties, such as health insurance companies. A downstream breach of data that you collected can have implications on you as well.
The IoMT space is growing rapidly, but risks abound. Device manufacturers and healthcare service providers owe it to the public – and in many cases are required by law – to secure patient data and protect sensitive systems from unauthorized access. A failure to do so can be catastrophic – not just in financial terms but in the harm that can be inflicted on unsuspecting patients, caregivers, and families.
To learn more about secure medical IoT solutions and how cutting-edge enterprises are building future-proofed med-tech solutions, reach out to a Kajeet Solutions Engineer.