Internet-connected medical devices are nothing new. From x-ray machines to infusion pumps, these devices have helped push major advancements in clinical care. Increasingly, we see health care technology moving out of controlled clinical settings. From Bluetooth-enabled blood pressure cuffs to fitness bands and mobile apps, internet of things (IoT) health care technology now fills our phones and adorns our clothing, necklines, arms, legs and wrists. However, along with these advancements, we see a multitude of privacy and security concerns arising. Here’s a summary of seven particular areas of concern:
- Network liabilities. Vulnerabilities stem from the very nature of IoT devices. They usually move to market quickly, rely on limited storage space or computing power, and run in “always on” mode. This affords hackers the chance to launch “man-in-the-middle” (MITM) or other attacks on apps and devices as they connect to institutions and data repositories. Devices are most vulnerable when connecting to fix bugs or transfer data. While medical device manufacturers have upped their cybersecurity in response to FDA guidance and negative publicity, the same cannot be said for fitness bands and other devices that passively collect personal health information.
- Vulnerable data. New devices can monitor food intake, physical exercise, blood chemistry and even drug efficacy. They can also help us connect to providers and our own health records. These devices, however, are vulnerable precisely because their data is so valuable. This information can include names, addresses, unique digital IDs, location data and traditional information sought by criminals for financial or medical fraud, such as Social Security numbers, dates of birth, financial data, medical diagnoses and treatment information.
- Legacy operating systems. Medical devices tend to run on old operating systems and “off-the-shelf” software components that hackers know well. Some medical devices are connected to the internet through computers running very old versions of Windows XP, an operating system known to have many exploitable vulnerabilities. These systems are easy to hack via brute-force attacks and hard-coded logins.
- Data ownership concerns. Users of mobile health and wearable technology are also concerned about privacy and ownership of the data. Many countries have laws in place to protect patient data. However, these laws are inconsistent and often vary from one part of the world to another. In the United States, HIPAA customarily governs medical devices in the controlled clinical setting. But it does not always apply to the makers of mobile health devices, which can cause confusion regarding which entity or individual owns the data.
- Privacy and security not always synonymous. FDA guidance says that security is a shared responsibility between medical device manufacturers and health care providers. But the agency’s guidance documents can be vague and are nonbinding, creating uncertainty about which safety practices providers should follow to ensure medical device security. Notably, the FDA has stated that it generally does not address risks of privacy breaches. Of course, state and federal privacy laws create liability in the event of a breach, and manufacturers must take care to ensure data stays protected when accessible to others.
- IoT security issues. Mobile health companies, like other industries, are becoming more connected by interacting with other systems and applications to provide innovative, new services to patients and consumers. Sometimes, however, companies can lose track of where patient data is stored, who has access to it and how it is protected in transit. A lack of security and privacy controls could lead to intervention by the FDA, FTC and the HHS Office of Civil Rights (OCR), which could also lead to an expensive recall of the device itself.
- Big Data vs. data minimization. Big Data can improve patient outcomes, provide better understanding of what clinical services are in demand and reduce medical errors. But privacy issues abound. Technology companies seeking to monetize personal health information should have a right under HIPAA to use the data to advance these goals, as long as consumers provide authorization to do so. Additionally, companies may have to consider the Children’s Online Privacy Protection Act, state laws and the Common Rule when disclosing patient information. If not appropriately anonymized, data sharing can violate these statutes and lead to significant penalties.
If you find this array of potential pitfalls confusing, you are not alone. As IoT for health care continues to evolve, we expect to see federal and state statutes and regulations evolve to address privacy and security concerns.