
Healthcare IoT Adoption in the HIPAA Compliance Landscape

By 2022, the healthcare Internet of Things (IoT) will likely reach a valuation close to half of a trillion dollars. While many advancements push the connected healthcare market forward, ePHI (electronic protected health information) security remains a distinct challenge.

Discover the Growing Healthcare IoT Market

Also known as IoMT (Internet of Medical Things), the healthcare IoT market puts sensor capabilities and big data analytics to work for the benefit of individual and population health. Wearable devices exist on the cusp of a vast field of connected medical devices. From telemedicine to smart pills, technology will touch almost every aspect of healthcare in coming years.

IoMT creates new pathways for knowledge sharing and analytics but also opens the door to critical security challenges. Ransomware attacks in 2016 showed the world the vulnerabilities of healthcare organizations. The IoT-driven DDoS attack on Dyn Inc. only affected websites in late 2016. However, the next IoT-driven attack could render heart monitors or connected surgical tools unusable and put lives at risk. A vital factor in the future of data security is the understanding of both IoT and HIPAA compliance.

Explore Changes in the Healthcare IoT Market

Current HIPAA regulations, specifically the Security Rule, discuss the accessibility, integrity, and confidentiality of all ePHI (electronic protected health information), but they do not specifically govern IoT devices. All insurance companies, care providers, and clearinghouses that create, receive, use or maintain ePHI must protect any sensitive information.

For other entities, however, compliance is not as clear. Many unanswered questions highlight the need for additional legislation dictating who is responsible for the protection of ePHI and IoT. For example, does an app or IoT device manufacturer owe consumers a HIPAA level of security for maintaining records of weight, heart rate, blood pressure, and other health insights?

In addition to the possibility of new covered entities, healthcare companies must consider the limitations of the HIPAA Security Rule. Like many cybersecurity standards, the rule only helps an organization provide reasonable care for ePHI. It does not outline case specifics for existing or new technologies.

The IoT industry may face additional regulations from the FDA, FCC, and FTC, among other entities, plus healthcare-specific regulations. In early 2015, the FTC released a report underscoring the need for security in the IoT industry. The Commission cited four main areas for consideration: data handling, consumer notification and choice, security, and the creation of formal legislation. Later this year, in November 2017, a Drug Supply Chain Security Act (DSCSA) regulation will come into effect to track and trace medication, including serialization, reporting, and verification tracking guidelines.

To protect themselves, IoT device manufacturers, software developers, and ePHI handlers can implement secure hardware and software measures according to industry best practices.

For instance, Apple recently revealed that they’re developing sensors to noninvasively monitor blood sugar levels to treat diabetes. However, what they do with that data is critical; Apple’s health data will need to be stored in a secure, HIPAA-compliant data repository once it’s launched.

Develop Industry Best Practices for HIPAA Compliance and Beyond

HIPAA may not yet address IoT devices specifically, but regulation and technology are inevitably connected. As industry standards evolve, use these best practices to protect patients and devices from dangerous attacks:

  1. Recognize all vulnerabilities. Users, hardware, software, and data transmission all represent possible IoT vulnerabilities. Take steps to secure each of these entry points against attack. Use automated systems to monitor access control, security programs, and device usage patterns. Encrypt data using industry best practices to decrease the risk of ePHI exposure. Because vulnerabilities can result from errors in software code, device manufacturers need a plan to deliver safe updates to the healthcare organizations they serve. On the flip side, healthcare organizations can put pressure on their vendors to stay current in risk management.
  2. Invest in devices carefully. Individual device components may represent possible IoT threats. As the field of IoT advances, security from technologies such as blockchains may help healthcare organizations prevent, identify, and address threats more quickly than ever before.
  3. Communicate clearly with end users. IoT means businesses need to worry about more than employee device usage. They also need to consider patient use. All end users need to understand best practices for using IoT devices in the medical industry.
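The first best practice above calls for automated monitoring of access control and device usage patterns. The following is an added example, not code from the original post or from LightEdge or Fortinet, of what such a check can look like over a device audit log. The log format, device names, patient identifiers, assignment table and thresholds are all constructed for illustration; a real deployment would read the audit trail produced by its own access-control system and tune the thresholds to observed baselines.

```python
"""Flag anomalous ePHI access by connected medical devices from an audit log.

Constructed example. Assumed log format, one event per line:
    <ISO timestamp> <device id> <action> <patient id> <OK|DENIED>
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log for three hypothetical devices.
SAMPLE_LOG = """\
2017-10-02T08:00:05 infusion-pump-17 READ patient-1001 OK
2017-10-02T08:00:09 infusion-pump-17 WRITE patient-1001 OK
2017-10-02T08:01:10 heart-monitor-04 READ patient-2042 OK
2017-10-02T08:01:12 heart-monitor-04 READ patient-2042 OK
2017-10-02T08:02:00 heart-monitor-04 READ patient-3555 OK
2017-10-02T08:02:30 heart-monitor-04 READ patient-3556 OK
2017-10-02T08:02:31 heart-monitor-04 READ patient-3557 OK
2017-10-02T08:03:00 tablet-nurse-09 READ patient-1001 DENIED
2017-10-02T08:03:01 tablet-nurse-09 READ patient-1001 DENIED
2017-10-02T08:03:02 tablet-nurse-09 READ patient-1001 DENIED
"""

# Hypothetical assignment table: which patients each device may touch.
ASSIGNMENTS = {
    "infusion-pump-17": {"patient-1001"},
    "heart-monitor-04": {"patient-2042"},
    "tablet-nurse-09": {"patient-1001", "patient-1002"},
}

# Thresholds chosen for the example, not derived from any standard.
MAX_DISTINCT_PATIENTS_PER_HOUR = 3   # fan-out beyond this is suspicious
MAX_CONSECUTIVE_DENIED = 3           # repeated denials suggest a misconfigured or misused device


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped and counted."""
    events, malformed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            malformed += 1
            continue
        ts, device, action, patient, result = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            malformed += 1
            continue
        events.append({"when": when, "device": device, "action": action,
                       "patient": patient, "result": result})
    return events, malformed


def find_anomalies(events, assignments):
    """Return (device, finding) tuples for events that violate the usage policy."""
    findings = []
    per_hour = defaultdict(set)       # (device, hour) -> distinct patients seen
    denied_streak = defaultdict(int)  # device -> current run of DENIED results
    reported_unassigned = set()
    for ev in events:
        device, patient = ev["device"], ev["patient"]
        # 1. A successful access to a patient outside the device's assignment means
        #    the access-control layer allowed something the policy did not intend.
        if ev["result"] == "OK" and patient not in assignments.get(device, set()):
            if (device, patient) not in reported_unassigned:
                reported_unassigned.add((device, patient))
                findings.append((device, f"accessed unassigned {patient}"))
        # 2. Fan-out: one device touching many distinct patients within an hour.
        hour = ev["when"].replace(minute=0, second=0)
        bucket = per_hour[(device, hour)]
        before = len(bucket)
        bucket.add(patient)
        if before <= MAX_DISTINCT_PATIENTS_PER_HOUR < len(bucket):
            findings.append((device, f"{len(bucket)} distinct patients in one hour"))
        # 3. Repeated denials from the same device (reported once per streak).
        if ev["result"] == "DENIED":
            denied_streak[device] += 1
            if denied_streak[device] == MAX_CONSECUTIVE_DENIED:
                findings.append((device, f"{MAX_CONSECUTIVE_DENIED} consecutive denied requests"))
        else:
            denied_streak[device] = 0
    return findings


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for dev, msg in find_anomalies(evs, ASSIGNMENTS):
        print(f"{dev}: {msg}")
    print(f"{bad} malformed line(s) skipped")
```

Run against the constructed log, the infusion pump produces no findings, the heart monitor is flagged for reading three patients it is not assigned to and for its fan-out across four patients in one hour, and the nurse tablet is flagged for three consecutive denied requests. The point of the design is that each rule is evaluated from the audit trail the access-control system already produces, so monitoring usage patterns does not require changes to the devices themselves.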

As the industry evolves and rules like HIPAA expand to govern IoT devices, take steps to protect your company from cyber threats. HIPAA represents industry best practices that apply to all sensitive data.

Are Your IoT Devices HIPAA Compliant?

With the proper security safeguards in place, healthcare organizations can avoid risks and embrace rewards of IoT devices.

Security and compliance not only protect businesses from excessive regulatory fines, they also protect their critical data from threats and breaches. Fortinet’s high-performance security platform has solutions for the core, the edge, and access. The network operating system is flexible enough for deployments of all sizes and environments, from carriers to small businesses.

Use LightEdge’s and Fortinet’s network security fundamentals to protect, monitor and act against threats. Start today by beginning your free Fortinet Cyber Threat Assessment Program and receive a report on your security and threat prevention, user productivity, and network utilization and performance.

In addition to Fortinet’s network security assessment, LightEdge offers secure data center colocation solutions at our Des Moines, Kansas City, Omaha, Austin, and Raleigh data center facilities. As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite.

LightEdge also offers all of our clients a free risk assessment from our Chief Security Officer and Chief Compliance Officer. LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected. Compliance and security are top priorities to guarantee that your data is protected. LightEdge is compliant with:

If you are interested in enrolling in the Cyber Threat Assessment Program, or in touring any of our 7 world-class data centers, contact us here. We have network security experts standing by to answer your questions or to help you begin Fortinet’s free Cyber Threat Assessment Program.

If you would like to learn more about compliance and security download our free E-book, Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid Risks, or you can download our How to Tech Guide for Encryption for Data Security.
