Health IoT Adoption in the HIPAA Compliance Landscape

In Security by Carolina Curby-Lucier


By 2022, the healthcare IoT will likely reach a valuation close to half of a trillion dollars. While many advancements push the connected healthcare market forward, ePHI (electronic protected health information) security remains a distinct challenge.

Discover the Growing Healthcare IoT Market

IoT in Healthcare

Also known as IoMT (Internet of Medical Things), the healthcare IoT market puts sensor capabilities and big data analytics to work for the benefit of individual and population health. Wearable devices exist on the cusp of a vast field of connected medical devices. From telemedicine to smart pills, technology will touch almost every aspect of healthcare in coming years.

IoMT creates new pathways for knowledge sharing and analytics, but it also opens the door to critical security challenges. Ransomware attacks in 2016 showed the world the vulnerabilities of healthcare organizations. The IoT-driven DDoS attack on Dyn Inc. in late 2016 only affected websites. However, the next IoT-driven attack could render heart monitors or connected surgical tools unusable and put lives at risk. A vital factor in the future of data security is an understanding of both IoT and HIPAA compliance.

Explore Changes in the Healthcare IoT Market

Current HIPAA regulations, specifically the Security Rule, discuss the accessibility, integrity, and confidentiality of all ePHI (electronic protected health information), but they don’t specifically govern IoT devices. All insurance companies, care providers, and clearinghouses that create, receive, use or maintain ePHI must protect any sensitive information.

For other entities, however, compliance isn’t as clear. Many unanswered questions highlight the need for additional legislation dictating who’s responsible for the protection of ePHI and IoT. For example, does an app/IoT device manufacturer owe consumers a HIPAA level of security for maintaining records of weight, heart rate, blood pressure, and other health insights?

In addition to the possibility of new covered entities, healthcare companies must consider the limitations of the HIPAA Security Rule. Like many cybersecurity standards, the rule only helps an organization provide reasonable care for ePHI. It does not outline case specifics for existing or new technologies.

The IoT industry may face additional regulations from the FDA, FCC, and the FTC among other entities, plus healthcare-specific regulations. In early 2015, the FTC released a report underscoring the need for security in the IoT industry. The Commission cited four main areas for consideration: data handling, consumer notification and choice, security, and the creation of formal legislation. Later this year in November 2017, a Drug Supply Chain Security Act (DSCSA) regulation will come into effect to track and trace medication, including serialization, reporting and verification tracking guidelines.

To protect themselves, IoT device manufacturers, software developers, and ePHI handlers can implement secure hardware and software measures according to industry best practices.

For instance, Apple recently revealed that it is developing sensors to non-invasively monitor blood sugar levels to treat diabetes. However, what it does with that data is critical: Apple's health data will need to be stored in a secure, HIPAA-compliant data repository once the product launches.

Develop Industry Best Practices for HIPAA Compliance and Beyond

HIPAA may not yet address IoT devices specifically, but regulation and technology are inevitably connected. As industry standards evolve, use these best practices to protect patients and devices from dangerous attacks:

  1. Recognize all vulnerabilities. Users, hardware, software, and data transmission all represent possible IoT vulnerabilities. Take steps to secure each of these entry points against attack. Use automated systems to monitor access control, security programs, and device usage patterns. Encrypt data using industry best practices to decrease the risk of ePHI exposure. For instance, device manufacturers need a plan to provide safe updates to the healthcare organizations they serve, as vulnerabilities can result from errors in software code. On the flip side, healthcare organizations can put pressure on their vendors to stay current in risk management.
  2. Invest in devices carefully. Individual device components may represent possible IoT threats. As the field of IoT advances, security from technologies such as blockchains may help healthcare organizations prevent, identify, and address threats more quickly than ever before.
  3. Communicate clearly with end users. IoT means businesses need to worry about more than employee device usage. They also need to consider patient use. All end users need to understand best practices for using IoT devices in the medical industry.

As the industry evolves and rules like HIPAA expand to govern IoT devices, take steps to protect your company from cyberthreats. HIPAA represents industry best practices that apply to all sensitive data.

Additional Resources on This Topic:

IoT Devices are Hackable in Under Three Minutes, Researchers Warn
New Healthcare IoT ideas on the Rise
Medical Internet of Things and Big Data in Healthcare

This article was first published on

As OnRamp’s Marketing Manager, Carolina leads the content strategy, SEO, product launch, and communication efforts at OnRamp. With experience in managed hosting, cloud computing and VoIP, she translates complex concepts into simple terms that potential customers and partners can understand and use to build compliant IT solutions.
