November 25, 2015

Hey Health Care Professionals! Let's Solve Security

I love how readily the health care industry has taken to the IoT. You folks are leading the way in both enterprise and consumer-facing M2M technology, implementing solutions throughout your infrastructure with the goals of efficiency, cost savings, and most importantly, better patient health.

The only problem is that your security apparently has more holes than an exceptionally stinky Jarlsberg. I was at the IoT Security 2015 conference Sept. 22 and 23 in Boston, where we talked about everything there was to consider in engineering a better, safer, more private, and more secure IoT. Although it was clear that every aspect of the system needs work, with better encryption of data and connectivity signals a primary goal, better training of personnel and security on devices seemed to be the key first steps for everyone.

The two strategies will work quite well together, in fact. New devices should be loaded with high-end authentication mechanisms that tie into cloud software so that biometric or other coding gives staffers who need access to devices the correct access while maintaining privacy.

Meanwhile, they can be trained alongside existing HIPAA-regulated training to properly interact with these connected devices so logging of patient information can be seamlessly achieved. Since all of this technology is already available, and the hospitals, clinics, and pharmacies are all aware of it, what’s the hold-up? Well, the panel of expert speakers from Symantec, San Diego Health Connect, Ryerson University, and Strategy Analytics seemed to be in agreement about that: the lawyers.

It’s not that anyone said the lawyers don’t mean well (someone totally did say that). Really, though, it seems that the legal regulations are making everyone in the health care complex a bit gun shy when it comes to liability and possible litigation. As a result, the administrators are very careful to stay within the letter of the compliance requirements to avoid getting sued instead of upgrading systems before being mandated to do so by HIPAA.

The thing is, these upgrades are totally within the spirit of the regulations. HIPAA was designed to protect patient privacy and make hospitals and the like responsible for maintaining that privacy. The best way to do that is to put better, secure technology into the hands of the health care professionals trying to do their jobs. Right now, many of the connected devices currently in use are vulnerable to anyone with the most basic knowledge of how connectivity works. Once that’s discovered, institutions only have two choices: disconnect the IoT functions, making the device much less functional for taking care of the patient’s health, or upgrade it with better security and get back into the grey area beyond the letter of the regs.

The only thing we have to fear isn’t fear this time. It’s poor health care. We need to get beyond this fear and make some progress into the connected world. The regulations want patients to be safer, which is possible with new devices, loaded with advanced encryption and authentication protocols. Without those devices, we have hospitals full of dumb devices that could be smarter, or smart devices that could potentially hemorrhage patient data into the hands of bad actors.

And that’s already happening big time. According to a report in The Washington Post, more than 120 million people have had their data compromised since 2009 in more than 1,100 separate breaches at organizations handling protected health data. The Post got its data from the Department of Health and Human Services.

We’re at the cusp of a crisis. The health care industry was one of the first to see the potential of the IoT, one of the earliest adopters of it, and is poised to make the most difference in the lives of consumers in a real way. If the industry doesn’t make devices that are clearly compliant with HIPAA and other regulations, health care organizations won’t feel comfortable continuing to lead the way. And if the health care organizations don’t put the pressure on to make that happen, they will lose their lead and advantage.

And if all that doesn’t happen, the real losers will be the patients. And they’re getting impatient.

That’s a little joke.

But if this doesn’t happen — and soon — no one is going to be laughing except the lawyers. Let’s work together so that doesn’t happen, shall we?

Edited by Ken Briodagh
