How to Make HIPAA Compliant IoT Healthcare Solutions

These best practices in security and health tech will provide fantastic guidance in building compliant healthcare IoT solutions.

May 23, 2018

While IoT in healthcare may be a relatively new area of expertise, there is still a wealth of best practices we can pull from in both general IoT security and health technology development to build HIPAA-compliant IoT solutions.

Here are some key steps you can take to set your healthcare IoT business in the right direction from Day 1.

Start from ground zero with security in mind

The best time to build security into a solution is before you build it. Companies should review the areas of vulnerability in both their organizational structure and their technology model, so that attackers cannot capitalize on easily avoidable weaknesses.

Risk manage your data aggregation

A huge mistake in IoT security is assuming that a solution must collect as much data as possible from a user for future analytics. Collecting only what is absolutely necessary for a device or platform to function protects your business from accidentally slipping up on HIPAA regulations for less critical data. All PHI collected should have a clear and detailed purpose. If there is no specific reason to collect a data point – don’t.

To make the point stronger, think back to when you bought an item on Amazon. Did it ask for your Social Security Number? No, because each personally identifiable data point collected is a liability to the company. This holds true for healthcare IoT as well. A connected blood glucose monitor should not ask for a patient’s phone number unless it is a requirement for successful functionality.

Store and transmit all PHI in secure environments

Every bit of personally identifiable data needs to be stored in HIPAA-compliant environments. Luckily, over the past few years, a number of cloud platforms have adopted environments that are fully HIPAA-compliant. Amazon Web Services is one of these cloud platforms. Amazon operates a shared responsibility model with its clients: it provides the security of the cloud itself and hands off the security of the data in the cloud to the customer. By ensuring PHI is stored in secure environments, companies can focus on the security of the data itself and worry less about the vulnerability of the data storage. In addition, cloud storage is often cheaper and gives quicker access to data than on-site data storage servers.

Manage points of vulnerability

People: Companies have a responsibility to educate their end users on best practices to keep their information safe. In the case of healthcare IoT, many of these end users will be those working in covered entities under HIPAA – they may be familiar with the best practices for security, or they may not be. It’s critical to train these users regularly to keep them up to date on meaningful use of the data.

Sensors/devices: If you are utilizing another company’s devices or sensors for your IoT platform, choose devices carefully. Make sure that the individual components of a sensor or device are not openly vulnerable to attacks. Even though the devices may come from a third party, the company that deploys them is also liable for any breaches that occur through the connected devices or sensors, whether they are built in-house or contracted. Verify with specialists if you are unsure whether a sensor or device is particularly vulnerable.

Portals: All portals that give access to PHI should have local session timeouts and re-authentication after inactivity built in. What does this look like? Sign onto your bank’s mobile app and leave it sitting for 10-15 minutes. Bet you dimes to donuts you were signed out and are being asked to log in again to access your information. Financial technology has been successful at widespread adoption (and acceptance!) of local session timeouts; this should be rolled over to the healthtech industry as well.
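As an added illustration of the idle-timeout rule above (example code written for this article, not from any product or vendor it names), here is a minimal portal session store that forces re-authentication after 10 minutes without activity and also caps total session lifetime; the timeout values, the injectable clock and all names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Timeout policy (assumed values, chosen to match the 10-15 minute idle window described above).
IDLE_TIMEOUT_SECONDS = 10 * 60          # lock the portal after 10 minutes without activity
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60  # and never let a session outlive a shift, however active


@dataclass
class Session:
    user_id: str
    created_at: float
    last_activity: float
    # Unguessable opaque token; the client holds this, the server holds the timestamps.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class PortalSessions:
    """In-memory session store. `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str) -> str:
        """Called only after the user has authenticated; returns the session token."""
        now = self._clock()
        session = Session(user_id=user_id, created_at=now, last_activity=now)
        self._sessions[session.token] = session
        return session.token

    def authorize(self, token: str) -> Optional[str]:
        """Return the user_id for a live session, or None when the caller must re-authenticate.
        An expired session is deleted on first sight, so a stale token can never be revived."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session.last_activity
        age = now - session.created_at
        if idle_for > IDLE_TIMEOUT_SECONDS or age > ABSOLUTE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        session.last_activity = now  # activity resets the idle clock, never the absolute one
        return session.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

Every request that touches PHI should go through `authorize` first; a `None` result means the portal shows the login screen, not the data.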

Utilize role-based access control (RBAC)

Not every user of an IoT solution needs to see every piece of information collected. Employees should only be able to access data that allows them to perform their tasks effectively. An organization can decide what bestows more data access privileges: job title, responsibility, tenure, or intensive data security training. By utilizing RBAC, companies can ensure to a higher degree that their employees will not become a source of vulnerability to breaches.
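To show what RBAC over PHI looks like in code, here is an added example (written for this article, not code from any product it mentions) that maps roles to the record fields they may read and returns only the permitted view of a glucose-monitor reading; the roles, field names and sample record are constructed assumptions.

```python
from typing import Dict, FrozenSet, Optional, Set

# Role -> PHI fields that role may read. Constructed for this example, not a real policy;
# a real deployment derives this from job responsibility, as the section above describes.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "clinician":      frozenset({"patient_id", "name", "glucose_mg_dl", "reading_time", "device_id"}),
    "device_support": frozenset({"device_id", "reading_time", "firmware_version"}),
    "billing":        frozenset({"patient_id", "name", "reading_time"}),
    "data_analyst":   frozenset({"glucose_mg_dl", "reading_time"}),  # readings without identity
}

# Constructed sample record from a connected glucose monitor (not real patient data).
SAMPLE_READING: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "glucose_mg_dl": 112,
    "reading_time": "2018-05-23T08:15:00Z",
    "device_id": "GLU-1234",
    "firmware_version": "2.1.0",
}


class AccessDenied(PermissionError):
    """Raised when a caller explicitly asks for a field its roles do not permit."""


def permitted_fields(roles: Set[str]) -> FrozenSet[str]:
    """Union of the permissions of every role held; unknown roles grant nothing (fail closed)."""
    allowed: Set[str] = set()
    for role in roles:
        allowed |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(allowed)


def read_record(record: Dict[str, object], roles: Set[str],
                requested: Optional[Set[str]] = None) -> Dict[str, object]:
    """Return the view of `record` that `roles` may see.

    With no explicit field list, the record is filtered down to the permitted fields.
    With an explicit list, any field outside the permission set fails the whole request
    instead of silently returning a subset, so over-reach shows up in the audit trail."""
    allowed = permitted_fields(roles)
    if requested is None:
        return {k: v for k, v in record.items() if k in allowed}
    denied = set(requested) - allowed
    if denied:
        raise AccessDenied(f"roles {sorted(roles)} may not read {sorted(denied)}")
    return {k: record[k] for k in requested if k in record}
```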

Understand what you and your team can do, and what needs to be tackled by experts

Don’t expect your brand-spankin’ new engineering team to be all-knowing HIPAA security specialists. Each team member should understand their role and how they can help uphold data security. They should also understand when to hand off vulnerability and penetration testing, or other facets of the business that deal with PHI, to experts. There is a whole field built around expertise in healthcare platform security for a reason.

As examples, Protenus utilizes AI technology to protect patients’ data in the hands of healthcare organizations, and Aptible streamlines HIPAA compliance for web and mobile developers so they can more easily work in healthcare and worry less about documenting infrastructure. It is critical to have your architecture reviewed and tested by data security specialists regularly to ensure top-level compliance. There is no guarantee that vulnerabilities will not appear over time, and it’s best to get a handle on them early, before data can get into the wrong hands.

As time goes on and we begin to see even larger rates of IoT adoption into healthcare and covered entities, we will better understand the parameters associated with HIPAA and IoT. Until then, best practices in security and health tech will provide fantastic guidance in building healthcare IoT solutions.
