Every day, my Fitbit tracks my calories burned and steps taken. The app on my phone calculates how much protein and fat I’ve consumed based on the foods I ate. Another app uses GPS to track how far I’ve run and in how much time. These are just a few ways the Internet of Things (IoT) impacts my daily health, and it’s only just the beginning.
The healthcare industry is rapidly developing wireless medical devices that continuously monitor heart rate, blood pressure, sleeping schedules and more. These devices offer an unmatched amount of data that is useful for you and your doctor to track your health, send alerts if any thresholds are crossed, and reduce time spent at the doctor’s office. 
With the continuous development of these devices, it’s likely we will soon see major advances in healthcare tools, like medical apparatuses that are implanted into bodies to regulate insulin and sugar levels or to manage heart and lung functions. On an organizational level, tracking devices throughout a hospital can measure operational efficiency, reduce patient wait time by collecting data on a patient’s steps and identify patient traffic jams.
Connected devices can yield tremendous benefits, but also come with security, privacy, and business challenges. That’s the topic of this week’s National Cyber Security Awareness Month theme. Below, we look at some of the hidden costs that healthcare organizations must consider as they implement cutting-edge connected technologies, while still providing security, safety and privacy. (For even more hidden costs, read our Healthcare Informatics article “The Real Cost of a Healthcare Data Breach”):
- Many Health Insurance Portability and Accountability Act (HIPAA) breaches are caused by lost or stolen devices that contain Protected Health Information (PHI). As PHI devices multiply swiftly, the risk of breaches and stress of keeping track of devices increases. Combating these breaches involves maintaining, through customized or manual solutions, an inventory of all authorized devices used to collect patient information and a list of who is allowed to access each device. This is a labor intensive effort that usually goes beyond the initial cost of the technology itself.
- The wireless network in which healthcare tools operate is more vulnerable to exploit and potential data overload than the device itself. As the number of entryways into your network expand, proper authentication and managing of data becomes increasingly important to ensure continuous availability of information to those who need it. Limiting the amount of data each device collects and segregating this information also helps further decentralize exploits. For example, a heart rate monitor may track a patient’s number with corresponding heart rate information while the network that matches a patient’s number to their identity is stored on a separate system.
- New technology is dependent on its managers, users and software. Human error can be attributed to a vast majority of data breaches. Proper training and testing of workforce effectiveness is the best defense to human error. New tools come with new skills that require time to be learned and mastered. This time and resource requirement is often overlooked and neglected. Training for new devices should include all users of the tool, not just the IT back office. All users of these devices should be instructed on best practices and periodically tested for effectiveness.
- All the additional information that these devices collect adds to the growing “pot of gold” of PHI stored on your systems. PHI is the most valuable of personal information due to its permanency, advanced level of detail, and opportunity for insurance and medical fraud. Unlike credit card numbers, your patients cannot replace their medical history overnight. The use of PHI is the highest level of identity theft and involves some of the most personal and sensitive information about our lives. Healthcare managers cannot overlook this factor and need to invest in securing information collected along with the benefits this information provides.
- Finally, every responsible healthcare organization should do their best by planning for the worst. That includes creating a business continuity plan to maintain operations in the event of a breach or ransomware situation such as those experienced by numerous healthcare providers in 2016. While they require an investment of time, business continuity plans are essential features of a corporate risk management plan because they ultimately reduce the cost of a cyber incident by preserving access to critical business information and assets. Click Here for our Infographic on “Four Ways to Get Started on a Business Continuity Plan.”
Healthcare managers must keep the investment of people in mind regardless of how advanced and developed technology becomes. Consider the time it takes to train managers on new software and devices, train all users on proper and acceptable use procedures, and the overall effort to maintain access lists, inventories, and patch management. Vendors will offer training, but it’s up to the healthcare organization to ensure proper use and protection of information. After all, saving $2 million in operational efficiencies means less after a $2 million HIPAA violation fine.
