The Internet of Things (“IoT”) is a concept that is becoming more and more important in HIPAA compliance. The Internet of Things generally is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity that enable these things to connect, collect, and exchange data. IoT involves extending internet connectivity beyond standard devices, such as desktops, laptops, smartphones, and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the internet, and they can be remotely monitored and controlled.
Our risk analysis always begins, after the risk analysis team or individual has been appointed to conduct it, with an inventory of all existing protected health information (“PHI”), wherever located, where it is maintained, and how it is used and transmitted. Our Risk Analysis ToolKit and consultants leading a risk analysis effort always remind those conducting a risk analysis to include all portable devices that may receive, contain, or transmit PHI whether or not they are the property of the entity, such as personal laptops, cell phones, personal memory devices, and the like. But as the technology has developed and more risks are discovered involving other types of devices, covered entities and business associates need to consider the IoT security principles.
Because the HIPAA Security Rule and the National Institute for Standards and Technology (“NIST”) Cybersecurity Framework, which the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recommends as a resource, overlap in certain areas, but health care organizations might need help understanding how the two can work together to create a comprehensive security program, OCR has released a crosswalk to help covered entities identify “mappings” between the HIPAA Security Rule and the NIST Cybersecurity Framework. Even if your organization has already aligned its security program to one or both approaches, the crosswalk can help you identify any potential gaps.
This blog post will discuss what devices may contain or transmit PHI other than the ones that we usually think of, such as cell phones and personal computers. Subsequent blog posts will discuss risks inherent in the IoT and security measures therefor.
A more specific definition than the general one, above, for health care is the Internet of Medical Things (“IoMT”): the collection of medical devices and applications that connect to health care IT systems through online computer networks. Medical devices equipped with Wi-Fi allow the machine-to-machine communication that is the basis of IoMT. IoMT devices link to cloud platforms, on which captured data can be stored and analyzed. IoMT is also known as health care IoT.
Devices other than the common ones that we all think of, such as cell phones, laptops, thumb drives, and the like, include the following:
- Wireless pill bottles. Devices that help patients manage health needs, such as dosage, reminders, treatments, and so forth, and provide phone notifications or text messages when a dose is missed.
- Devices that fit prescription bottles and notify patients when it is time to take medicines.
- Wearable health care devices. Think of Fitbits, for example. Devices that track your workouts, or medication devices that remind you to take medicines, check blood pressure, or measure heart rate, calories burned, walking, and other activities intended to improve health.
- Quell relief. A wearable device that calibrates a patient’s optimal stimulation level to provide maximum relief of symptoms. It is a smart device that knows what level of stimulation the patient needs during the day, delivers it, and adjusts to an appropriate level at night.
- Smart contact lenses. Google has developed a contact lens for diabetics that takes a teardrop and measures the wearer’s glucose level. It is also engineered to restore the natural autofocus of the eyes of those who wear contact lenses.
- Ulcer sensors. A device that senses when it is time for bedridden patients to turn to avoid bedsores and for ambulatory patients when they have been sitting too long, which can contribute to causing ulcers.
- Implantable devices, including these:
  - Deep brain neurostimulators.
  - Cochlear implants.
  - Gastric stimulators.
  - Foot drop implants.
  - Cardiac defibrillators/implants.
  - Insulin pumps.
And there are literally dozens if not hundreds of others.
Certainly not all of these IoT devices pose a high risk of a breach or other security and privacy issues. But unless you know that each individual IoT device that your practice encounters does not pose such threats because you have included all of them in your inventory so that you can perform a risk analysis of each device, you are taking a big risk yourself. And an unnecessary one.
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes is scheduled to present a webinar on Thursday, November 15, 2018, on “How to Do a HIPAA and HITECH Risk Analysis.” You can sign up for it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis.
If you need guidance on how to draft the policies and procedures that your risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.
If you have had a security incident and were unsure exactly what to do about it, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
As always, thanks for reading Jon’s blog, buying his books, attending our seminars and webinars, and hiring Jon for HIPAA consulting. We wish you every success with your HIPAA compliance efforts.