IoT and Healthcare Information Security

Reading Time: 7 minutes

Mobility has become mainstream: over 6 billion objects connected to the Internet this year and are expected to hit 50 billion by the year 2020.

The world’s largest conference dedicated to the Internet of Things (IoT) kicks off this month in Silicon Valley for the third year running, and the conversation is no longer focused just on FitBits and talking cars.

“As new industries have embraced the IoT, the depth and breadth of our topics and speakers have more than doubled since last year.

Whether we’re talking about making payments through your car, or healthcare sensors that will literally save lives, the IoT is on its way to affecting the quality of life for almost every person on the planet,” said Gavin Whitechurch, Founder of Internet of Things World.

He’s right. Nearly everyone will be touched by IoT, and now, more than ever, faulty cybersecurity could unleash colossal threats. The importance of a nurturing, secure infrastructure will only grow as IoT roots deeper into the framework of healthcare information technology.

This spring, MIT debuted its first online course on the Internet of Things. Twelve faculty members will lead the course and help steer the conversation around consideration of the possibilities and ramifications of IoT, taking into account how crucial this education is for engineering, computer science, telecommunication, and healthcare industries.

“Because the Internet of Things has the potential to awaken 99 percent of the devices around us, it’s more important than ever for educational institutions and organizations to remain on the cutting edge of this evolution,” Director of MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) Daniela Rus explained.

Just as academia bolsters for the future, the healthcare world has sprung into adaptation mode.

A Tale of Two IoTs: Internet of [Healthcare] Things Simply Isn’t IoT

The uptick in use of wearable sensors, networked devices, and home monitoring systems, each collecting medical information and sometimes treating patients, underscores the perils for healthcare providers if cybersecurity falls flat.

The nonprofit Healthcare Information and Management Systems Society’s annual HIMSS16 conference established how the Internet of Things is just so special when it comes to medical cybersecurity.

Speakers addressed how to apply risk models to device classifications in order to clarify threat levels, automated security management—especially with high numbers of connected devices—and inventory management options against existing technologies along with solid implementation plans.

As HIMSS16 speaker Senior Director of IT at Ascension Information Services Eric Miller put it “Vision is imperative to progress, but just as important as vision is the ability to make big ideas practical. The challenge is on how we make the vision a reality without reducing it. Explore our vision of the Internet of Healthcare Things and the plan to make it a practical reality today without reducing it (hint: efficiency and security are the key).”

Every day, patients and providers count on the connective network of systems and products reliant on the IoT. The pros often outweigh the cons when it comes to benefits of capturing health data on mobile medical applications and wearables. Hospitals can now track locations of medical devices, personnel, patients, and more through IoT.

A physician with Massachusetts General Hospital’s Medical Device Interoperability Program, Julian Goldman explained, “We’re looking at ways we can improve the quality and safety of healthcare. Unfortunately, preventable medical errors are all too common in hospitals today. In the U.S. alone the statistics are that around 200,000 to 400,000 per year die in hospitals due to preventable medical errors.”

“As we think about the complex system of the hospital environment with all the medical devices, information that has to be shared, and the increasing complexity of healthcare delivery, there clearly are opportunities to improve the quality and safety of healthcare.”

Where movement, storage, and administration of medications can improve healthcare workflow systems on one end, the Internet of Healthcare Things can also improve patient experiences, much like retail customer service. In the place of flash sales and speed returns, this could entail less readmissions, overall improved health routines, and upgraded access to health information.

Patients are already used to the idea of looking to social media for discovering their next physician. The Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) survey is considered to be a traditional tool in understanding patients’ perception of healthcare, however to better understand the patient experience, feedback from Yelp has proved more informative and is ranked 33rd in most visited websites in the United States, with 142 million unique monthly visitors.

Health Affairs states that Yelp is now the most widely used commercial website for hospital ratings in the country and, overall, 72 percent of U.S. Internet users sought out online health information in 2012, while 42 percent seek health-related reviews on social media.

As the patient experience evolves with online resources and our fast-paced digital lifestyle, daily needs of healthcare professionals are increasingly centered around mobility.

“We are seeing physicians using iPads or some level of tablets; we’ve seen patients engaging with iPhones or Android devices,” explained Harun Rashid, Vice President of Global Health Services and CIO at Children’s Hospital of UPMC in Pittsburgh. “The mobility factor has actually assisted significantly in helping [the] transformation of some of the care in some areas.”

Now, physicians can access tomorrow’s surgery schedule. Doctors can get up to speed with fetal heart rate patterns before a mother goes into labor in the delivery room. Providers can easily—and securely—sign in on mobile to sign off on medical notes. The notorious struggle of multiple surgeons vying for shared operating rooms becomes a less expensive hassle, freeing up more time for patients awaiting surgery.

In many ways, data gleaned from sensors and wearables can directly translate into healthcare cost reductions, informed, improved care, and empowered patients with more control over their clinical journeys.

If there’s one lesson to learn from the digital age of healthcare, it has to be “with great connectivity comes more threat.” As IoT continues to coalesce with healthcare, more unfamiliar clouds will appear on the horizon.

Eric Miller shared a recent project where white hat hackers at the Mayo Clinic had no difficulty hacking into several connected medical devices—an infusion pump delivering drugs and fluids into patients, for example. The hired hackers could all too easily connect his computer network with an infusion pump to gain remote control over manipulating the dosages.

“These devices need to be connected together in a very highly reliable way,” Stan Schneider, CEO of Real-Time Innovations noted. “You can’t have any dropouts. You have to know the data is there, you have to be very scaled. Our real goal is to make the connected, intelligent, distributed system part of the care team.”

“No Magic Answers” for Major Healthcare Obstacles

As helpful as the Internet of Things in healthcare may be, physicians may unknowingly be oversaturated with data and distractions. Hospitals may not know the long-term solutions and security protocols to safely navigate the techy waters of the BYOD and mobile health (mHealth) generation. Every day, new challenges surface in the drastically changing waters of healthcare information and its security.

Take mobility, for one. Obviously, in healthcare it’s not appropriate for every healthcare-related scenario. The COO at Intermountain Healthcare in Salt Lake City David Gardiner gives a perfect example, “It’s really hard to look at an X-ray really well on a phone. You probably need a bigger viewer to actually see whether you had a nodule in your lung.”

Gardiner goes on to suggest that he sees mobile as more of an extension of a job you’re trying to accomplish, rather than allowing for a mobile take over. “Healthcare is kind of complex, and you want to make sure that the complexity of the information, of the care that’s being provided is being captured in a way that represents [it], and it’s accurate,” he added.

Data makes for another perfect storm. How prepared are healthcare providers for all the new data coming their way? Hospitals without an action plan for new workflow needs and protocol for collecting and responding to different varieties of data depending on the urgency may feel like a fish out of water once real-time information comes in.

On the topic of data, even the tiny liaison between devices can be considered a threat. USB’s can be downright caustic when it comes to vulnerability for cyber attacks. One strategy that Executive Vice President, Chief Administrative Officer, and CIO at Phoenix Children’s Hospital David Higginson has taken is simple:

“There’s no magic answer, I would say. So you can take one strategy, which is we just shut off USB ports throughout the organization and try to stop people loading on content.”

However, that creates other issues, since folks still opt to share files via file-sharing accounts like Dropbox or OneDrive, which have files uploaded from US connection. Other hospital visitors, including lecturers and academics, usually only carry USB sticks. While encrypting any and all healthcare network data that leaves on that stick is becoming the norm, it often leaves USB drives with precious cargo—like family photos—inaccessible.

Of the 300 common healthcare data breaches reported to Baker Hostetler in 2015, one overarching lesson was clear: companies—with an emphasis on the healthcare industry—must focus on getting “compromise ready.”

Taking into account all of the companies in the study, healthcare made up 23 percent of the data security incidents last year and for the second year in a row, the industry made the top affected industries in the studies.

For peak preparedness, companies must have “preventative and detective security capabilities, procedures for gathering threat information, staff training and awareness, proactive security assessments, vendor oversight, updated incident response plans, regulatory understanding, and cyber liability insurance” in place.

The next steps towards better security are still being taken. While there may be no complete to-do list for healthcare providers, having clear goals, paying attention to the “patient engagement needle,” and embracing teamwork will fortify healthcare security.

During a SearchHealthIT Twitter chat with CIO of University of Pittsburgh Medical Center Rasu Shrestha, M.D., health experts clamored for improved patient experience. One idea that came about involved automated kiosks to expedite patient check-ins and assist in guiding them on their hospital journey.

Empowering healthcare professionals to join in the conversation is certainly a stride in the right direction. The Harvard Business Review explained that “Collaboration and ecosystems are particularly important in the emerging Internet of Things, where multiple companies across different industries must make sure that their offerings work with each other in a number of highly complex areas including health care, home automation, and smart cities.”

Outlining your next healthcare information security strategy? If you feel the need some rousing extracurricular practice, I personally recommend HealthIT.gov’s simulation game “Cybersecure: Contingency Planning.” Just like a perfect metaphor for moving into Industry 4.0, with each round, good decisions really can pay off.