In some respects, IoT is in a “Wild West” stage of its development. This isn’t to say shootouts at high noon are breaking out across the space, but we are definitely in a period where the ability to connect is outpacing some industries’ ability to protect the data they transmit and receive. A recent Ponemon Institute/IBM survey found that a third of apps, across all industries, are not tested prior to deployment and that only eight percent are tested during production, development and post-development. The study also found that 65 percent of respondents believed security had taken a backseat to market demand or development needs.
Healthcare is among the industries most welcoming of IoT adoption, but it is also saddled with a great responsibility to maintain patient privacy. Securing sensitive patient data is, of course, the right thing to do, but healthcare is also legally obligated to do so. Regulatory mandates such as HIPAA and HITECH require every organization, from the smallest doctor’s office to the largest hospital system, to ensure that data is locked down, under threat of significant fines and other penalties.
As health records moved from the file cabinet to the network, this data became a prime target for criminals of all varieties. Some estimates suggest an electronic health record can fetch as much as $50 on the black market, compared to $1 for a stolen Social Security number or credit card number. With IoT the story is similar: the valuable data produced by wearable devices and health-based apps is of great interest to criminals.
And demand for these technologies continues to skyrocket, as evidenced by the U.S. Food and Drug Administration’s finding that 500 million smartphone users will use a medical app this year alone, with that number rising to 1.7 billion in 2018. The American Medical Association announced this year the “development and dissemination of best practices to guide the development and use of mobile medical apps,” which will only foster greater utilization of healthcare IoT.
So the mandate for all healthcare stakeholders is clear: the expansion of healthcare IoT applications, and a rapid expansion at that, is occurring in real time, and securing these important technological advances demands far greater attention. As William A. Tannenbaum recently pointed out, there are six critical questions that healthcare organizations should ask before embarking on any IoT initiative:
- Do the devices store and transmit data securely?
- Do they accept software security updates to address new risks?
- Do they provide a new avenue to unauthorized access of data?
- Do they provide a new way to steal data?
- Do they connect to the institution's existing IT infrastructure in a way that puts the data stored there at greater risk?
- Are the APIs through which software and devices connect secure?
We are witnessing a transformative era for healthcare, as technology gives physicians access to data that was once unattainable and lets patients more proactively influence their own outcomes. But with this advance, the opportunity for perpetrators to do harm is just as great. A more dedicated commitment to innovation that secures the information IoT creates is critical to an environment that keeps patients safe and healthcare organizations compliant.