Business Law Articles
By: David E. Restrepo
The Internet of Things (IoT) is a term used to reference the ability of various everyday objects to connect to the internet through the transfer of data. It includes products or systems connected to technologies or networks which allow the transmission and receipt of data without human interaction. These systems are transforming industry, government, transportation, and our homes. Practical examples include cell phones, cars, home appliances, popular health-related consumer products such as Fitbit, and other wireless-enabled wearable devices that track a variety of activities, such as steps walked, hours slept and heart rate. It is estimated that by 2020, more than 24 billion internet-connected devices will be installed globally, more than four devices for every human on earth.
Like other industries, health care is adopting connectivity options and using IoT in its clinical care settings, often with mobile or wearable devices. However, an increase in integration for entities within the health care sector creates additional privacy and security concerns.
Security and Privacy Concerns
The health care industry has become a preferred target for hackers due to the significant value of patient information on the black market, and the surge in the number of devices collecting and storing data creates more targets for hackers. According to a report published by IBM, cybercriminals attacked the health care industry at a higher rate than any other sector in 2015, with more than 100 million health care records reportedly compromised.
The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities such as health systems, providers, and hospitals protect electronic patient information against reasonably anticipated security threats. The rule is flexible, mandating that covered entities assess their security needs based upon several factors, including the entities’ size and scale.
While the increased use of internet-connected medical devices may not have been anticipated when HIPAA was created, data collected on wearable devices that a hospital or physician gives a patient to use is protected under HIPAA, and providers need to avoid enabling unauthorized access to and misuse of personal information. Covered entities should keep existing policies current and maintain systems that cover mobile or internet-connected devices and the patient data transmitted on them. While some data collected on IoT devices may not be classified as HIPAA-protected, covered entities need to make sure that specific medical information, for example heart rate or blood pressure, is not or cannot be linked to the patient. If possible, covered entities should seek to limit the information collected by a device to the data required for the device’s particular purpose, and ensure that access to the information is limited to authorized persons. Further protections such as encryption technology, particularly when applied as close to the generating source as possible, can effectively render the information useless to hackers and should be considered for all IoT devices. Also, health care entities should not overlook the physical security of the devices themselves, making sure that devices are configured to prevent access to data storage through the device’s physical components.
Benefits to Providers and Patients
Despite the challenges and obstacles associated with the use of new technologies, adopting systems using IoT can benefit both patients and providers. Medical device locations or usage activity can be tracked, reducing downtime. Utilizing IoT systems can also assist the supply chain with order or loss control, track drug management and capture equipment inventory. Building systems such as fire alarms or the temperature and humidity in operating rooms can be monitored and controlled remotely. Patients can be tracked throughout the system, allowing clinical staff to adjust for overcrowding in emergency rooms or backlogs in surgical suites. Patients can capture and share their health data remotely, allowing providers to monitor chronic disease conditions at home or in locations outside more expensive hospital settings. An implanted device monitoring the vital signs of a diabetic or heart patient could improve health status through early intervention and lower care costs before the condition becomes more serious. Increased integration of IoT devices that collect real-time biometrics and can detect symptoms of an imminent medical event may increase the awareness of the health condition, lessen emergency response time, and increase the effectiveness of treatment.
As health care IoT is adopted more widely, new systems fostering population-based evidence reporting, along with sophisticated analytical capabilities, could lead to more personalized and effective care plans. However, entities should perform a careful evaluation of existing security measures and policies in order to mitigate the risks that come alongside the many advantages offered through increased connectivity.
 FTC Staff Report, Internet of Things – Privacy & Security in a Connected World (Jan. 2015), https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
 BI Intelligence, Business Insider, There Will Be 24 billion IoT Devices Installed On Earth By 2020 (June 9, 2016), http://www.businessinsider.com/there-will-be-34-billion-iot-devices-installed-on-earth-by-2020-2016-5.
 Anne W. Mathews & Danny Yadron, The Wall Street J., Health Insurer Anthem Hit by Hackers (Feb. 5, 2015), http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.
 IBM Security, 2016 Cyber Security Intelligence Index, A Survey of the Cyber Security Landscape for Healthcare, http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SE912352USEN (last visited Dec. 12, 2016).
 Kristen Lee, TechTarget, Wearable Health Technology and HIPAA: What Is and Isn’t Covered, http://searchhealthit.techtarget.com/feature/Wearable-health-technology-and-HIPAA-What-is-and-isnt-covered (last visited Dec. 1, 2016).
 Bo Dagnall, The Guardian, Bringing IoT to the World of Healthcare (Dec. 1, 2016),