Julia Hesse Featured in HealthIT Security Magazine

This article originally appeared in HealthIT Security magazine.

The healthcare sector continues to adopt IoT technologies and move into the cloud at a rapid pace. But while these technologies support a value-based care model and can improve patient care, the tools can pose serious risks that organizations must address before introducing them to their network.

According to a recent report from Zion Market Research, the smart medical products global market will reach $67 billion by 2024. Smart medical products fall under the larger Internet of Medical Things (IoMT) market and are predicted to top $410 billion by 2020.

The market is driven by vendors and providers seeking new ways to reduce spending around chronic conditions, as well as to bolster population health.

Meanwhile, many providers are turning to the cloud for ease of storage and to support a hybrid service delivery model. According to a recent report from Gartner, the global public cloud services market is predicted to reach $186.4 in the next year.

Cloud, IoT and other smart devices can help support value-based care, patient engagement, and population health. However, many healthcare organizations still struggle with security around basic health IT tools. And these internet-enabled devices can add even greater risk to provider organizations.

It begs the question: how can organizations safely implement these tools? And what’s at stake if they don’t?

Introducing Risk

To Julia Hesse, a leading HIPAA attorney and partner with Choate, Hall & Stewart, there’s a lot to consider, as each device comes with its own system and its own risk.

But an even greater issue is that the people within the organization making purchasing decisions often don’t communicate with the security leaders. As a result, they may be adding undue risk.

“It continues to be a problem when those upfront risk assessments aren’t performed and when purchasing decisions are made in a disparate function,” said Hesse. “We’re still seeing folks making purchasing decisions for these devices, but the infrastructure isn’t in place to support the device.”

“And with IoT devices, it’s not always clear that it’s necessary – or worth the risk,” she added.

For example, during a health IT conference two years ago, Hesse said she found an internet-enabled lightbulb. Without breaking down silos between purchasing departments and those who handle risk, organizations may be opening themselves up to risks that they could actually avoid.

“Organizations are still struggling with the holistically appropriate way to integrate IoTs,” said Hesse. But IoT integration can’t be avoided and asking if it’s necessary is a “moot point because it’s happening.”

“The market is saying it’s necessary whether the lawyers in the back of the room are saying it’s not,” she added. “The trend toward increasing IoT is everywhere and it’s continuing in the healthcare space… It goes beyond there being a shiny new object.”

These transparency issues exist for the cloud, as well. But Hesse explained that it pertains more to the contracting process, along with just what security protocols are in place. For example, regulators don’t really know how much market share is held by some of the largest cloud providers.

“And many hospitals have their cloud held by [the cloud vendor] directly, and business associates also have their cloud held by them,” Hesse said. “Sometimes they don’t even know they were putting their data in the cloud, as it could be done directly through the business associate.”

“It’s a systemic question to ask, when one vendor becomes as important as a utility,” she added.

Providers also struggle to audit the security protocols of cloud providers, she explained. “The security protocols aren’t entirely transparent to the provider community. They can be difficult to validate and ascertain.”

Legal Concerns

There are two primary components to the potential legal risks posed by cloud and IoT: possible malpractice lawsuits and standard breach liability.

The theory posed in the legal community is whether there could be a potential malpractice risk around a biomedical device that will be touched by a human or is tasked with monitoring a patient’s care. Hesse asked whether a provider that chooses a device without regard for the risk could be held liable for malpractice.

For example, suppose a cardiologist chooses a pacemaker with a known vulnerability that is difficult to patch – or perhaps there is no patch – and there’s a failure or a compromise of the device. Hesse asked: “Should I, the physician, be held responsible? Could a physician be held for making that choice?”

“It really hits home. It’s tangible for the provider community. That’s just one malpractice theory,” she said.

The other is standard breach liability. Hesse said she’s seeing a lot of interesting trends out there that could add to regulatory concerns, including the uptick in state Attorneys General breach settlements.

Most recently, Aetna settled with California over its 2017 privacy breach. The insurer had already settled with Connecticut, Washington, New Jersey, and Washington, D.C., after a lawsuit settlement with those impacted.

“They’re actively engaged in enforcing HIPAA violations,” said Hesse. “Looking at the breaches just posted on the Office for Civil Rights’ wall of shame that are now being evaluated at a state level. The legal discussion groups speak on how those state Attorneys General are more tied to a local community.”

“So, while the breach or security incident may not sound large on a national sphere, it could impact locally,” she continued. “It allows [the states] to raise their profile and get their constituents to care about data breaches. We’re seeing that.”

Best Practice IoT Implementation

For Hesse, the providers that have done the best job implementing IoT and other smart devices have taken a holistic approach, by integrating the purchasing department with the security leaders when bringing those devices into an organization.

The issue is that many organizations have a disparate decision-making process, and risks aren’t being assessed within the context of the whole organization – or even within each department, Hesse explained.

“Those that do it well have an integrated risk assessment process that has people from the purchasing folks connecting with the people doing risk assessments that can evaluate the internet-enabled devices,” said Hesse. “They’ll have someone assess the risk of the device and determine if it’s necessary.”

“That’s what we see doing well,” she added.

Cloud Contracting Considerations

Legal communication is one of the biggest considerations when contracting with a cloud provider. The process is not just outsourcing to the cloud; it’s looking at the bigger picture to ensure an organization isn’t introducing new and/or unnecessary risk.

To combat some of the risk around the lack of transparency, Hesse stressed that providers need to focus on the contracting process and ensure it’s in line with HIPAA and state regulations.

Hesse said that most providers have improved the contracting process, actively discussing security protocols. The vendor may promise they have certain security in place, but it’s not enough without due diligence and routine assessments of the vendor’s processes.

“Where it may break down, is that the conversation ends with ‘we’ve put it in the cloud, and now it’s all set,’” Hesse said. “Without further digging in to exactly what the security is in place and asking are those protocols being set appropriately.”

“It’s an opportunity for providers and business associates to do a better job explaining what they want – and effectively communicating that back to the vendor in the contract,” she continued. “I think that’s a place where the community may need to do more work to truly understand what security protocols are being employed.”