In previous blog posts, we’ve discussed the role of technology and HIPAA (related explicitly to HITECH regulations). However, the growth of intelligent devices and the Internet of Things (IoT) has led to a sea change in how Covered Entities (CEs) and Business Associates (BAs) manage their patients. Likewise, it adds new wrinkles to how these organizations manage their compliance requirements under HIPAA.
Here, we’ll discuss some of the overlaps between HIPAA requirements and risks posed by smart, IoT-based devices.
HIPAA Regulations and Securing Networked Devices
IoT devices in healthcare have many potential benefits, such as improved patient outcomes and increased efficiency of care delivery. However, it also comes with unique risks that CEs must address to protect patient privacy and ensure the security of sensitive healthcare information.
More specifically, an IoT device will either connect to networks with access to Protected Health Information (PHI) or carry that information directly–a fact that makes them a potential target for hackers.
Some of the specific risks associated with IoT devices in healthcare include:
- Unauthorized Access: IoT devices can be vulnerable to hacking or other cyber attacks, the same as any networked computer, which can result in unauthorized access to sensitive healthcare information contained on the device or transmitted via connected networks.
- Malware: IoT devices can also be infected with malware–again, just the same as any computer. Controlled IoT devices can essentially become “zombie” machines that can be used to steal data, launch advanced threats, or disrupt operations.
- Configuration Defaults: Most IoT devices will come with default settings that may not be changed upon installation, which presents a huge security hole. Hackers can scan public networks for devices (and, more specifically, device identifiers) so that they can launch dictionary attacks or well-known exploits in the hopes that the device isn’t updated.
- Denial of Service (DDoS): In a DDoS attack, the attackers typically use a network of infected computers, called a botnet, to send a massive amount of traffic to the targeted system, which may be a web server, email server, or other network infrastructure component. Hackers can harness Zombified IoT devices to focus or contribute to such attacks without the CE noticing.
- Main-in-the-Middle (MiTM): A MiTM attack is a cyber attack in which an attacker intercepts communication between two parties to eavesdrop, modify, or steal information. If hackers compromise an IoT device connected to a critical network, they can feasibly listen in on network communications carrying PHI.
These security threats are always present, and a misconfigured IoT device can provide attackers with multiple ways to breach your IT systems–leading to major security breaches and potential fines.
What Security Controls Can My Organization Implement to Maintain HIPAA Compliance?
To address these security risks, healthcare providers must take steps to secure and manage IoT devices effectively. This can include implementing strong authentication and access control measures, regularly monitoring and updating devices, using encryption to protect sensitive data, and conducting regular risk assessments and vulnerability testing.
Some specific HIPAA requirements that healthcare providers must meet for IoT devices in healthcare settings include:
- Perimeter Security: Perimeter security is an essential aspect of cybersecurity, as it protects the boundary or perimeter of a network or system from unauthorized access, intrusion, or cyber threats. It’s, therefore, critical that HIPAA-regulated organizations consider any deployed IoT devices existing within their security perimeter, affording all required security measures.
- Encryption: The HIPAA Security Rule does not mandate using a specific encryption algorithm or standard, but it is considered an important security measure for protecting ePHI. It does require, however, that CEs assess whether encryption is a reasonable and appropriate safeguard for protecting PHI in their particular environment, including obfuscating data processed or stored in IoT devices.
- Access Control: HIPAA requires covered entities to implement reasonable and appropriate policies and procedures for granting access to PHI. Unique user authentication requires each user to have a unique identifier to access resources which can be used to track who accesses and modifies PHI. Accordingly, this applies to IoT devices handling PHI.
- Audit Controls: Covered entities and business associates must implement audit controls to track and record system and user events for both ongoing security monitoring and forensic activities. This includes relevant IoT devices.
- Device Management: Covered entities and business associates must have policies and procedures for managing IoT devices that store or transmit ePHI. This includes ensuring that devices are regularly updated and patched to address security vulnerabilities.
- Update All Software and Firmware: It’s imperative that any IoT devices installed and connected to networks with access to PHI should be updated, patched, and secured. This also means changing all device defaults immediately to close security holes.
How Are IoT Devices Used in Healthcare?
IoT (Internet of Things) devices are increasingly used in healthcare to improve patient care and outcomes, enhance operational efficiency, and reduce costs. Some of how IoT devices are used in healthcare include:
- Remote Patient Monitoring: IoT devices can remotely monitor patient health and vital signs, allowing healthcare providers to track patient progress and health conditions related to vital signs, medication reactions, or other real-time events.
- Telemedicine: Since the pandemic, telehealth has become a major priority for many providers. IoT devices can be used to facilitate telemedicine, allowing patients to receive care remotely if they cannot travel to centralized hospitals. This introduces more healthcare resources for underserved populations but presents security challenges related to the transmission and protection of PHI.
- Equipment Management: IoT devices can track medical equipment and supplies, allowing healthcare providers to locate and manage these resources more efficiently while avoiding loss, fraud, or theft.
- Smart Hospital Systems: IoT devices can create hospitals and clinics that are more responsive to patient needs. For example, sensors can monitor patient flow and optimize staffing, while connected devices can be used to automate routine tasks such as room cleaning and temperature control.
- Drug Management: IoT devices can track the location and usage of medications, reducing the likelihood of medication errors and improving patient safety.
As is clearly the case, these uses. At the same time, a considerable benefit for healthcare providers and patients can also present significant opportunities for data theft if not properly secured based on HIPAA requirements.
Harden Your IT and IoT Systems with Continuum GRC
With increasingly distributed IT systems growing in the healthcare industry, having a clear vision of the risks and compliance requirements needed to manage them is an integral part of doing business. Don’t rely on old-fashioned audit approaches to accomplish this task, however. Count on a cloud platform that combines risk and compliance management for your entire system. Count on Continuum GRC.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.