The “Internet of Health Things:” Privacy and Security Issues in an Interconnected World
The Internet of Things ("IoT") – a network of interconnected devices that collect, store, and transmit data and communicate with people or other objects – is quickly becoming ubiquitous across industries. The Federal Trade Commission ("FTC") estimates there are currently more connected devices than people, and by 2020, there may be as many as 50 billion "smart" devices in use worldwide – nearly one for every two persons who have ever lived (108 billion, according to the Washington Post
Not so long ago, the specter of so much data, in so many places and about so many people, might have been unwelcome, if not unreal. Now, it may not be long before interacting with the IoT is as commonplace as tying your shoes. The United States Supreme Court recently noted that digital devices and media, "[w]ith all they contain and all they reveal … hold for many Americans 'the privacies of life.'" Riley v. California
, -- U.S. --, 134 S.Ct. 2473, 2494-95, 189 L.Ed.2d 430 (2014). Just one year later, the Minnesota Supreme Court predicted, "[t]his trend will only accelerate as we enter the 'Internet of Things' in which hundreds of billions of objects will become digital devices." State v. McMurray,
860 N.E.2d 686, 698 (Minn. 2015).
The IoT is expanding in health care at an accelerated pace, and includes a growing variety of consumer-facing devices. Health and fitness trackers, connected medical devices, mobile medical device applications, and smart clothing amount to what Forbes
and MarketResearch.com estimate will be a $117B market by 2020. It is easy to see the benefits of the "Internet of Health Things" ("IoHT"): individuals can participate more actively in their health and health care, providers have additional sources of patient data, and everyone enjoys the ease and immediacy of information. But with these boons come burdens, in the form of unique privacy and security concerns that traditional health information channels do not fully address.
Across sectors, the devices that comprise the IoT are as diverse as the industries that use them. These devices, however, share two important attributes: they can collect, store, and transmit personally-identifiable information ("PII"), and they can be compromised. Some devices collect PII easily recognizable as damaging in the wrong hands, such as names and addresses, social security numbers, dates of birth, and government and financial identification numbers. Due to the recent spate of large-scale data breaches, most consumers are aware of the potential for financial identity theft if this information is breached. Other, "softer" PII – information about purchasing and other habits, hobbies and activities, reading material, and location and movement – can, if compromised, jeopardize physical safety and subject an individual to adverse insurance, credit, or employment decisions. Whether a breach results from device malfunction, negligence, loss, theft, or intentional intrusion, the user and the device manufacturer face significant financial and reputational injury.
For IoHT devices, the risks include these and more:
Enhanced privacy risks: Health data is among the most sensitive information about us. Most people would prefer to keep their health-related details private, and control the conditions under which it is used and disclosed. Individuals may suffer embarrassment, social exclusion, or adverse employment, insurance, or credit decisions if certain health conditions were widely known.
Further, health data is a hot black market commodity. Wrongdoers may intentionally seek it to commit or enable "medical identity theft" – misappropriating a medical identity to obtain or bill for health-related goods and services. As FTC Commissioner Terrell McSweeney remarked in March 2015:
One of the most lucrative avenues for identity thieves has become the stealing and exploitation of medical records. Unlike other forms of identification, our medical records offer nearly complete portraits of our lives and data. These factors have made medical records, and more specifically children’s medical records, the most valuable consumer information in the black market. Scammers can use the medical records of children to steal identities and commit frauds that have a good chance of remaining undetected until a child turns 18. (Remarks to the Identity Theft Resource Center, Washington D.C., March 18, 2015).
Picture the result if one person uses another’s health identity to obtain even a routine blood test and antibiotics. If the wrongdoer’s health information combines with the true patient’s, the result is a mixed medical record – a single, corrupted record that does not reflect either person’s true condition. If the wrongdoer and the true patient have different blood types, or different medication allergies, either could be injured or die the next time the medical record is consulted for care.
Enhanced security risks: No machine, device, or data repository is 100% impervious to intrusion. In the IoT, an attack on one device can facilitate attacks on connected devices or even other systems. This can be particularly disastrous in the IoHT environment, where the devices at issue monitor, or even treat, serious health conditions. Any intrusion into an IoHT device – where directly, or through "spread" – can cause physical injury. For example, the FTC reports an instance in which an individual hacked remotely into two insulin pumps and changed their settings. Intrusion into a fitness tracker could give away an individual’s location and movement patterns, making physical attack easier.
It is vitally important that all health information, including IoHT Data, regain confidentiality, integrity, and availability. What standards are in place for identifying risks and vulnerabilities to IoHT Data, and managing them to an appropriate level?
Thoughts around health information privacy and security automatically turn to HIPAA – the Health Information Privacy and Security Act, together with the Health Information Technology for Economic and Clinical Health ("HITECH") Act amendments. Administered by the Department of Health & Human Services, Office for Civil Rights ("OCR"), the HIPAA Rules regulate privacy, security, individual rights, and breach notification for some (but not all) health information. Moreover, they require certain (but not all) persons who process that health information to put physical, administrative, and technical safeguards in place to protect it in all forms, and to institute a security management process (including risk analysis and risk management) to protect it in electronic form. That sounds exactly like what IoHT device users want.
The HIPAA Rules, however, do not apply broadly enough to encompass all IoHT Data. Rather, they apply only to certain entities (covered entities and their business associates), with respect to a certain category of health data (protected health information ("PHI")):
Protected health information is individually-identifiable information, created or received by or for a covered entity, relating to the provision of or payment for health care.
Covered entities are health plans, most health care providers, and health care clearinghouses.
Business associates perform services for a covered entity that involve creating, receiving, maintaining, or transmitting PHI.
Therefore, the HIPAA Rules do not apply to IoHT Data unless they (1) are individually-identifiable; (2) relate to the provision of or payment for health care; and (3) are created or received by or for a covered entity.
Numbers 1 and 2 are often true for IoHT data – number 3 typically is not unless the device manufacturer/developer is a covered entity or business associate, or the data are in the hands of a covered entity or business associate. Note that an IoHT device manufacturer or developer is not a business associate subject to HIPAA simply because it sells devices or applications to health care providers or plans. An entity is a business associate only when it performs services "[o]n behalf of" a covered entity (45 CFR 160.103) – in a sales transaction, the seller typically acts on its own behalf.
Covered entities and business associates who create, receive, use, or disclose IoHT data that are PII should, of course, follow the HIPAA Rules and applicable state law to guide privacy, security, individual rights, and breach notification policies and procedures. Entities not subject to HIPAA, who develop IoHT devices sold to or used by consumers, should be aware of another set of standards, and source of enforcement.
The FTC enforces the prohibition on unfair and deceptive trade practices, including unfair and deceptive representations about privacy and security. In January 2015, the agency released a staff report entitled Internet of Things: Privacy & Security in a Connected World ("FTC Report"). Unlike the HIPAA Rules, the FTC Report contains recommendations that do not carry the force of law. However, the recommendations mirror the HIPAA Rules in many respects, and the FTC Report could easily be touted as a standard-bearer, or even a "gold standard," for FTC enforcement, or against which negligence is measured in a breach-related lawsuit.
The FTC Report offers the following "recommendations and best practices" for companies that develop consumer-facing IoHT devices:
Data Security. IoHT device developers must institute reasonable security. What is "reasonable" may vary considerably with the type of device, amount and sensitivity of data, and cost of remedying vulnerabilities. Generally, however, reasonable data security includes:
"Security by Design." IoHT companies should "build security into their devices at the outset, rather than as an afterthought." This includes performing a HIPAA-like security risk assessment, considering how to minimize the data devices collect, store, and transmit, and testing security measures before launch.
Personnel Policies that Promote Good Security. IoHT companies should address product security "at the appropriate level of responsibility." As the FTC Report notes, "if someone at an executive level has responsibility for security, it tends to drive hiring and processes and mechanisms throughout the entire organization that will improve security." Companies should also provide thorough security training, and not assume that the technologically-proficient do not need it. Vendors, too, should be "capable of maintaining reasonable security" – and companies should audit their ability to do so. For systems with significant risk, the FTC recommends implementing a "defense-in-depth approach, where security measures are considered at several levels." This includes taking "additional steps to secure information passed over consumers’ home networks." Companies should also consider implementing "reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network" - without unduly impeding device usability. Finally, companies should implement lifecycle product monitoring, and patch known vulnerabilities to the extent feasible – or reasonably limit the time period during which they are willing and able to do so. In every case, companies must be transparent about ongoing security updates and software patches.
Data Minimization. In the health IoT world, more is not always better. Larger data repositories are more attractive to thieves, and heighten the effects of any intrusion. Further, the more data you have, the more likely you are to use it in a way consumers do not reasonably expect. Companies should "examine their data practices and business needs and develop policies and practices that impose reasonable limits on collection and retention of consumer data." They should also consider whether to maintain data in de-identified form, minimizing the potential for re-identification. This approach is integral to privacy-by-design.
Notice and Choice. Providing consumers with the ability to make informed choices about how their data will be used and disclosed is especially important for sensitive health information. However, "providing choices for every instance of data collection is not necessary to protect privacy," particularly when collection and use is for practices "consistent with the context of a transaction or the company’s relationship with the consumer" (a "use-based model"). Companies should be aware, however, of the potential pitfalls of a solely use-based model. First, it is "unclear who would decide which additional uses are beneficial or harmful." Second, use-based limitations do not resolve all privacy and security concerns. Finally, this model may not be appropriate for sensitive information.
Reasonableness, and reasonable expectations, is the key. When there is no consumer interface, options include: choices at the point of sale; tutorials; device codes; choices during setup; management portals and dashboards; icons; ‘out of band’ communications; and general privacy menus. Privacy choices should be "clear and prominent, and not buried within lengthy documents."
Where Have We Come Since Then?
In his October 2016 keynote address to the 4th
Annual Internet of Things Global Summit in Washington D.C., FTC Commissioner Terrell McSweeney looked back on the FTC Report nearly two years since it was issued and noted that "possibilities of the IoT have probably exceeded our expectations – in ways both good and bad." While consumers enjoy myriad increased conveniences and functionalities, they are beginning to experience and react to privacy and security risks associated with insecure IoT products. As a result, consumer faith is "relatively low" at a time when the IoT has so much to offer.
Lack of transparency is the greatest challenge McSweeney notes in protecting consumers in the "era of connected everything." Lack of transparency ("notice") deprives consumers of the ability to make an education decision ("choice") about whether the benefits of the device are worth the risk. While the benefits can be significant – McSweeney cites the example of an employer that offers discounted health insurance premiums to employees who wear fitness trackers – the Commissioner also notes that industry must "acknowledge as a baseline matter" that the IoT subjects consumers to additional risk.
Consumer education is another area industry must address to bolster consumer confidence and maximize IoT adoption. Device users may know how they can take an active role in security hygiene for familiar products such as smartphones and computers: enable current anti-virus software, avoid clicking on unknown links, and not open suspicious attachments. More education, however, is almost certainly needed to address how consumers can be proactive with less conventional connected devices – or even why they need
to be proactive. As McSweeney notes:
Perhaps a consumer thinks to herself, ‘what do I care if someone hacks into my connected toaster and finds out that I use the bagel setting on Sundays – what difference does it make?’ The problem is that these billions of devices that are coming on line and into our homes are connected to wi-fi and home networks. This means that they can serve as a conduit to a bad actor to commit serious damage, even though the risk might not be obvious or visible to the device owner. And the fact that many IoT devices do not have screens or obvious ways to receive security updates only exacerbates the problem.
Here, McSweeney reemphasizes the importance of security-by-design: manufacturers must be closely assessing security risks, vulnerabilities, and management beginning "the moment in the design cycle someone makes the decision to connect a device to the Internet," and continuing past the point of sale. Reasonable security, McSweeney emphasizes, entails "keeping up with emerging threats and new vulnerabilities and providing consumers with notice of such risks and software updates to address them."
But what of the "Internet of Trivial Things" – everyday Internet-connected objects from toasters to pet feeders? When the cost of lifetime security updates and patches far exceeds the cost of the item, McSweeney does not suggest that manufactures simply jettison the idea of lifetime security. After all, even "trivial" IoT devices can endanger all other devices connected to the same network. Likewise, "bricking" (a manufacturer rendering a device useless upon discovering a security problem it does not want to patch) is not a solution to lifetime security – this is contrary to consumer expectations, and can be harmful to users. Rather, McSweeney cautions manufacturers to perhaps "not be so cavalier about connecting everyday items to the Internet just because we can and for the novelty value. Security risks and costs need to be taken into account during product development."
Absent clear and conspicuous notice and express consumer choice to the contrary, "manufacturers need to conform to reasonable consumer expectations regarding functionality, data collection and security practices, and product lifetime" in order to earn consumer trust and promote continued IoT growth.
The "Internet of Health Things" offers many benefits to patients, consumers, and health care providers. While IoHT devices share many privacy and security concerns with their smart kin, other issues are heightened by – or unique to – the health care environment and the sensitive nature of health data. The HIPAA Rules provide privacy and security guidelines for a subset of IoHT Data, but much (if not most) of such data is outside HIPAA’s purview. The FTC’s guidelines on IoT devices provide a framework for IoHT developers to consider how security-by-design, data minimization, and notice and choice can enhance the consumer experience, and limit liability.
For more information on "Internet of Health Things", contact Kimberly Metzger
, or a member of Ice Miller’s Internet of Things