The “Internet of Health Things”: Privacy and Security Issues in an Interconnected World
The Internet of Things (IoT) – a network of interconnected devices that collect, store, and transmit data and communicate with people or other objects – is quickly becoming ubiquitous across industries. The Federal Trade Commission (FTC) estimates there are currently more connected devices than people, and by 2020, there may be as many as 50 billion "smart" devices in use worldwide – nearly one for every two persons who have ever lived (108 billion, according to the Washington Post).
Not so long ago, the specter of so much data, in so many places and about so many people, might have been unwelcome, if not unreal. At the current rate of expansion, it may not be long before interacting with the IoT is as commonplace as tying your shoes. The United States Supreme Court recently noted that digital devices and media, "[w]ith all they contain and all they reveal … hold for many Americans 'the privacies of life.’" Riley v. California, -- U.S. --, 134 S.Ct. 2473, 2494-95, 189 L.Ed.2d 430 (2014). Just one year later, the Minnesota Supreme Court predicted, "[t]his trend will only accelerate as we enter the 'internet of things' in which hundreds of billions of objects will become digital devices." State v. McMurray, 860 N.E.2d 686, 698 (Minn. 2015).
The IoT is expanding in health care at an accelerated pace, and includes a growing variety of consumer-facing devices. Health and fitness trackers, connected medical devices, mobile medical device applications, and smart clothing amount to what Forbes and MarketResearch.com estimate will be a $117B market by 2020. It is easy to see the benefits of the “Internet of Health Things” (IoHT): individuals can participate more actively in their health and health care, providers have additional sources of patient data, and everyone enjoys the ease and immediacy of information. But with these boons come burdens, in the form of unique privacy and security concerns that traditional health information channels do not fully address.
Across sectors, the devices that comprise the IoT are as diverse as the industries that use them. These devices, however, share two important attributes: they can collect, store, and transmit personally-identifiable information (PII), and they can be compromised. Some devices collect PII easily recognizable as damaging in the wrong hands, such as names and addresses, social security numbers, dates of birth, and government and financial identification numbers. Due to the recent spate of large-scale data breaches, most consumers are aware of the potential for financial identity theft if this information is breached. Other, “softer” PII – information about purchasing and other habits, hobbies and activities, reading material, and location and movement – can, if compromised, jeopardize physical safety and subject an individual to adverse insurance, credit, or employment decisions. Whether a breach results from device malfunction, negligence, loss, theft, or intentional intrusion, the user and the device manufacturer face significant financial and reputational injury.
For IoHT devices, the risks include these and more:
Enhanced privacy risks: Health data is among the most sensitive information about us. Most people would prefer to keep their health-related details private, and to control the conditions under which those details are used and disclosed. Individuals may suffer embarrassment, social exclusion, or adverse employment, insurance, or credit decisions if certain health conditions became widely known.
Further, health data is a hot black market commodity. Wrongdoers may intentionally seek it to commit or enable “medical identity theft” – misappropriating a medical identity to obtain or bill for health-related goods and services. As FTC Commissioner Terrell McSweeney remarked in March 2015:
One of the most lucrative avenues for identity thieves has become the stealing and exploitation of medical records. Unlike other forms of identification, our medical records offer nearly complete portraits of our lives and data. These factors have made medical records, and more specifically children’s medical records, the most valuable consumer information in the black market. Scammers can use the medical records of children to steal identities and commit frauds that have a good chance of remaining undetected until a child turns 18. (Remarks to the Identity Theft Resource Center, Washington D.C., March 18, 2015).
Picture the result if one person uses another’s health identity to obtain even a routine blood test and antibiotics. If the wrongdoer’s health information combines with the true patient’s, the result is a mixed medical record – a single, corrupted record that does not reflect either person’s true condition. If the wrongdoer and the true patient have different blood types, or different medication allergies, either could be injured or die the next time the medical record is consulted for care.
Enhanced security risks: No machine, device, or data repository is 100% impervious to intrusion. In the IoT, an attack on one device can facilitate attacks on connected devices or even other systems. This can be particularly disastrous in the IoHT environment, where the devices at issue monitor, or even treat, serious health conditions. Any intrusion into an IoHT device – whether directly, or through “spread” from another compromised device – can cause physical injury. For example, the FTC reports an instance in which an individual hacked remotely into two insulin pumps and changed their settings. Intrusion into a fitness tracker could give away an individual’s location and movement patterns, making physical attack easier.
It is vitally important that all health information, including IoHT Data, retain its confidentiality, integrity, and availability. What standards are in place for identifying risks and vulnerabilities to IoHT Data, and for managing them to an appropriate level?
Thoughts around health information privacy and security automatically turn to HIPAA – the Health Information Privacy and Security Act, together with the Health Information Technology for Economic and Clinical Health (HITECH) Act amendments. Administered by the Department of Health & Human Services, Office for Civil Rights (OCR), the HIPAA Rules regulate privacy, security, individual rights, and breach notification for some (but not all) health information. Moreover, they require certain (but not all) persons who process that health information to put physical, administrative, and technical safeguards in place to protect it in all forms, and to institute a security management process (including risk analysis and risk management) to protect it in electronic form. That sounds like exactly what IoHT device users want.
The HIPAA Rules, however, do not apply broadly enough to encompass all IoHT Data. Rather, they apply only to certain entities (covered entities and their business associates), with respect to a certain category of health data (protected health information, or PHI).
Covered entities are health plans, most health care providers, and health care clearinghouses. Business associates perform services for a covered entity that involve creating, receiving, maintaining, or transmitting PHI. Protected health information is individually-identifiable information, created or received by or for a covered entity, relating to the provision of or payment for health care.
Therefore, the HIPAA Rules do not apply to IoHT Data unless the data (1) are individually-identifiable; (2) relate to the provision of or payment for health care; and (3) are created or received by or for a covered entity.
Numbers 1 and 2 are often true for IoHT data – number 3 typically is not unless the device manufacturer/developer is a covered entity or business associate, or the data are in the hands of a covered entity or business associate. Note that an IoHT device manufacturer or developer is not a business associate subject to HIPAA simply because it sells devices or applications to health care providers or plans. An entity is a business associate only when it performs services “[o]n behalf of” a covered entity (45 CFR 160.103) – in a sales transaction, the seller typically acts on its own behalf.
Covered entities and business associates who create, receive, use, or disclose IoHT Data that are PII should, of course, follow the HIPAA Rules and applicable state law to guide privacy, security, individual rights, and breach notification policies and procedures. Entities not subject to HIPAA that develop IoHT devices sold to or used by consumers should be aware of another set of standards, and another source of enforcement.
The FTC enforces the prohibition on unfair and deceptive trade practices, including unfair and deceptive representations about privacy and security. In January 2015, the agency released a report entitled Internet of Things: Privacy & Security in a Connected World ("FTC Report"). Unlike the HIPAA Rules, the FTC Report contains recommendations that do not carry the force of law. However, the recommendations mirror the HIPAA Rules in many respects, and the FTC Report could easily be touted as a standard-bearer, or even a "gold standard," for FTC enforcement, or against which negligence is measured in a breach-related lawsuit.
The FTC Report offers the following “recommendations and best practices” for companies that develop consumer-facing IoHT devices:
Data Security. IoHT device developers must institute reasonable security. What is “reasonable” may vary considerably with the type of device, amount and sensitivity of data, and cost of remedying vulnerabilities. Generally, however, reasonable data security includes:
“Security by Design.” IoHT companies should “build security into their devices at the outset, rather than as an afterthought.” This includes performing a HIPAA-like security risk assessment, considering how to minimize the data devices collect, store, and transmit, and testing security measures before launch.
Personnel Policies that Promote Good Security. IoHT companies should address product security “at the appropriate level of responsibility.” As the FTC Report notes, “if someone at an executive level has responsibility for security, it tends to drive hiring and processes and mechanisms throughout the entire organization that will improve security.” Companies should also provide thorough security training, and not assume that the technologically-proficient do not need it. Vendors, too, should be “capable of maintaining reasonable security” – and companies should audit their ability to do so. For systems with significant risk, the FTC recommends implementing a “defense-in-depth approach, where security measures are considered at several levels.” This includes taking “additional steps to secure information passed over consumers’ home networks.” Companies should also consider implementing “reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network” – without unduly impeding device usability. Finally, companies should implement lifecycle product monitoring, and patch known vulnerabilities to the extent feasible – or carefully consider the time during which they are willing and able to do so. In every case, companies must be transparent about ongoing security updates and software patches.
Data Minimization. In the health IoT world, more is not always better. Larger data repositories are more attractive to thieves, and heighten the effects of any intrusion. Further, the more data you have, the more likely you are to use it in a way consumers do not reasonably expect. Companies should “examine their data practices and business needs and develop policies and practices that impose reasonable limits on collection and retention of consumer data.” They should also consider whether to maintain data in de-identified form, minimizing the potential for re-identification. This approach is integral to privacy-by-design.
Notice and Choice. Providing consumers with the ability to make informed choices about how their data will be used and disclosed is especially important for sensitive health information. However, “providing choices for every instance of data collection is not necessary to protect privacy,” particularly when collection and use are for practices “consistent with the context of a transaction or the company’s relationship with the consumer” (a “use-based model”). Companies should be aware, however, of the potential pitfalls of a solely use-based model. First, it is “unclear who would decide which additional uses are beneficial or harmful.” Second, use-based limitations do not resolve all privacy and security concerns. Finally, this model may not be appropriate for sensitive information.
Reasonableness, and reasonable expectations, are the key. When there is no consumer interface, options include: choices at the point of sale; tutorials; device codes; choices during setup; management portals and dashboards; icons; ‘out of band’ communications; and general privacy menus. Privacy choices should be “clear and prominent, and not buried within lengthy documents.”
The “Internet of Health Things” offers many benefits to patients, consumers, and health care providers. While IoHT devices share many privacy and security concerns with their smart kin, other issues are heightened by – or unique to – the health care environment and the sensitive nature of health data. The HIPAA Rules provide privacy and security guidelines for a subset of IoHT Data, but much (if not most) such data is outside HIPAA’s purview. The FTC’s guidelines on IoT devices provide a framework for IoHT developers to consider how security-by-design, data minimization, and notice and choice can enhance the consumer experience, and limit liability.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.