Introduction
The Internet of Things (IoT) is a term that defines the way objects (things) can be connected to the Internet, which provides them with the capability to transmit information (data) (Federal Trade Commission [FTC], 2015). FTC (2015) reports that by 2020, around 50 billion things are expected to become connected. Given the rates of IoT development, it is not surprising that it has entered healthcare. The opportunities offered by IoT are multiple and include greater patient safety, improved quality of care, increased patient autonomy, and other positive outcomes (Pew Research Center, 2014; Time, 2015). However, IoT also introduces challenges, in particular, data security ones.
The data that healthcare IoT transmits is not limited to, but is bound to include, protected health information (PHI), which is termed electronic protected health information (ePHI) when it is handled (saved, stored, and transmitted) electronically (Filkins et al., 2016). ePHI is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Filkins et al., 2016, p. 1573). As a result, the privacy and security rules of HIPAA, as well as its general requirements, need to be considered when IoT elements are introduced into the practice of a healthcare organization or practitioner (Rhodes-Ousley, 2013).
HIPAA
FTC (2015) points out that the development of IoT is capable of amplifying the threats to data security (pp. 11-12), which is why it recommends strengthening the legislation in the area and, in the meantime, enforcing the legislation that already exists. The legislative Act that states the requirements and guidelines for ePHI management in the US is HIPAA. It includes the general administrative requirements (which define the terms and the covered entities that are required to adhere to HIPAA: healthcare plans, clearinghouses, and providers), the privacy rule, which defines the right of a patient to PHI and sets confidentiality requirements, and the security rule, which defines security requirements with basic information on the standards and safeguards. The latter include administrative (planning, training, risk management), physical (equipment- and facilities-related), and technical (technology-related) safeguards, which can be regarded as practices that are approved by HIPAA.
The resulting framework is flexible, and the enforcement-related fines may be insufficient (Murray, Calhoun, & Philipsen, 2011). However, HIPAA’s guidelines are in line with best practices as viewed by the government and resemble FTC (2015) recommendations. When describing security requirements for IoT, FTC (2015) mentions major steps of a security design, which include risk assessment, minimization of the data that is going to be retained by a thing, and reasonable testing of the security measures that are meant for the thing. Apart from that, training for the employees and the maintenance of security measures are required along with monitoring, detection, and elimination of flaws in approaches and measures. Finally, FTC (2015) mentions safeguards employed to ensure the security of the system (pp. 28-32). All these elements are discussed by HIPAA. As a result, it can be suggested that FTC (2015) generally approves HIPAA-described activities, but it does call for its strengthening (pp. 48-50).
The HITECH Act
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is defined by Rhodes-Ousley (2013) as a companion Act to HIPAA (p. 63), which is justified since the former serves as an expansion to the latter with a particular emphasis on ePHI. It specifies and changes the enforcement, breach notification, EHR management, and business associate aspects of HIPAA (Rhodes-Ousley, 2013). A major challenge to the application of HITECH and HIPAA is their flaws, in particular, the inefficient enforcement mechanisms, the existence of loopholes, and the vagueness and complicated structure of their texts (Murray et al., 2011; Ziegeldorf, Morchon, & Wehrle, 2013). Thus, FTC’s (2015) call for improvement appears justified.
Threats, Constraints, and Challenges
ePHI is threatened by multiple external and internal factors, and IoT creates new threats and risks and can aggravate old ones (FTC, 2015; Maras, 2015). Nowadays, cyberterrorism is among the most significant threats (Harries & Yellowlees, 2013), and hacking accounts for the majority of breaches in healthcare (Filkins et al., 2016). This old threat is aggravated by the way IoT multiplies the number of access points that should be protected and monitored (Maras, 2015). Ziegeldorf et al. (2013) also mention that, due to the number of these access points, learning about a security breach in IoT is more difficult. Moreover, as pointed out by Maras (2015), many of these points were not designed with security in mind: it is relatively atypical for medical devices to be appropriately prepared for secure connection to IoT (p. 102). This issue is introduced by IoT, but it also aggravates existing issues, and it needs to be taken into account.
Apart from the data management threats, other considerations are mentioned with respect to IoT. For example, the question of control is worrisome from an ethical point of view. Also, the threats of de-skilling are considered by some practitioners: when part of a job is performed by a device, the employee does not need to be skilled and capable (Pew Research Center, 2014). The development and especially implementation of IoT are also a challenge; after all, the constraint of funding is always acute (Harries & Yellowlees, 2013). To sum up, the challenges that are connected to IoT are multiple, and they need to be anticipated, monitored, and taken into account.
Change in Healthcare
Duffy (2016) describes the future with IoT in a most optimistic way, and since technology is indeed mostly associated with improvements in healthcare, this view appears to be justified. According to Time (2015), the future of healthcare and IoT includes customization, automation, and connectivity, which will result in improved safety and efficiency. Apart from that, greater attention to the customer and the intent to empower them for greater engagement in their healthcare are also expected to result from IoT. All these outcomes are most positive.
The majority of sources discuss the future of IoT (Pew Research Center, 2014; Time, 2015), but Duffy (2016) emphasizes that IoT is already a part of our lives. Indeed, devices that enable remote control, communication, and monitoring of particular events and parameters (for example, blood pressure), which can be defined as IoT features (Pew Research Center, 2014), are already available to the public, and some of them are employed in healthcare. As a result, IoT is already changing healthcare, and if the threats and challenges are managed appropriately, we will be able to enjoy the multiple benefits of IoT implementation.
Conclusion
IoT promises significant changes in healthcare, the majority of which are positive; however, some negative outcomes can also be expected, predominantly in the field of data security. Currently, HIPAA and HITECH are used in the US to ensure the security of ePHI; however, they may be insufficient. As a result, a key issue of IoT implementation in healthcare is the legal challenge of the flaws of the current legislation. Other issues include ethical and financial challenges, the majority of which are related to data security. As a result, the threats and challenges of IoT need to be researched and managed, which makes this topic particularly important for healthcare practitioners.
References
Duffy, J. (2016). The internet of things | Jordan Duffy | TEDxSouthBank.
Federal Trade Commission. (2015). Internet of Things: Privacy & security in a connected world. FTC staff report.
Filkins, B. L., Kim, J. Y., Roberts, B., Armstrong, W., Miller, M. A., Hultner, M. L., … Steinhubl, S. R. (2016). Privacy and security in the era of digital health: What should translational researchers know and do about it? American Journal of Translational Research, 8(3), 1560-1580.
Harries, D., & Yellowlees, P. (2013). Cyberterrorism: Is the U.S. healthcare system safe? Telemedicine and e-Health, 19(1), 61-66.
Maras, M. (2015). Internet of Things: Security and privacy implications. International Data Privacy Law, 5(2), 99-104.
Murray, T., Calhoun, M., & Philipsen, N. (2011). Privacy, confidentiality, HIPAA, and HITECH: Implications for the health care practitioner. The Journal for Nurse Practitioners, 7(9), 747-752.
Pew Research Center. (2014). The Internet of Things will thrive by 2025.
Rhodes-Ousley, M. (2013). Information security: The complete reference (2nd ed.). New York, NY: McGraw-Hill.
Time. (2015). Inside the hospital room of the future.
Ziegeldorf, J., Morchon, O., & Wehrle, K. (2013). Privacy in the Internet of Things: Threats and challenges. Security and Communication Networks, 7(12), 2728-2742.