Mobile devices in healthcare institutions are giving rise to new data security and liability risks. Connected devices – another way of describing "The Internet of Things" – present many of the same security and privacy breach risks, and even greater risks, because the devices are designed to act automatically without active human direction.
Six fundamental questions therefore need to be asked about connected devices.
- Do the devices store and transmit data securely?
- Do they accept software security updates to address new risks?
- Do they provide a new avenue to unauthorized access of data?
- Do they provide a new way to steal data?
- Do they connect to the institution's existing IT infrastructure in a way that puts data stored there at greater risk?
- Are the APIs – through which software and devices connect – secure?
Healthcare technology officers, including Chief Information Officers (CIO), Chief Technology Officers (CTO), Chief Information Security Officers (CISO), healthcare data administrators such as the Chief Data Officer (CDO), and Chief Medical Officers (CMO) managing a medical world of connected devices should be focusing on these questions before they enter into agreements with vendors, outsourcing providers and related institutions. These executives need to recognize that connected devices and the "Internet of Things" should be the "Security of Things."
Accordingly, existing contracts need to be reviewed and modified to provide the requisite vendor security obligations. RFPs for new contracts should require potential vendors to identify how security will be provided for the Internet of Things. New contracts should be structured to provide the security provisions that the Internet of Things requires.
In setting up connected device systems, healthcare institutions' agreements with vendors (including cloud services providers) should ensure that data traffic of the device and its software application is encrypted when communicating with the institution's private network, with those of its outsourcing providers, and with any cloud systems. The contracts should allow the institution to audit, and require the vendors to periodically verify, that the data is transmitted in an appropriately strong encrypted form and that the encryption works on the network.
For example, an audit revealing that data is transmitted in "clear text" indicates that contractual encryption requirements are not being followed. Moreover, given the complexity of healthcare institutions, it is important that industry standard encryption protocols are used so that all connected devices connect securely. Encryption protocols that are proprietary to a single vendor should be avoided. The collection and transmission of personal healthcare information, even in aggregate form, without such protections can lead to compromise of the privacy of the data and potential legal liability for the institution – especially if the information is stolen or used for unauthorized purposes by unauthorized parties.
Authorized, secure devices
How can privacy protection be increased? In addition to the use of proper encryption, the healthcare institution should require in the contract that a connected device collect only the data that is required for its intended operation, and that it enable access to data generated by the device only by authorized and authenticated individuals with a need to handle the information; the same should be true of computer systems that handle the data from the device.
The physical security of the device itself also should not be overlooked. The device should be configured to prevent data storage media from being accessed or removed, and the device itself should not be easily disassembled. In short, building strong security to protect data during transmission is undercut if the data can be removed from the device itself.
Credentials and password protection
As a matter of setting up a system, connected devices are initially deployed in a form where insecure or well-known default passwords and usernames are used. After setup is complete and before critical information is collected and transmitted, the vendor should change the default passwords and usernames to meet the requirements of the CIO, CISO and CDO. Most importantly, the steady-state passwords and usernames must be able to withstand attacks by hackers and the criminal syndicates that employ them. Further, the connected device network should not be configured in a way that allows authentication credentials to be exposed in data traffic over the healthcare institution's network. This is important now that computers communicate directly with other computers and send and receive information without human intervention.
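The two audit points above, transmission in "clear text" (from the encryption discussion earlier) and credentials exposed in device traffic (this section), can be checked mechanically against a capture from the device network. The following is an added illustration, not code from the article: it classifies the opening bytes of each client-to-server flow as TLS or cleartext using the TLS record header, flags cleartext HTTP flows that carry an Authorization header, and reports a Basic-auth username that still matches a vendor default. The flow records, the gateway addresses and the default-username list are all constructed placeholders; a real audit would take flows from a packet capture and the default list from the vendor's documentation.

```python
"""Added audit example: classify captured device-to-server flows as TLS or cleartext
and flag cleartext flows that expose credentials. Not the article's code; the flow
records and default-username list below are constructed for illustration."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """First bytes of the client-to-server stream for one TCP connection."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"PATCH ")
# Constructed placeholder list; a real audit would use the vendor's documented defaults.
DEFAULT_USERNAMES = {"admin", "service"}


def is_tls(payload: bytes) -> bool:
    """A TLS record starts with a content-type byte followed by version major 0x03."""
    return len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 0x03


def is_cleartext_http(payload: bytes) -> bool:
    """Plain HTTP is recognisable by its request line, which is readable ASCII."""
    return payload.startswith(HTTP_METHODS)


def basic_auth_username(payload: bytes):
    """Return the username from an HTTP Basic Authorization header, or None."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded.partition(":")[0]


def audit_flow(flow: Flow) -> list:
    """Return the list of issues found on one flow (empty means nothing to report)."""
    issues = []
    if is_tls(flow.payload):
        return issues  # encrypted in transit; contents are not inspectable here
    if is_cleartext_http(flow.payload):
        issues.append("cleartext-http")
        if re.search(rb"^Authorization:", flow.payload, re.IGNORECASE | re.MULTILINE):
            issues.append("credential-exposed")
        user = basic_auth_username(flow.payload)
        if user is not None and user.lower() in DEFAULT_USERNAMES:
            issues.append("default-username")
    else:
        # Neither TLS nor HTTP (e.g. a proprietary or unencrypted MQTT session):
        # cannot be assumed encrypted, so it goes to manual review.
        issues.append("unrecognized-cleartext")
    return issues


def audit(flows) -> dict:
    """Map 'src->dst:port' to its issues, keeping only flows with findings."""
    report = {}
    for f in flows:
        issues = audit_flow(f)
        if issues:
            report[f"{f.src}->{f.dst}:{f.dst_port}"] = issues
    return report


# Constructed sample flows standing in for a capture from a device VLAN.
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "10.0.9.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.5.22", "10.0.9.10", 80,
         b"POST /api/v1/readings HTTP/1.1\r\nHost: gateway.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n\r\n"),
    Flow("10.0.5.23", "10.0.9.11", 8080,
         b"GET /status HTTP/1.1\r\nHost: gateway.example\r\n\r\n"),
    Flow("10.0.5.24", "10.0.9.12", 1883, b"\x10\x1a\x00\x04MQTT\x04\xc2\x00<"),
]

if __name__ == "__main__":
    for key, issues in audit(SAMPLE_FLOWS).items():
        print(key, ", ".join(issues))
```

Only the first flow passes silently; the second is the case the article describes, a device sending readings over plain HTTP with a factory username, and would be reported to the vendor as a breach of the contract's encryption and credential clauses. The fourth flow shows why the check treats anything it cannot positively identify as TLS as a finding rather than as "probably fine".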
Computer security consists of hardware, software and people. Disgruntled and former employees, both of the institution and of the vendor and its subcontractors, can be a source of unauthorized disclosure. Good personnel practices are important, and repeated audits are necessary to enable early discovery. This factor is especially important at the computer network administrator level, as that manager presents an elevated risk to the institution.
Finally, healthcare institutions should enter into agreements with vendors that require the connected devices to be updated with improved security over time and that the updates are tested and verified before being put into use. Given the nature of healthcare data and potential legal liability for resulting data breaches, the "Internet of Things" at healthcare institutions and the contracts that cover them need to constitute a "Security of Things."