Inside Cyber Security
April 11, 2019
By Rick Weber
The emerging Internet of Things offers the promise of reduced costs and improved treatment in health care, and yet the developers of these connected devices face a slew of regulatory and legal uncertainties while navigating a host of existing requirements not intended for the security and privacy of new uses of data, according to a new book from the American Bar Association on IoT risks.
“While health IoT shows great promise for transforming health and health care, it also raises new questions, challenges, and risks,” according to the second chapter of the ABA book, which addresses health IoT “trends and legal issues.”
“Existing regulations and policies may not have contemplated the use of health and medical data in connected devices—or the accompanying risks,” states the ABA book. “Moreover, the regulations and policies governing the health IoT landscape are changing rapidly, leaving many questions and significant uncertainty about how best to effectively implement IoT tools.”
The ABA book, “The Internet of Things: Legal Issues, Policy, and Practical Strategies,” addresses IoT risks in a range of areas, from connected cars to drones to next-generation 5G networks. And the chapter on health care is intended to provide the legal community with “strategies for navigating the health IoT landscape of the future.”
The chapter’s authors—Jodi Daniel, Ashley Southerland and Maya Uppaluru—note that longstanding requirements under the Health Insurance Portability and Accountability Act, which sets data privacy and security rules for healthcare providers, also offer baseline protections for IoT devices. And the authors recommend IoT developers adopt HIPAA requirements proactively to avoid certain legal uncertainties.
“The lines become even more blurred if the consumer-facing remote patient monitoring service allows the data to be shared with a doctor or nurse,” according to the ABA book, describing how the same IoT data can fall inside or outside HIPAA regulatory coverage depending on how it is used.
“In that case, whether HIPAA applies will depend on the arrangement and the relationship between the technology company and the health care provider,” states the ABA book, adding: “Given these complexities, consumers of health IoT cannot assume that HIPAA rights apply, or that developers of health IoT tools are required to protect information in accordance with HIPAA.”
To address these complexities and legal uncertainties, the ABA book recommends IoT developers adopt HIPAA requirements when providing services for the healthcare industry.
“As a best practice, health IoT developers may wish to preemptively comply with HIPAA due to requirements or expectations of providers who may wish to access data using these tools,” according to the authors of the health IoT chapter. “The HIPAA Security Rule also requires adoption of ‘reasonable’ practices for specific categories of confidentiality, integrity, and availability, but does not set specific requirements.”
The ABA book recommends IoT developers “should implement reasonable data security practices in order to prevent unauthorized access to and misuse of personal information; attacks on the entire network via unsecured connected devices; and (especially relevant in the connected health space) risks to personal safety.”
The book also notes the number of initiatives taken by the Food and Drug Administration, particularly under the Cures Act of 2016, to ensure patient safety and benefits from the increased use of connected devices as well as online data for services and treatments.
“These dramatic policy changes are designed to promote innovation by enabling new and modified products to come to market sooner. However, these changes can also lead to uncertainty for technology companies that are awaiting final FDA guidance, and the reduced regulatory oversight can raise new questions about liability risk,” the authors warn.
The lawyers note that health care is one of the sectors most targeted by hackers because of the sensitive nature of the information handled by hospitals, physicians and researchers, among others, an assertion intended to underscore the urgency of addressing the risks posed by new IT technologies.
“Today, as connected health care devices, applications, and cloud services proliferate in the marketplace, they have caused an explosion in the types of health-related information and decision support tools available to better understand and monitor patients outside the health care setting,” according to the ABA book.
The ABA review of IoT risks, released last month, was compiled by its Science and Technology Law Division, and was the focus of a March 27-28 event of the IoT National Institute hosted at the Washington, DC offices of the law firm Crowell & Moring.
The event included keynote remarks by former Homeland Security Secretary Michael Chertoff, who wrote the foreword to the ABA book. Sen. Mark Warner (D-VA), ranking member of the Senate Intelligence Committee, wrote an introduction that describes IoT security vulnerabilities as a “market failure.”
One of the book’s three co-editors, Lucy Thomson, wrote a chapter on assessing IoT risks, in which she discusses the use of security principles developed by the Open Web Application Security Project. And the book’s opening chapter, on connected cars, argues that lawyers will play a major role in the rollout of autonomous vehicles, given the cybersecurity and other uncertainties surrounding the new technology.
Overall, the ABA book addresses a host of emerging IoT concerns and products, from autonomous vehicles to medical devices to next-generation 5G connections to blockchain technologies to privacy and intellectual property protections.
Copyright 2019 Inside Washington Publishers All Rights Reserved.