Healthcare is the Wild West of Technological Innovation
For healthcare companies looking to make the most of the Internet of Things (IoT), there is one simple truth that will and should rule above the rest: for healthcare, IoT is really the security of things.
It’s a basic question that all healthcare companies, providers, HCPs/PCPs, and patients must confront: Is ease of access to information and data more important than keeping private medical and financial data private? While many technology and pharma companies might side with the former part of the question, the truth of the matter proves to be a bit more confounding when you fully understand what it takes to secure data — especially when that data is governed by both:
- The limitations of software, hardware, and data transit technologies
- The legislative and continually out-of-date data governance and security law passed in 1996, HIPAA (The Health Insurance Portability and Accountability Act)
As noted by William A. Tanenbaum:
“Mobile devices in healthcare institutions are giving rise to new data security and liability risks. Connected devices — another way of describing “The Internet of Things” — present many of the same security and privacy breach rises aspects, and even greater risks because the devices are designed to act automatically without active human direction.
Six fundamental questions therefore need to be asked about connected devices.
1. Do the devices store and transmit data securely?
2. Do they accept software security updates to address new risks?
3. Do they provide a new avenue to unauthorized access of data?
4. Do they provide a new way to steal data?
5. Do they connect to the institution’s existing IT infrastructure in a way that puts data stored there are greater risk?
6. Are the APIs — through which software and devices connect — secure?”
With these questions in mind, let’s raise three more:
- Gordon Moore clarified the coming problem in 1965 by showing the relationship of power, size, and the rate at which technology progresses. Transferring that understanding to the 21st century, we begin to comprehend that the rate at which technology progresses will far surpass the human intellectual ability to clarify and understand its implications. The quicker the acceleration, the less we compute equating to greater responsibility being placed on the technology itself. In terms of healthcare, this acceleration means machines acting on our behalf with little — or wholly without — human interaction. When it comes to sensitive medical data being transferred between devices without the need of human interaction, are we comfortable with the moral implications?
- On the same level is the question of raw security. The Internet is made up of packets of data. Without getting too technical, the web works by packets of data being sent from one server to the next through a series of connecting points called hops. The longer the distance a packet of data has to travel, the more hops it makes. As such, the basic underlying rule of Internet security is this: the longer a packet of data has to travel — more hops and more time — the harder it is to secure due to the increased number of touch points within transit. Before devices came into popular use, the argument could be made that because the main touch points of data switched between servers, data centers, carriers, and physically bound location CPUs, the amount of touch points to secure, while still vast, proved to be infinitely less complex than our current situation of personal computing (desktops, smartphones, tablets, laptops) and IoT devices (home thermostats, parking meters, video doorbells, Alexa/Google Home, coffee machines, highway speed markers, etc). As our web of connected devices grows deeper, more complex, and increasingly more mobile, how does any one company, healthcare or not, fully secure a growing network of IP addresses that they do not have secure control over? As our network of technologies grows more robust, without proper governance and personal responsibility/education on securing those IoT devices, how can any one person, PCP, or healthcare provider fully state they are 100% HIPAA-compliant?
- Lastly, legislation is a key aspect of our triangle. The act of legislation is purposely tedious and slow. Our framers intended it to be glacial in movement to protect against the infringement on citizens’ rights and liberties. Moreover, with three branches of the government compelled to check one another, once a law is passed it becomes damn near impossible to fully delete or amend it. For all the good intentions and ramifications of The Health Insurance Portability and Accountability Act of 1996, the law is bound by the speed of our most human of institutions, not by Moore’s Law. In jest, the two concepts — legislation and technological progress — do not meet in the middle to form a well-working machine. Our legislation process and the rate at which technology progresses sit on the opposite ends of the spectrum. This being the case, when technology continually accelerates while legislation stays stagnant or lethargic at best, how can an outdated law meet the demands of a new world governed by algorithms and coders rather than legislators and the judiciary?
The answers to these questions are anyone’s guess.
Healthcare, right now, is the wild west of technological innovation and truth be told, that might not be a good thing. Only time will tell.
Brad Yale can be reached for comment at byale@thebloc.com. He worries about someone hacking his Nest to set the temperature at a permanently chilly 52 degrees Fahrenheit.
