I love the possibilities that Internet of Things (IoT) products bring to our lives. But I'm also very concerned about the associated security and privacy risks that IoT products inherently bring to those using them when controls do not exist or are not used to mitigate the risks. Add to this the common situation of organizations that don't know if or where IoT products are used within their network ecosystems. When risks are not considered and are not known, security incidents and privacy breaches will occur.
Business leaders need to understand that IoT products create cybersecurity and privacy risks; ideally, before they are incorporated within the business environment. Of course, the digital IoT horses have already long left the business barns. But, don't just shrug your shoulders and look the other way. If you want to be a responsible business, that protects your customers, employees, and business, in addition to meeting a growing number of legal requirements, you need to take action sooner rather than later.
IoT product vulnerabilities are increasingly exploited by a wide range of threats. This is particularly true within healthcare environments where IoT is also increasingly used, and where HIPAA compliance must also be addressed when IoT products are used by covered entities (CEs) and their business associates (BAs). When CEs prescribe the use of IoT products, they also bring risks to the patients using them, including consumer IoT products used to support the provision of patient care. CEs and BAs must always consider and mitigate IoT risks appropriately to protect patients and insureds, meet HIPAA compliance, and also to comply with a wide range of additional legal data protection requirements. When considering IoT products within healthcare organizations, this includes Internet of Medical Things (IoMT or MIoT products), which are created specifically for medical use by healthcare organizations to support patient care.
Consider just a few recent statistics.
- Medical data was taken in 22% of breaches caused by insiders, mostly within healthcare providers.
- The global IoMT market is projected to grow from $72.5B in 2020 to $188.2B by 2025.
- 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability.
- 59% of information workers at U.S. healthcare organizations reported that they had not received data security training.
- 82% of healthcare organizations experienced an IoT cyberattack between the beginning of 2020 and mid-2021.
- 90% of healthcare institutions had a data breach in the past two years, and the average cost of the breaches was over $9 million.
Many security risk insights and HIPAA compliance lessons can be learned from these and similar types of studies and associated statistics covering IoT use within healthcare organizations. Here are some of the common ones that I've seen in hundreds of real-life situations.
1. IoT devices connect to many different networks
Many components and entities support and connect with IoT devices: cloud systems, apps, gateways, hubs, routers, business associates, supply chain entities, and more. The exponentially growing use of IoT products worldwide brings similar exponential growth in newly created pathways to health data regulated by HIPAA, as well as to applications that could potentially be exploited to gain access to networks and sensitive data, or to affect the availability of the devices.
How many of the 82% of reported IoT cyberattacks were enabled through such pathways? Consider just two specific examples: 1) 33% of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy; 2) 73% of IV pumps have a vulnerability that could jeopardize patient privacy, safety, and health if exploited.
All the pathways created by the full range of IoT product components must be protected within HIPAA-regulated situations to be in compliance with associated requirements. However, most CEs and their BAs are not even aware of all the components, and typically do not include the complete IoT product components within risk assessments.
2. IoT devices are always collecting data
Most IoT device users realize IoT devices collect and derive massive amounts of data. But the amount, and the types, of data collected are much greater than most realize; how can they know without training? Growing numbers of IoT devices are constantly listening to, and recording, the sounds (e.g., conversations) in the environments within which they are being used—even without the so-called "wake words." Not only are they recording sounds, but often also video, and collecting other data about the environment, including locations and other environmental data that could possibly be associated with specific individuals. This IoT data could be considered a type of PHI (protected health information) when the associated IoT product is being used by CEs in the provision of patient care. Too many CEs and BAs use IoT devices that are always listening, watching, and collecting data within the vicinity where they are used, without realizing that these devices are collecting HIPAA-regulated PHI.
3. IoT products need to have frequent updates
Over half of the medical and other IoT devices used within healthcare are vulnerable because software, firmware, and/or hardware patches are not applied. This is made worse when most CEs allow for a wide range of personally owned IoT devices to be used within their digital environments and don't have requirements for the IoT product owners to make updates as soon as they are available. And of the IoT devices owned and/or managed by the CEs, those responsible for making such updates don't include IoT in their IT inventories, and so they get overlooked. Or, the IT department simply doesn't view IoT technology as being part of its IT management responsibilities. This leaves the CE wide open to attackers exploiting the vulnerabilities to gain access to PHI, and associated applications, systems, and networks. It also leaves CEs not considering IoT devices within their risk management activities, violating a wide variety of HIPAA security requirements.
4. Healthcare entities need to identify the IoT products used in the provision of patient care
CEs and BAs can't protect what they don't know about. And lack of knowledge of such products that involve PHI results in a wide range of HIPAA security and privacy requirements violations. Proper discovery and classification of all IoT devices on a healthcare provider's network helps guard against this risk. IoT products must be properly identified, classified, and secured to effectively reduce risks and comply with HIPAA security requirements.
5. Healthcare entities need to identify specific PHI in the IoT products
CEs must be able to provide an accounting of PHI disclosures under HIPAA. To do this, CEs must know where PHI is located. This becomes a significant challenge when IoT products are incorporated within CE digital ecosystems. For example, IoMT is increasingly being used in telehealth activities, for remote patient monitoring, medical asset tracking, tracking worker locations, and many other uses, to enable ongoing real-time monitoring, support automated care delivery, and to help support secure patient stays. Additional challenges are created when a large portion of IoT products enter and exit the digital ecosystems based upon the movements of those using the devices. Despite the challenges, these issues must be addressed to effectively mitigate risks and comply with HIPAA requirements.
6. Many third parties access, use, and share IoT data
IoT products often create business associate (BA) relationships that the associated CEs don't realize exist. Most IoT/IoMT component manufacturers and support entities that have access to the IoT data, which often includes PHI, also do not realize their compliance obligations. This sets the stage for significant HIPAA non-compliance situations: unauthorized access to PHI, inappropriate use of PHI for which the associated individuals did not give consent where HIPAA requires it, and the full spectrum of HIPAA non-compliance risks all the way through to PHI breaches.
Start addressing IoT/IoMT security, privacy, and HIPAA noncompliance risks now!
Make sure IoT/IoMT product security and privacy risks are being appropriately addressed by establishing:
- Responsibilities for IoT and IoMT device management, clearly assigned within the HIPAA security and privacy compliance program, including within IoT product contracts
- Security and privacy policies, procedures, and practices that include consideration of IoT
- Risk management activities, including risk assessments, that include IoT devices
- Training content, and awareness messages and activities, that cover IoT products
- Business associate risk management and oversight activities, to identify and document how IoT is being utilized by BAs wherever PHI is involved
The U.S. Department of Health and Human Services (HHS) has published many guidance documents describing, in a wide range of ways, how CEs and BAs must include controls for IoT within their HIPAA compliance activities. Here is just one example:
"An IT asset inventory that includes IoT devices can strengthen an organization's risk analysis by raising awareness of the potential risks such devices may pose to ePHI. The lack of an inventory, or an inventory lacking sufficient information, can lead to gaps in an organization's recognition and mitigation of risks to the organization's ePHI. Having a complete understanding of one's environment is key to minimizing these gaps and may help ensure that a risk analysis is accurate and thorough, as required by the Security Rule."
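As an added example, not code from the original article or from HHS, here is a small Python reconciliation script that applies lessons 3 through 6 and the inventory guidance quoted above to constructed data: it compares a constructed IoT/IoMT asset inventory against a constructed network-discovery export (the kind of record a DHCP server or switch ARP table produces) and flags devices seen on the network that nobody inventoried, inventoried devices not currently seen, devices whose installed firmware is older than a patch-age threshold (a simple age heuristic standing in for a real vulnerability feed), PHI-handling devices whose vendor has no business associate agreement on file, and vendor remote-access pathways into PHI-handling devices. All device names, vendors, MAC addresses, dates and the 180-day threshold are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    """One inventoried IoT/IoMT device. All fields are constructed for this example."""
    mac: str
    name: str
    category: str
    firmware_date: date         # release date of the firmware currently installed
    handles_phi: bool           # does the device capture, store or relay PHI?
    vendor: str
    vendor_has_baa: bool        # business associate agreement on file with the vendor?
    vendor_remote_access: bool  # can the vendor reach the device over the network?


def _norm(mac: str) -> str:
    """Normalize MAC formatting so inventory and discovery records compare cleanly."""
    return mac.strip().lower()


# Constructed inventory: what the covered entity believes is on its network.
INVENTORY: Dict[str, Asset] = {
    _norm(a.mac): a for a in [
        Asset("00:1a:2b:00:00:01", "IV pump, ward 3", "infusion_pump",
              date(2020, 11, 3), True, "PumpCo (constructed)", True, True),
        Asset("00:1a:2b:00:00:02", "Patient monitor, ICU bed 7", "patient_monitor",
              date(2021, 6, 15), True, "MonitorCo (constructed)", False, False),
        Asset("00:1a:2b:00:00:03", "Voice assistant, nurse station", "voice_assistant",
              date(2021, 7, 1), True, "SpeakerCo (constructed)", False, True),
        Asset("00:1a:2b:00:00:04", "Asset-tracking tag gateway", "rtls_gateway",
              date(2021, 5, 20), False, "TrackCo (constructed)", True, False),
    ]
}

# Constructed discovery export (think DHCP leases or a switch ARP table).
# Note the mixed-case MAC on the first record and the device nobody inventoried.
DISCOVERED: List[Dict[str, str]] = [
    {"mac": "00:1A:2B:00:00:01", "ip": "10.20.3.11", "vlan": "30"},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.20.3.12", "vlan": "30"},
    {"mac": "5c:aa:bb:00:00:99", "ip": "10.20.3.77", "vlan": "30"},
    {"mac": "00:1a:2b:00:00:04", "ip": "10.20.5.2", "vlan": "50"},
]

MAX_FIRMWARE_AGE_DAYS = 180      # assumed patch-age threshold
AS_OF = date(2021, 8, 1)         # constructed "today" for the firmware-age check


def unknown_devices(discovered: Iterable[Dict[str, str]], inventory: Dict[str, Asset]) -> List[str]:
    """Lesson 4: devices seen on the wire that are missing from the inventory."""
    return sorted({_norm(r["mac"]) for r in discovered} - set(inventory))


def unseen_assets(discovered: Iterable[Dict[str, str]], inventory: Dict[str, Asset]) -> List[str]:
    """Lesson 5: inventoried devices not currently on the network (mobile, removed, or offline)."""
    seen = {_norm(r["mac"]) for r in discovered}
    return sorted(m for m in inventory if m not in seen)


def stale_firmware(inventory: Dict[str, Asset], today: date,
                   max_age_days: int = MAX_FIRMWARE_AGE_DAYS) -> List[str]:
    """Lesson 3: devices whose installed firmware is older than the threshold."""
    return sorted(m for m, a in inventory.items()
                  if (today - a.firmware_date).days > max_age_days)


def phi_without_baa(inventory: Dict[str, Asset]) -> List[str]:
    """Lesson 6: PHI flows to a vendor with no business associate agreement on file."""
    return sorted(m for m, a in inventory.items() if a.handles_phi and not a.vendor_has_baa)


def third_party_phi_pathways(inventory: Dict[str, Asset]) -> List[str]:
    """Lessons 1 and 6: vendor remote access into a PHI-handling device is a pathway to document."""
    return sorted(m for m, a in inventory.items() if a.handles_phi and a.vendor_remote_access)


def build_findings(discovered: Iterable[Dict[str, str]], inventory: Dict[str, Asset],
                   today: date) -> Dict[str, List[str]]:
    """Collect every finding category into one report keyed by finding name."""
    discovered = list(discovered)
    return {
        "unknown_devices": unknown_devices(discovered, inventory),
        "unseen_assets": unseen_assets(discovered, inventory),
        "stale_firmware": stale_firmware(inventory, today),
        "phi_without_baa": phi_without_baa(inventory),
        "third_party_phi_pathways": third_party_phi_pathways(inventory),
    }


if __name__ == "__main__":
    for finding, macs in build_findings(DISCOVERED, INVENTORY, AS_OF).items():
        names = [INVENTORY[m].name if m in INVENTORY else "(not inventoried)" for m in macs]
        print(f"{finding}: {list(zip(macs, names))}")
```

Each finding maps back to a control in the checklist: unknown and unseen devices feed the asset inventory and risk assessment, stale firmware feeds update responsibilities, and the BA findings feed business associate oversight. In practice the discovery export would come from the network team and the firmware check would consult a vulnerability feed rather than a fixed age, but the reconciliation logic stays the same.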
An additional parting thought: CEs and BAs also usually assume IoT products and associated components are secure by default, especially when considering they should be in compliance with HIPAA along with the growing number of data protection regulations. But this is rarely true.