by Stephen Wu
Healthtech devices are increasingly common. People are wearing sensor devices that monitor fitness metrics. They can count steps and distance walked or run, calories burned, elevation changes, and heart rate. In the future, people may swallow sensor devices that can monitor or transmit video of the digestive system, may have sensor devices in their bloodstream monitoring the level of a medication, or may ingest smart pills that detect diseases. An organization can also embed devices in a patient, such as a catheter for an insulin pump, a pacemaker, or microchips placed under the skin.
With all of these devices, various security vulnerabilities may be present. Hackers can exploit vulnerabilities to take control of them or otherwise tamper with them. Devices that communicate with systems outside the body entail the risk of interception or interruption. Moreover, once systems collect data from devices on or in the body, the systems are potential targets for attack.
To mitigate these risks, the device manufacturers should design their products with security features in mind. They should thoroughly test the device during the design phase to determine if vulnerabilities pose risks to users. They should have an independent third party test the device to check for vulnerabilities and seek any available security certifications for the device. Finally, the vendor hosting the applications and data needs to secure the data and the systems collecting the data. It should use transmission security procedures and technology to secure the communications with the device, encrypt the collected data, and manage access to the infrastructure supporting the devices.
Healthtech companies collecting and processing data on behalf of entities covered by the Health Insurance Portability and Accountability Act (HIPAA) may be “business associates” of those covered entities. HIPAA business associates have an obligation to maintain the confidentiality, integrity, and availability of protected health information collected on behalf of covered entities. Even if healthtech companies are not collecting data on behalf of HIPAA covered entities, they have an obligation to avoid unfair and deceptive practices towards consumers. Failing to protect consumer data may trigger liability for such conduct. Liability may result in civil money penalties or class action suits filed by consumers.
Stephen Wu wrote A Guide to HIPAA Security and the Law (Second Edition) published by the American Bar Association in August 2016. For more information on the book or this post, please contact Stephen Wu by completing the web form here.