Watch out for Wearables if you Want to Avoid a HIPAA Violation

Wearable devices are rising in popularity. Google Glass is now available to the public in the USA and UK, Apple is launching a smartwatch, and other big, influential brands are investing heavily in wearables, so the next few years could see these devices become the norm, including throughout the healthcare industry.

Currently more than 25% of adults in the United States own a fitness tracker or use a smartphone fitness tracking application, and a considerable amount of personal health data is now being recorded.

A recent survey conducted by Juniper Research has predicted that the wearables market will grow ten-fold over the next 4-5 years and that over 180 million devices will have been sold by 2018. Google Glass is stealing the headlines; however, apps and fitness bands are the most popular method of tracking health and wellness at present. The data recorded could revolutionize healthcare by allowing preventative steps to be taken to help patients avoid illness and injury.

Smart glasses such as Google Glass may not prove so popular with consumers, but the benefits to business are considerable. In healthcare they could greatly improve patient care, be invaluable in assisting junior doctors, and ensure vital PHI can be accessed quickly by physicians to help with diagnosis and treatment.

Ease of access to the data for healthcare professionals can also mean easy access for cyber criminals, and the risk of accidental disclosure of protected health information is growing. A survey conducted by PricewaterhouseCoopers (PwC) suggests that while the convenience and benefits of wearable devices are understood by consumers, so are the threats to their privacy and security: 86% of respondents believed that wearable devices would make them more vulnerable to a security breach.

Three quarters of respondents believed that wearables would actually make them more efficient and productive at work, while 70% believed that they would be allowed to wear them at work and that they should be provided by employers.

Smart glasses are now used by doctors to keep their hands free during operations and many industries have adopted them for the improvements they make to efficiency. The issuing of wearables by employers could become as familiar as handing out uniforms.

It is important to remember that while wearables are not specifically mentioned in HIPAA regulations, any electronic PHI they handle is covered by the Security and Privacy Rules just as it would be on a laptop or phone. (The rules apply to covered entities and their business associates; a consumer's own fitness data on their own tracker is not PHI until a covered entity collects or holds it.) There is no official HIPAA certification for devices, so if a wearable records or touches PHI the organization itself must assess it against the Security Rule's requirements: policies and procedures must be updated, and IT departments must ensure the necessary administrative, technical and physical safeguards are in place to protect the data the devices record, store or come into contact with.

Furthermore, a recent ISACA survey suggests that the majority of IT departments are not ready to deal with wearable devices at present and do not cover them in staff procedures or Bring Your Own Device policies. 83% of the respondents polled by PwC believed wearables to be riskier than all other devices.

One major issue is that many wearables are simply sensors that transmit their readings to a smartphone or other device over Bluetooth or other short-range protocols such as ANT/ANT+. These links are frequently set up with weak or no protection: Bluetooth Low Energy "Just Works" pairing, which most trackers use because they have no screen or keypad, gives no defence against an active attacker during pairing, and ANT+ sensor profiles broadcast over the public ANT+ network in the clear. The link-layer controls alone are therefore not robust enough to protect HIPAA-covered data, which must also be protected by the application and once it is stored on the phone.

HIPAA regulations do not specifically cover wearable devices, yet they still have considerable potential to cause a violation. There are a number of steps that can be taken to help keep computer networks and databases secure, and being proactive and conducting a full risk assessment will ensure all potential issues can be identified and addressed. The risk assessment must cover all mobile devices and wearables, and this should be detailed in the procedures.

Methods to make wearable technology more secure

  • Configure Bluetooth on managed devices so they are not discoverable and do not accept unsolicited pairing requests
  • Create a separate network segment for all devices that cannot be controlled by your IT department, and block that segment from reaching systems that hold PHI
  • Maintain an inventory of managed devices and implement alerts and notifications that rapidly identify unknown devices joining the network or reaching PHI systems
  • Put systems in place to restrict or block the transmission of certain types of data
  • Educate employees on the security rules surrounding PHI and wearable devices
  • Understand what each wearable device can do and how it works, and create security rules for each device
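The segmentation and alerting points above can be checked mechanically against network logs. The following Python script is an added example, not code from the original article: it walks a few constructed association and flow events, keeps an inventory of managed devices, and raises an alert when an unmanaged device joins the clinical wireless network, when an unmanaged or unknown device sends traffic to the PHI subnet, or when anything on the quarantine segment reserved for uncontrolled devices reaches that subnet. The log format, the MAC addresses, the subnets and the SSID names are all assumptions made for the example.

```python
"""Flag unmanaged devices and segmentation violations from sample network logs."""
import ipaddress
import re

# Constructed sample events in a simple "timestamp kind key=value ..." format.
# This format is an assumption; real controllers and firewalls log differently.
SAMPLE_LOGS = """\
2015-03-02T09:14:05 assoc mac=a4:c1:38:11:22:33 ssid=CORP-CLINICAL ip=10.20.5.17
2015-03-02T09:14:09 assoc mac=dc:a6:32:aa:bb:cc ssid=CORP-CLINICAL ip=10.20.5.42
2015-03-02T09:15:01 flow src=10.20.5.42 dst=10.50.1.10 dport=443
2015-03-02T09:15:07 assoc mac=f0:d5:bf:01:02:03 ssid=BYOD-WEARABLES ip=10.99.3.8
2015-03-02T09:15:30 flow src=10.99.3.8 dst=10.50.1.10 dport=443
2015-03-02T09:16:00 flow src=10.20.5.17 dst=10.50.1.10 dport=1433
"""

# Hypothetical inventory of devices IT manages (MAC address -> asset name).
MANAGED_DEVICES = {"a4:c1:38:11:22:33": "ward-laptop-07"}

# Hypothetical segments: where PHI systems live, and where uncontrolled
# devices (personal phones, fitness bands, smart glasses) are placed.
PHI_NETWORKS = [ipaddress.ip_network("10.50.1.0/24")]
QUARANTINE_NETWORKS = [ipaddress.ip_network("10.99.0.0/16")]
CLINICAL_SSIDS = {"CORP-CLINICAL"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = m.group("ts")
    fields["kind"] = m.group("kind")
    return fields


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def analyze(log_text, managed=MANAGED_DEVICES, phi_nets=PHI_NETWORKS,
            quarantine_nets=QUARANTINE_NETWORKS, clinical_ssids=CLINICAL_SSIDS):
    """Return a list of alert dicts for the events in log_text, in log order."""
    alerts = []
    ip_to_mac = {}  # most recent association seen for each IP
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "assoc":
            ip_to_mac[ev["ip"]] = ev["mac"]
            # Rule 1: only inventoried devices belong on the clinical SSID.
            if ev["ssid"] in clinical_ssids and ev["mac"] not in managed:
                alerts.append({"rule": "unmanaged_on_clinical", "ts": ev["ts"],
                               "mac": ev["mac"], "ssid": ev["ssid"]})
        elif ev["kind"] == "flow":
            if not in_any(ev["dst"], phi_nets):
                continue  # only traffic toward PHI systems is interesting here
            src = ev["src"]
            mac = ip_to_mac.get(src, "unknown")
            if in_any(src, quarantine_nets):
                # Rule 2: the quarantine segment must never reach PHI at all.
                alerts.append({"rule": "segmentation_violation", "ts": ev["ts"],
                               "src": src, "dst": ev["dst"], "mac": mac})
            elif mac not in managed:
                # Rule 3: a device we do not manage (or never saw associate)
                # is talking to a PHI system.
                alerts.append({"rule": "unmanaged_to_phi", "ts": ev["ts"],
                               "src": src, "dst": ev["dst"], "mac": mac})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the script produces three alerts: the unmanaged tracker hub dc:a6:32:aa:bb:cc joining CORP-CLINICAL, its subsequent connection to the PHI host, and the wearable on the BYOD segment reaching the same host; the managed laptop's connection is left alone. In production the inventory would come from the MDM or asset register and the alerts would go to the SIEM, but the three rules are the same.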

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.