Securing healthcare technologies is critical to human health and safety, not just in the medical setting but also with consumer HealthTech.
In an afternoon session on February 3 at the Enigma 2022 conference, Joy Forsythe, director of security at Alto Pharmacy, explained that HealthTech is a growing category of healthcare products and services targeted at consumers and available outside traditional medical establishments. HealthTech can include online medical services as well as software- and hardware-based human health monitoring technologies.
Forsythe pointed out that, in the US, any information about a person's health collected by a healthcare provider or medical professional with a direct relationship to the patient is generally considered protected health information. The US government rules protecting such information are referred to as HIPAA (Health Insurance Portability and Accountability Act).
She noted that it's not always clear what rules apply when it comes to HealthTech services and devices.
Forces Impacting Security in the Healthcare Ecosystem
Forsythe identified regulations as critical among the primary forces that impact security across the healthcare landscape.
While HIPAA outlines user privacy requirements, other regulations include guidance on security practices issued by the US Department of Health and Human Services (HHS). For example, Forsythe noted that HHS has established that fax is considered a secure transmission method if the recipient's fax number can be confirmed.
"Generally speaking in healthcare, if you verify that the fax number is correct, that's considered secure," she said. "If there's a breach because of a fax that was sent to the correct phone number, the provider is not liable."
While fax is an outdated, decades-old technology, the HHS guidance on email as a secure data transmission method is less specific. As a result, Forsythe stressed, many healthcare entities in the US have banned email for sending personal health information.
Industry certification is another strong force that security teams in healthcare need to deal with.
"Certification is an attempt to standardize third-party risk assessments and simplify vendor management," Forsythe said. "But certification often pushes outdated security controls, and they failed to reduce risk in modern environments."
How HealthTech Can Improve Security
Not all HealthTech devices are bound by the same regulations in the US as technologies and services directly provided by medical professionals.
"Consumer wellness startups are not acting as healthcare providers, and they may not be subject to HIPAA for a while," she commented. "They still have to abide by other privacy laws that are often less burdensome."
The opportunity for security people in HealthTech is to actually do the risk identification required by the privacy rules that are in place, such as CCPA in California or GDPR in Europe.
It's also important that HealthTech providers track which data is identifiable because that's the data that matters for privacy. Additionally, she recommends that HealthTech providers enable an auditable record of all access to user data by services, employees and partners.
Forsythe concluded by emphasizing the role that security can play in HealthTech: "I think there's still a lot of opportunity for security to come into HealthTech organizations and make a difference in how they handle data."