The internet of things (IoT) consists of objects endowed with computing power through processors or imbedded sensors that are capable of transmitting information across networks. The IoT is any physical device that connects to the internet. Examples are home security systems, Fitbits that feed data to the patient’s physician, tagged surgery patients so loved ones can follow their progress on a screen in the waiting area or smart badges that track hospital personnel. As with any new technology there are concerns about data security and IoT device management. The number of connected devices and the tremendous amount of data they collect can be a challenge for hospital IT to manage.
The future of medicine will become more dependent on the IoT and providers will be interacting with, promoting and developing such devices. The risk industry was slow to respond to cyber security risk by not performing risk assessments and by not creating risk transfer programs. IoT medical devices should be examined and underwritten as possible for risk as soon as possible. The act of due diligence through a security risk assessment is a key risk management strategy. Due diligence may include technical, administrative and physical controls. The FDA published guidance on how to accomplish assessments to help ensure national security, economic stability and public health and safety (FDA, 2016). The FDA recognized many risks, including where a signal may identify vulnerability in one device and that same vulnerability may impact other devices including those in development or those not yet cleared, approved or marketed. Worse, it could affect a provider or patient’s electronic medical record, personal computer, server or other connected (by purpose or not) data systems. The majority of the IoTs are not regulated by the FDA, however. Here, a non-inclusive review of risks and opportunities is examined.
If a provider develops a device, e.g., a wearable device that tracks sugar levels, royalties may offset fewer visits. On the other hand, more data could result in more information that could increase visits. As the patient is more engaged by interacting with a wearable device, for instance, no-show visits may decline as the patient is likely to be more motivated to seek provider assistance. More data may indicate illness which would result in visits that otherwise may not have existed.
Loss of data
Debate on who owns the data has not begun in earnest, but one can clarify or become aware of ownership on a case by case basis. No matter who is determined to own the data, hackers and cybercriminals will be busy creating ways to steal or obstruct the data. Hackers could alter data from wearables or make it unavailable. It is unclear why anyone would want to do this, but it happens in other industries. Data being collected could include advanced genetic testing, which would make it more valuable to thieves (Liu, Musen, & Chou, 2015). Cyber blackmail over one’s diagnosis, even a preliminary diagnosis conceived by a hacker’s artificial intelligence generator, could create a public relations and financially risky scenario.
Marketing by provider
Any marketing effort has its share of risks. The marketing of a provider-created device that transmits wireless power to an IoT device or a third-party device would demand due diligence as noted above. However the risk professional would likely base a review on a lack of data since the FDA is unlikely to be involved.
It will not be long before providers and data server managers discover a tipping point for data overload. Many devices continually monitor patients and feed data. Wearable sensors have become very efficient and effective in collecting data.
Move to wellness from sick care model
If the health care delivery model embraces wellness through the IoT, risk opportunities overall may decrease. A portable laboratory on a phone that is now equal to traditional lab testing can improve access to rural, remote and developing areas or for those just annoyed with going to a lab (Wang, L.J. et al., 2018). Other wearables can detect Alzheimer’s early and monitor the disease.
All in all, it is too early to determine if the benefits of the IoT, and wearables in particular, outweigh the risk. Particularly given this uncertainly, risk professionals have the opportunity to identify, review and assess the environment of the IoT that interacts with their organization as IoT devices are likely on the critical path to become yet another factor in the disruption of health care.
FDA. (2016). Postmarket management of cybersecurity in medical devices.
Liu, V., Musen, M., & Chou, T. (2015). Data breaches of protected health information in the United States. JAMA, 313(14), 1471-1473.
Wang, L.J. et al. (2018). Analytical validation of an ultra low-cost mobile phone microplate reader for infection disease testing. Clinc Chim Acta, 482, 21-26.
Mark Dame, MHA, FACHE, CPRHM is an assistant professor, School of Health Professions, Texas Tech University Health Sciences Center.