The Medical Internet of Things (MIoT) market is expected to grow with a Compound Annual Growth Rate (CAGR) of 21% between 2020 and 2025. This growth implies that a vast number of healthcare devices will be connected to networks and the Internet within the next few years.
The rapid rise in MIoT devices has largely been driven by the improvements in medical device technology. In addition to the expansion of Internet-connected medical devices (e.g. scanners, patient comfort/care solutions, etc.) within hospitals, Internet-connected medical devices are also becoming common outside the hospital. These devices include both virtual tools, such as fitness apps, and physical devices, like pacemakers and insulin pumps.
HIPAA Requirements and IoT Challenges
There’s no question that IoT will radically shift the healthcare experience. There are examples available on the market today that are simplifying chronic care management and moving care outside the four walls of the traditional medical office. Collecting data in consumer’s homes or workplaces will help healthcare providers understand an individual’s health more holistically, select appropriate treatment plans, change plans as time progresses, and predict future health events. Healthcare can utilize technology to cut ever-rising costs while improving health outcomes in patients, which benefits consumers and the industry alike. In fact, about 60% of healthcare organizations have introduced IoT into their infrastructure by some means.
Despite their advantages, MIoT devices also have their downsides. One of the main challenges introduced by the growth of MIoT devices is compliance with the requirements of the Health Insurance Portability and Accessibility Act (HIPAA). These challenges include:
- IoT Insecurity: IoT devices are notoriously insecure. These devices commonly include weak, default, and hardcoded passwords, contain exploitable vulnerabilities, and violate cybersecurity best practices. When patient medical data is collected, processed, and stored on these insecure devices, it makes it difficult for healthcare providers to meet the data security and privacy requirements of HIPAA compliance and further increases the probability of data breach.
- Business Associates: HIPAA’s requirements are not restricted to medical providers. It also covers “business associates” or third-party organizations that provide services to healthcare providers that bring them into contact with patient health data. IoT devices commonly make use of cloud-based infrastructure for data processing and storing, meaning that the manufacturers, cloud service providers, etc. of MIoT devices must also maintain compliance with HIPAA. Otherwise, the data security and HIPAA compliance status of their customers may be compromised.
All healthcare technology, especially IoT, should be built from the ground-up with the highest HIPAA security regulations in mind.
How MorganFranklin Can Help
Protecting patient data and maintaining compliance with HIPAA requirements requires healthcare providers and their partners to have full visibility into where protected patient data is located and to ensure that the data is adequately protected at these locations. With the rise of MIoT devices, this becomes more complex as organizations’ attack surface expands to include the IoT devices themselves, their IoT devices’ cloud-based infrastructure, and potentially the network and systems of their IoT device providers.
MorganFranklin has extensive experience in performing supply chain discovery and security. This expertise aids healthcare providers’ HIPAA compliance efforts as MorganFranklin analysts can assist in identifying the systems where protected data is stored and ensure that the data is managed in compliance with HIPAA requirements and protected against data breach and other cybersecurity threats.