As app and IoT device use rises, so do security concerns
Across the healthcare industry, apps and devices connected to the Internet of Things are viewed as the most promising ways to engage consumers in their care.
However, consumer participation could be derailed if there are fears that the use of these tools poses a risk to security and privacy.
A variety of developers and provider organizations have taken notice of these concerns and are ramping up security initiatives.
An app or IoT device program should not be put in place until appropriate intrusion detection tools, malware protection and auditing processes are established, warns John Halamka, MD, chief information officer at Beth Israel Deaconess Medical Center.
“We have a number of clinicians and engineers with MD and master’s degrees who created these apps,” Halamka explains. “Having medical and engineering training makes creating healthcare IoT applications much easier. Our information security staff members were involved from the beginning to ensure that security is foundational.”
Ensuring the protection and proper handling of medical information will be crucial to the future growth of these technologies, many say, and developers of apps and IoT devices are stepping up their efforts to harden defenses.
Data in motion
For example, a mobile app created at Beth Israel helps medically vulnerable patients in their homes collect medical device data and send the information securely to appropriate care teams.
Participating patients get software placed on their smartphones—it helps clinicians or care managers know if patients are following their care regimens, such as taking certain medications at the prescribed times, or sending over data such as current weight, daily sodium intake, blood pressure and heart rate. A patient also may transmit information that rates the most difficult breathing that the patient has had that day, based on a 0-to-10 scale. In response, Beth Israel may send over one or more messages reminding the patient to go to the nearest emergency department if they experience severe shortness of breath.
Beth Israel is using the Apple HealthKit set of tools to accelerate its patient monitoring efforts, Halamka notes. “HealthKit enables easy download of electronic health record data, including problem lists, medications, labs and allergies using the Fast Healthcare Interoperability Resources (FHIR) Application Programming Interface,” he adds.
Other tools the hospital is using to gather additional IoT data incorporate Apple’s ResearchKit to enable patients to enroll in clinical trials, answer questionnaires and participate in research workflow, as well as the Apple CareKit that enables patients to collect data from healthcare devices in the home, store care plans and monitor progress.
Despite its aggressive adoption of IoT applications, the hospital still has much to learn. Early in the patient monitoring program, Beth Israel is confronting questions that must be resolved before the program accelerates.
“We’re in the early adopter phase of using patient-generated healthcare data for clinical care,” Halamka notes. “If your Fitbit tells us that your heart rate is 20, do we call an ambulance? If your weight suddenly changes, do we send a visiting home nurse? No one really knows. One challenge is that the accuracy of IoT devices varies widely.”
With the explosive growth of IoT technology, SNS Research, a market intelligence and advisory firm, estimated that by the end of 2017 mHealth devices would achieve as much as $370 billion in annual healthcare cost savings worldwide.
Adam Sobol, CEO at CareBand, a vendor of wearable devices for senior citizens with dementia or other chronic conditions, says there are many different ways that IoT can help providers understand which remote patients are fine and which ones need help.
With CareBand, software on the smartphone lets a patient press a button to call for help, and the location immediately pops up for responders. Analyzing a patient’s movement with sensors on the smartphone can give clues to how likely the patient is to fall that day, based on location, the level of exercise they do, the presence of others in the home or assisted living center and overall compliance with a care regimen. Providers can give the app to neighbors who check in on a patient, enabling them to communicate with providers if the patient’s condition deteriorates.
CareBand for two years has been working with Semtech, creator of LoRa Technology, a radio frequency integrated circuit that is integrated into sensors that are then embedded into devices across industries, including healthcare devices. What makes the CareBand and Semtech alliance important to healthcare organizations, Sobol explains, is the ability to use LoRa technology’s long range and lower power requirements so senior citizens with dementia or other serious conditions can be remotely monitored in a dense urban area.
The most recent version of the technology has tighter security governing the sensors on mobile apps that gather data from a phone or elsewhere in a patient’s home, and the data can be retrieved and sent to providers or care managers for analysis. To address security concerns, Semtech’s technology ensures that no one person has access to root keys, devices cannot be copied and device owners are the only entities that have access to sensor data. It also can run on a private network to give providers more control, visibility and security over data.
In the field
St. Croix Hospice relies heavily on mobile devices to support its 500 remote employees who deliver homecare services to families in Minnesota, Iowa, Wisconsin, Kansas and Nebraska. Its three-person IT department supports Samsung smartphones and tablets, as well as mobile apps for remote employees. Fixing devices and apps has been a major problem, with IT getting as many as 30 support calls a day, and remediating problems over the phone took time, says Brian Wisniewski, information technology director.
To get better organized, the hospice defined eight different roles among remote employees, with each role requiring 10 to 15 apps from a pool of more than 20 apps—these include specific functions for the electronic health record system, GPS navigation, secure email, scheduling and payroll. IT had to ensure it was getting the right apps to the right employees, and managing licenses and updates.
Next, St. Croix Hospice locked down its devices by using whitelisting on Google Play to control what apps could be installed by staff on the phones, Wisniewski adds. Whitelisting specifies which approved apps can be on a computer to prevent harmful applications from getting on the network. St. Croix then contracted with software vendor SOTI MobiControl for its Android device management system and its mobile help desk software to improve remote support.
With the SOTI applications, “remote control enabled IT staff to log into workers’ devices from anywhere and solve mobility issues in minutes,” Wisniewski says. Other benefits included faster device deployment and provisioning, and simplified app management as patches and security updates could be distributed and installed in the background without workers being aware.