#Enigma2022: Security’s Role in Helping HealthTech Find Its Way
Securing healthcare technologies is critical to human health and safety, not just in the medical setting but also with consumer HealthTech.
In an afternoon session on February 3 at the Enigma 2022 conference, Joy Forsythe, director of security at Alto Pharmacy, explained that HealthTech is a growing area of healthcare products and services targeted at consumers that are available outside traditional medical establishments. HealthTech can include online medical services and both software- and hardware-based human health monitoring technologies.
Forsythe pointed out that any information collected about a person’s health by a healthcare provider or medical professional that has a direct relationship with a patient is often considered in the US to be protected health information. The US government rules protecting such information are referred to as HIPAA (Health Insurance Portability and Accountability Act).
She noted that it’s not always clear what rules apply when it comes to HealthTech services and devices.
Forces Impacting Security in the Healthcare Ecosystem
Forsythe identified regulations as critical among the primary forces that impact security across the healthcare landscape.
While HIPAA outlines user privacy, other regulations include guidance on security practices issued by the US Department of Health and Human Services (HHS). For example, Forsythe noted that HHS has established that fax is considered a secure transmission method if the recipient’s fax number can be confirmed.
“Generally speaking in healthcare, if you verify that the fax number is correct, that’s considered secure,” she said. “If there’s a breach because of a fax that was sent to the correct phone number, the provider is not liable.”
While fax is an outdated, decades-old technology, the HHS guidance on email for secure data transmission is less specific. As a result, Forsythe stressed, many healthcare entities in the US have banned email for sending personal health information.
Industry certification is another strong force that security needs to deal with for healthcare security.
“Certification is an attempt to standardize third-party risk assessments and simplify vendor management,” Forsythe said. “But certification often pushes outdated security controls, and they failed to reduce risk in modern environments.”
How HealthTech Can Improve Security
Not all HealthTech devices are bound by the same regulations in the US as technologies and services directly provided by medical professionals.
“Consumer wellness startups are not acting as healthcare providers, and they may not be subject to HIPAA for a while,” she commented. “They still have to abide by other privacy laws that are often less burdensome.”
The opportunity for security people in HealthTech is to do the risk identification for the privacy rules that are in place, such as CCPA in California or GDPR in Europe.
It’s also important that HealthTech providers track which data is identifiable because that’s the data that matters for privacy. Additionally, she recommends that HealthTech providers enable an auditable record of all access to user data by services, employees and partners.
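The two recommendations above (know which fields are identifiable, and keep an auditable record of every access by services, employees and partners) can be combined in a small access layer. The following is an added illustration, not code from the talk, from Alto Pharmacy or from any product Forsythe described; the field classification, actor types, record layout and sample data are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Iterable

# Constructed classification. Fields that identify a person are the ones
# privacy rules such as CCPA and GDPR attach to, so they are tagged explicitly
# rather than inferred at audit time.
IDENTIFIABLE_FIELDS = frozenset({"name", "email", "date_of_birth", "phone"})
ACTOR_TYPES = frozenset({"service", "employee", "partner"})


def is_identifiable(fields: Iterable[str]) -> bool:
    """True if any of the requested fields identifies the user."""
    return bool(IDENTIFIABLE_FIELDS & set(fields))


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str          # UTC, ISO-8601
    actor: str              # who read the data: service name, employee or partner
    actor_type: str         # one of ACTOR_TYPES
    user_id: str            # whose data was read
    fields: tuple           # which fields were returned
    purpose: str            # stated reason for the access
    identifiable: bool      # whether the read included identifying fields


class AuditedUserStore:
    """In-memory user record store where every read is written to an audit log."""

    def __init__(self, records: dict) -> None:
        self._records = records
        self.audit_log: list = []

    def read(self, actor: str, actor_type: str, user_id: str,
             fields: Iterable[str], purpose: str) -> dict:
        fields = tuple(fields)
        if actor_type not in ACTOR_TYPES:
            raise ValueError(f"unknown actor type: {actor_type}")
        if not purpose:
            raise ValueError("a purpose is required for every access")
        record = self._records[user_id]            # KeyError for unknown users
        unknown = set(fields) - record.keys()
        if unknown:
            raise KeyError(f"unknown fields: {sorted(unknown)}")
        # Record the event before returning data, so the log never lags the read.
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            actor=actor, actor_type=actor_type, user_id=user_id,
            fields=fields, purpose=purpose, identifiable=is_identifiable(fields),
        ))
        return {f: record[f] for f in fields}

    def identifiable_accesses(self) -> list:
        """Events that touched identifying data; the first thing a privacy review asks for."""
        return [e for e in self.audit_log if e.identifiable]

    def accesses_by(self, actor: str) -> list:
        """Everything a given service, employee or partner has read."""
        return [e for e in self.audit_log if e.actor == actor]


def build_demo_store() -> AuditedUserStore:
    # Constructed sample record; not a real person.
    return AuditedUserStore({
        "u1": {"name": "A. Example", "email": "a@example.invalid",
               "date_of_birth": "1980-01-01", "phone": "000-0000",
               "medications": ["placebo"], "step_count": 4200},
    })


def run_demo() -> AuditedUserStore:
    """Three constructed accesses: one service, one partner, one employee."""
    store = build_demo_store()
    store.read("refill-service", "service", "u1", ["medications"], "refill reminder")
    store.read("analytics-partner", "partner", "u1", ["step_count"], "aggregate stats")
    store.read("support-agent", "employee", "u1", ["name", "email"], "support ticket")
    return store


if __name__ == "__main__":
    for event in run_demo().audit_log:
        flag = "IDENTIFIABLE" if event.identifiable else "non-identifying"
        print(f"{event.timestamp} {event.actor_type:8} {event.actor:18} {event.fields} {flag}")
```

Only the employee's read of name and email is flagged as identifiable; the partner's read of step counts is logged but not flagged. Requiring a purpose on every read, and refusing reads that do not name one, is what turns a log into an auditable record rather than a list of timestamps.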
Forsythe concluded by emphasizing the role that security can play in HealthTech: “I think there’s still a lot of opportunity for security to come into HealthTech organizations and make a difference in how they handle data.”