This post is the second of a two-part series. In part one, I discussed the severity and scope of current cybersecurity threats to digital health, then explored government standards set to prevent health companies from falling victim to data breaches, and how consumers can harness these guidelines to protect themselves. Here, I’ll continue by examining how users of digital health tools that fall outside HIPAA regulations can safeguard their information, as well as what digital health providers and manufacturers can do to ensure their products remain secure.
Not every digital health tool must adhere to HIPAA guidelines: apps and wearable devices such as the Nike Fuelband, which do not send user information to healthcare organizations, are not bound by such standards, yet they may still gather and store sensitive personal data. Patients who use these devices are not defenseless, however. Beyond using password protection, two-factor authentication, or an encryption tool on their device, there are a number of measures patients can take to shield their data from prying eyes.
Patients can download a number of security-related tools, including personal firewalls and security software, as well as programs that allow a device to be remotely wiped or disabled. Security software should always be kept up to date. When in public, patients should maintain physical control over their device, and refrain from accessing health-related applications or sharing health data over public Wi-Fi whenever possible. It is also imperative that, before repurposing a device, digital health consumers use a data-clearing tool to wipe all relevant data. When discarding a device, users should make sure it is properly destroyed or purged through magnetic field exposure (degaussing).
When it comes to maintaining the integrity of medical data, digital health consumers can only do so much. Amid the perils posed by ransomware and other malware, many patients may begin to wonder whether using digital health applications is worth the risk. It falls upon digital healthcare companies to assuage these concerns in a manner that ensures the prosperity and stability of all involved: by rigorously evaluating any past failures, and by strengthening current security practices so that their systems are robust enough to withstand threats.
In a market marred by increasing security threats, simply toeing the government-mandated line on FDA market clearance or HIPAA compliance should constitute a bare minimum effort. Companies that truly consider patient well-being must educate their employees and optimize their technological resources to establish a comprehensive approach to patient data protection.
Perimeter security measures such as firewalls and antivirus programs are useful for keeping out intrusions; however, companies should also focus on methods that limit the damage should an attack occur. Techniques such as segregating networks, so that intruders are confined to isolated segments, achieve this. Employees must also be educated in security protocols, such as how to set a strong password and how to recognize phishing and social engineering scams. Under no circumstances should an employee store or transport sensitive data on an unencrypted device. A mobile device policy that sets company-wide guidelines on what types of apps can be installed on which devices, or which devices may be used to store certain data, is beneficial as well, and mobile device management (MDM) software can be employed to enforce company rules.
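As an added illustration of the segmentation advice above (this is not part of the original post, and not any particular company's configuration), the following nftables ruleset keeps a medical-device VLAN apart from the corporate network so that a compromised workstation cannot reach the devices, and a compromised device can reach only its monitoring collector. The VLAN interface names, addresses and ports are constructed assumptions.

```nft
# Constructed example: two VLANs on a Linux gateway.
#   vlan10 = corporate workstations  (10.10.0.0/24)
#   vlan20 = medical monitoring devices (10.20.0.0/24)
# Assumed hosts: 10.10.0.5 = monitoring collector, 10.10.0.10 = admin jump host.
table inet segmentation {
    chain forward {
        # Default-deny between segments: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept

        # Devices may only push telemetry to the collector over HTTPS.
        iifname "vlan20" oifname "vlan10" ip saddr 10.20.0.0/24 \
            ip daddr 10.10.0.5 tcp dport 443 accept

        # Only the admin jump host may open SSH sessions to the device VLAN.
        iifname "vlan10" oifname "vlan20" ip saddr 10.10.0.10 \
            ip daddr 10.20.0.0/24 tcp dport 22 accept

        # Everything else crossing a segment boundary is logged and dropped,
        # so a foothold on one side cannot roam to the other.
        log prefix "segmentation-drop: " drop
    }
}
```

Loaded with `nft -f`, the ruleset drops and logs every cross-segment connection that is not explicitly listed, which is the property that confines an intruder. The logged drops are also worth feeding to monitoring: unexpected cross-segment attempts are an early sign that something inside a segment has been compromised.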
Wireless networks can often serve as an entry point for uninvited guests to slip inside company databanks. Out-of-date routers, such as those that still employ the Wired Equivalent Privacy (WEP) standard, are especially exposed to the modern hacker's toolkit. Healthcare services should always ensure their routers are up to date, passwords are rotated regularly, and unauthorized devices are prevented from joining the network. Stored data should also be regularly cleansed of any information that is no longer necessary. In addition, organizations that use third-party cloud storage services should thoroughly vet vendors' security protocols before agreeing to a partnership. Finally, any software running on pacemakers or other electronic monitoring devices should be routinely patched and updated, as such devices can be hacked.
Improper security practices cost careless digital health companies billions in lawsuits and lost future revenue. Poor security can also damage patients' well-being, in some cases just as grievously as medical malpractice. Before engaging with a digital health manufacturer, online care provider, or company that uses digitized data storage, patients might conduct a bit of preliminary research into its security strategies, as well as into methods for self-protection. Placing such a significant amount of trust in digital health may seem daunting; however, there are many patient-centric companies that prioritize investing the funds and resources necessary to keep their products secure, just as there are numerous habits and strategies patients can use to safeguard their personal data.