Connected Medical Devices: How to Reduce Risks Inherent in an Internet of Things that Can Help or Harm
Laura Clark Fey, Esq., Principal, Fey LLC

Agenda
- Overview of the Internet of Things for Healthcare
- How the Internet of Things Can Help or Harm
- Current Regulatory Environment for Connected Medical Devices
- Tips to Reduce Internet of Things Risks
OVERVIEW OF THE INTERNET OF THINGS FOR HEALTHCARE

Definitions
What is the IoT? The Internet of Things (IoT) refers to any object or device that connects to the Internet to automatically send and receive data.
What is an IoT Device? A device that is:
- Aware (gathers information using sensors)
- Autonomous (automatically transmits information to other machines when certain conditions are met)
- Actionable (interfaces with cloud applications to use the collected data)
IoT Examples
Gartner predicts that by 2020, there will be over 26 billion connected devices in the IoT.
Medical Device Examples Include:
- Heart Monitors
- Blood Sugar Monitors
- Pacemakers
- Insulin Pumps
- Asthma Inhalers
- Thermometers
- Wheelchairs
Other Types of Connected Devices Include:
- Cell Phones
- Coffee Makers
- Washing Machines
- Headphones
- Lamps
- Baby Monitors
- Thermostats
- Cars

Categories of IoT Medical Devices
- Consumer-Based (e.g., fitness tracking devices)
- Wearable, External Devices (e.g., insulin pumps)
- Internally Embedded Devices (e.g., pacemakers)
- Stationary Devices (e.g., IV pumps, home monitoring devices)
Areas of Healthcare into which IoT is Integrated
- Patient monitoring and diagnostics
- Information and data transfer, storage, and collaboration
- Intelligent healthcare devices and tools
- Connected emergency units, response vehicles, and hospitals

HOW THE INTERNET OF THINGS CAN HELP OR HARM
Healthcare Benefits of IoT
- Improved patient monitoring, patient engagement, and patient care
- Improved understanding of diseases, disease risk factors, and treatment options
- Improved operational efficiency
- Reduced healthcare costs

Potential Harm: Security Concerns with Healthcare IoT
- Significant Patient Safety Risks: Hackers could potentially disrupt devices (e.g., pacemakers) and cause serious injury or death
- Insecure, Outdated Devices: Devices become more vulnerable over time when there is no easy, secure update process, so known flaws remain exploitable for the life of the device
- Increased Attack Surface: Remote services and functions exposed by IoT devices can serve as a foothold from which to breach other systems on the same network
Potential Harm: Privacy Concerns with Healthcare IoT
- Notice/Consent: IoT devices, often small and operating in the background, create new challenges for notice and consent
- Ability to Use Data for a Variety of Purposes: Data collected for medical purposes can be easily repurposed for marketing or other purposes
- Perceived Privacy Loss: Consumers may be creeped out by the surveillance capabilities of IoT

CURRENT REGULATORY ENVIRONMENT FOR CONNECTED MEDICAL DEVICES
Overview of Regulations Governing Connected Medical Devices
- FDA Safety Regulations
- Protected Health Information Privacy and Security Regulations
- Children's Online Privacy Protection Act
- Federal and State Data Privacy and Security Regulations

TIPS TO REDUCE INTERNET OF THINGS RISKS
Top 5 Tips for Healthcare Organizations to Implement IoT Governance
- Collaborate with IT, information security, legal, compliance, and business units
- Leverage existing privacy and security governance, management, and operations for IoT use cases
- Designate IoT experts to aid business units in technology selection, risk assessment, and planning
- Develop a business case, and obtain additional funding for information security
- Incorporate IoT considerations into the security incident response plan

Top 5 Tips for Healthcare Organizations to Select Secure IoT Technology
- Evaluate security requirements for incoming technologies in the context of the IoT ecosystem
- Perform due diligence, including review of vendor privacy and security practices
- Build privacy and security requirements into vendor contracts
- Require annual audit reports
- All else being equal, prefer newer technology from well-established vendors
Additional Tips for Healthcare Organizations to Implement IoT Security and Privacy
- Address network security
- Use strong passwords
- Require encryption in transit and at rest
- Keep devices updated
- Provide notice to patients/users regarding use and disclosure of PHI

FTC IoT Security Recommendations
- Security by Design
- Culture of Security
- Third Party Service Providers
- Defense in Depth Strategy
- Access Control Measures
- Monitor Products
- Data Minimization
Top 10 Security Tips for Manufacturers and Developers
- Implement security by default
- Take a security by design approach
- Analyze risks and mitigation strategies
- Develop and implement a secure update process
- Mandate secure authentication practices
- Develop secure web, cloud, and mobile interfaces
- Implement encryption for data in transit and at rest
- Design and manufacture physically secure devices
- Ensure sufficient security configurability
- Implement strong organizational and service provider security practices
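The "secure update process" tip above, together with the earlier point that devices stay vulnerable when there is no easy update path, is the one item on these lists that reduces to a concrete device-side check. The following is an added illustration, not code from the presentation or from any device vendor: a minimal updater that refuses an image unless its manifest is authenticated, the image matches the digest the manifest names, and the version is newer than the one running (anti-rollback). The manifest format, the DEMO_KEY, and the use of HMAC-SHA256 are assumptions made for a self-contained example; a real device should verify an asymmetric signature (e.g. Ed25519 or ECDSA) so that only a public key is stored on the device and the signing key stays in the vendor's HSM.

```python
"""Added example: device-side verification of a firmware update (constructed, not from the slides).

The device applies an image only if:
  1. the manifest's authenticator checks out under the device's key,
  2. the manifest's version is strictly newer than the installed one (anti-rollback),
  3. the image hashes to the digest the manifest carries.
HMAC-SHA256 with a shared demo key stands in for the asymmetric signature a real
vendor would use; the structure of the checks is the same either way.
"""
import hashlib
import hmac
import json
import struct

# Constructed demo key. On a real device the verification key lives in a protected
# store (secure element, fused OTP) and is a *public* key; the signing key never
# leaves the vendor's HSM.
DEMO_KEY = b"demo-update-key-not-for-production"


class UpdateRejected(Exception):
    """Raised for any reason the update must not be applied."""


def _mac(key: bytes, version: int, image_digest: bytes) -> bytes:
    # Bind version and digest together under one MAC so neither can be swapped
    # for a value taken from a different (e.g. older, vulnerable) release.
    return hmac.new(key, struct.pack(">I", version) + image_digest, hashlib.sha256).digest()


def build_manifest(key: bytes, version: int, image: bytes) -> dict:
    """Vendor side: describe the image and authenticate that description."""
    digest = hashlib.sha256(image).digest()
    return {"version": version, "sha256": digest.hex(), "mac": _mac(key, version, digest).hex()}


def verify_update(key: bytes, current_version: int, manifest: dict, image: bytes) -> int:
    """Device side. Returns the version to install, or raises UpdateRejected.

    Order matters: authenticate the manifest first, then the cheap rollback check,
    then the image hash, so unauthenticated input controls as little work as possible.
    """
    try:
        version = int(manifest["version"])
        claimed_digest = bytes.fromhex(manifest["sha256"])
        mac = bytes.fromhex(manifest["mac"])
    except (KeyError, ValueError, TypeError):
        raise UpdateRejected("malformed manifest")
    if not hmac.compare_digest(mac, _mac(key, version, claimed_digest)):  # constant-time
        raise UpdateRejected("manifest authentication failed")
    if version <= current_version:
        raise UpdateRejected("rollback to version %d refused" % version)
    if not hmac.compare_digest(hashlib.sha256(image).digest(), claimed_digest):
        raise UpdateRejected("image does not match manifest")
    return version


if __name__ == "__main__":
    firmware = b"\x7fELF constructed firmware image v3"  # constructed sample image
    manifest = build_manifest(DEMO_KEY, 3, firmware)
    print(json.dumps(manifest))
    print("installed version", verify_update(DEMO_KEY, 2, manifest, firmware))
    cases = [
        ("tampered image", manifest, firmware + b"\x00"),
        ("rollback", build_manifest(DEMO_KEY, 1, firmware), firmware),
        ("forged mac", dict(manifest, mac="00" * 32), firmware),
    ]
    for label, bad_manifest, bad_image in cases:
        try:
            verify_update(DEMO_KEY, 2, bad_manifest, bad_image)
        except UpdateRejected as exc:
            print(label, "->", exc)
```

The rollback check is the part most often omitted in practice: a correctly signed but older image is exactly what an attacker will replay to reinstate a known-vulnerable release, so the installed version (or a monotonic counter) must be stored where the update itself cannot reset it.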
Top 5 Privacy Tips for Manufacturers and Developers
- Determine the legal requirements for privacy and security that apply to your target market
- Develop a compliant privacy policy, and enforce it
- Provide choice to users before collecting and using personal data
- Anonymize and de-identify data
- Consider data minimization, where practical
Thank you for attending!
Laura Clark Fey, Esq., CIPP/US, CIPP/E, CIPM
Principal, Fey LLC
E-Mail: lfey@feyllc.com
Direct: 913.948.6301
Mobile: 816.518.6554