Security In Healthcare Innovation

The media has been awash with stories of companies that have suffered because of preventable security breaches, so it is easy to see why so many CIOs and senior leaders rate security as their primary concern. One of the most consequential examples comes from the healthcare industry.

Much of the revolution happening today in healthcare stems from wearables. Wearable technologies include fitness trackers and implanted devices that communicate directly with mobile apps and/or websites. With the wearables market experiencing sizeable growth, these devices have significant potential to save lives and improve the quality of healthcare, but they also open up serious risks related to the sharing of sensitive information.

In fact, the U.S. Department of Health and Human Services (HHS) recently issued a 32-page report to Congress that states: “The wearable fitness trackers, social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996.”

The report concludes: “large gaps in policies around access, security, and privacy continue, and confusion persists among both consumers and innovators. Wearable fitness trackers, health social media, and mobile health apps are premised on the idea of consumer engagement. However, our laws and regulations have not kept pace with these new technologies.”

You Can’t Ignore Compliance

Just because “large gaps around access, security and privacy” exist when it comes to the Health Insurance Portability and Accountability Act (HIPAA) and mobile health, businesses should not assume that they can ignore compliance. That’s a mistake that could cost companies thousands of dollars in fines, lost business, ruined reputations and possibly even criminal penalties.

Since HIPAA is one of the laws that governs the privacy of medical information, being able to eliminate compliance objections clears the way for more device sales to a broader market that includes wellness programs. This is also important because it illustrates some hard principles of HIPAA.

HIPAA compliance is like a chain that can be broken by one weak link. Estimates of the number of HIPAA-violating companies aren’t available. I’m often amazed at how many companies don’t even realize they need to comply with this regulation. Furthermore, HIPAA isn’t just a regulation that hospitals and wearable manufacturers have to worry about; it is a real law, with real penalties, and it applies to everyone that stores protected information.

Best Practices for HIPAA Compliance & Security

Fortunately for businesses engaged in mobile health initiatives, there are some established best practices to follow when developing and utilizing wearables. These practices will help alleviate a company’s risk from both a HIPAA compliance and security standpoint. Below is a list of things to consider:

  1. Focus on compliance and security from the very beginning.
  2. Leverage static code analysis tools that help developers scan, analyze and identify security vulnerabilities before they become a much larger problem.
  3. Utilize secure mobile development tools. These tools enable developers to instantiate secure and compliant communications between devices, applications and the cloud, where data is encrypted on the wearable, in motion and at rest in the data repository.
  4. Don’t assume the data repository is secure and/or HIPAA compliant.
  5. Be sure to follow the HIPAA Privacy Rule in terms of records permissions, access, opt-outs and changes.
  6. For overall security and compliance, a good place to start is to follow the guidance provided by The Center for Internet Security (CIS). CIS has a specific section just for mobile security: CIS Controls Mobile Security Companion. This document offers guidance for applying the CIS Controls to mobile devices.

Many businesses that are too small for a full-time compliance officer or department are understandably intimidated by HIPAA compliance issues. By following the above list of best practices, businesses can bridge the HIPAA compliance gap for mobile health and wearable initiatives and deliver enhanced security.

Security in Enterprise Communications

The same is also true for enterprise communications when you consider how much sensitive information is stored in a company’s systems — desk phones and softphones, voicemail recordings, customer call centers, collaboration tools, etc.

Businesses that are unable to tackle healthcare security and compliance on their own should look for the right cloud communications provider that can help shoulder this burden. To learn more, check out this 8x8 whitepaper on HIPAA security, reliability and general compliance.

Mike McAlpen


Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before this Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, on the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.