Security is the number one criterion for buyers of cloud communications, according to IHS Senior Research Director Diane Myers. The media have been awash with stories of companies that have suffered because of preventable security breaches, so it is easy to see why so many CIOs and senior leaders name security as their primary concern.
Security is also top of mind for consumers. According to a recent report by FireEye, 76 percent of respondents stated they would take their business elsewhere due to negligent data handling practices.
Guest article by Mike McAlpen, Head of Security and Compliance at 8×8
Security concerns in a changing healthcare industry
One of the most consequential examples comes from the healthcare industry. Much of the change happening there stems from wearables: fitness trackers, implanted devices and similar technologies that report directly to mobile apps and/or websites.
According to ABI Research, “activity tracker shipments continued to grow in 2015, up almost 80% over 2014 as new players entered the market and sales outside the U.S. took off.” ABI anticipates activity tracker shipment totals to “top 87 million in 2021 as these devices, from players including Fitbit, Xiaomi, Jawbone, Misfit (Fossil), and many others, will continue to lead consumers into the emerging wearable wireless connected health and wellbeing market.”
With this sizeable growth, these devices have significant potential to save lives and improve the quality of healthcare, but they also open up serious risks in how sensitive information is shared.
In fact, the U.S. Department of Health and Human Services (HHS) recently issued a 32-page report to Congress that stated, “wearable fitness trackers, social media sites where individuals share health information through specific social networks, and other technologies that are common today did not exist when Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996.”
The report concluded that “large gaps in policies around access, security, and privacy continue, and confusion persists among both consumers and innovators. Wearable fitness trackers, health social media, and mobile health apps are premised on the idea of consumer engagement. However, our laws and regulations have not kept pace with these new technologies.”
Overcoming security and compliance issues with wearables
So how can organizations develop and use secure and compliant wearable health devices from the beginning — from product development to communicating information in the cloud?
The fact that “large gaps around access, security, and privacy” exist between HIPAA and mobile health does not mean businesses can ignore compliance. That mistake can cost companies thousands of dollars in fines, lost business and ruined reputations, and in some cases criminal penalties.
The converse is also true: companies that achieve HIPAA compliance, even in industries as far afield as wearables and fitness trackers, can use it as a competitive edge to win new business.
One example is consumer device manufacturer Fitbit, which has been verified as a HIPAA-compliant business and can therefore issue and sign Business Associate Agreements (BAAs) with enterprises that buy Fitbits for their employees. (HHS itself does not certify anyone as HIPAA-compliant; such verification comes from independent assessment and the vendor’s own attestation.) A BAA is the contract under which a vendor that handles protected health information (PHI) on a covered entity’s behalf commits to the Privacy and Security Rule safeguards and becomes directly liable for them. Because Fitbit will sign one, a company that rolls out the devices does not have to worry about Fitbit becoming the weak link in its own compliance. The BAA does not, however, relieve the customer of responsibility for its own safeguards, such as who inside the company can see the data.
Since HIPAA is one of the laws governing the privacy of medical information, being able to remove compliance objections was a major win for Fitbit and cleared the way for device sales to a broader market that includes corporate wellness programs.
Bridging the HIPAA compliance gap
This is also important because it illustrates some hard principles of HIPAA.
First, HIPAA compliance is like a chain that can be broken by a single weak link. BAAs help ensure that every link is sound: each vendor that touches PHI is contractually bound to the same safeguards and is directly liable under HIPAA if it fails to meet them.
Estimates of the number of HIPAA-violating companies aren’t available. However, in my experience as a CISO at a company that provides business communications systems that do comply with HIPAA, I’m often amazed at how many companies don’t even realize they need to comply with this regulation.
And HIPAA isn’t just a regulation that hospitals have to worry about: it is a real law, with real penalties, and it applies to every covered entity and business associate that stores, processes or transmits protected health information, whatever industry it is in.
Fortunately for businesses engaged in mobile health initiatives, there are best practices for developing and using wearables that reduce a company’s risk from both a HIPAA compliance and a security standpoint. Consider these:
- Compliance and security are not difficult if you focus on them from the beginning rather than retrofitting them.
- Run static code analysis during development so that security vulnerabilities are found and fixed before they ship and become a much larger problem.
- Use secure mobile development tools. These let developers establish secure, compliant communications between device, application and cloud, with data encrypted on the wearable, in transit, and at rest in the data repository.
- Don’t assume the data repository is secure and/or HIPAA-compliant. Most are not. Verify it, and get a BAA from the hosting provider.
- Follow the HIPAA Privacy Rule on record permissions, access, opt-outs, and amendments.
- For overall security and compliance, a good place to start is the CIS Critical Security Controls (formerly the SANS Top 20).
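The encryption-at-rest and Privacy Rule items in the list above, as an added example in Go that is not code from this article or from 8×8: a wearable reading is sealed with AES-256-GCM under a per-patient data key, the patient and device identifiers are bound as associated data so a stored blob cannot be moved onto another patient’s row, and a role and opt-out check sits in front of decryption. The record layout, role names, purposes and the SHA-256 key derivation (a KMS-held master key and HKDF would be used in practice) are assumptions of the example, and the sample reading is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HealthRecord is a constructed stand-in for one wearable upload. A reading
// becomes PHI the moment it is tied to an identifiable person.
type HealthRecord struct {
	PatientID string
	DeviceID  string
	Payload   []byte // constructed sample: JSON heart-rate samples
}

// Patient carries the Privacy Rule preference the repository must honour.
type Patient struct {
	ID                    string
	OptOutWellnessSharing bool
}

// DeriveDataKey derives a per-patient AES-256 key from a master key that should
// live in a KMS or HSM, so one leaked data key does not expose every patient.
// HKDF is the better tool; SHA-256 with a domain label is an assumption here.
func DeriveDataKey(masterKey []byte, patientID string) []byte {
	h := sha256.New()
	h.Write(masterKey)
	h.Write([]byte("phi-data-key:" + patientID))
	return h.Sum(nil)
}

// recordAAD is authenticated but not encrypted: it binds the ciphertext to the
// patient and device it belongs to, so a blob re-attached elsewhere won't open.
func recordAAD(patientID, deviceID string) []byte {
	return []byte("patient=" + patientID + ";device=" + deviceID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the payload with AES-256-GCM; output is nonce || ciphertext || tag.
// A fresh random nonce per record is mandatory: reuse under one key breaks GCM.
func Encrypt(key []byte, rec HealthRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, rec.Payload, recordAAD(rec.PatientID, rec.DeviceID))
	return append(nonce, sealed...), nil
}

// Decrypt fails closed: a modified blob, or one opened under identifiers other
// than those it was sealed with, is rejected before any plaintext is returned.
func Decrypt(key, blob []byte, patientID, deviceID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, recordAAD(patientID, deviceID))
	if err != nil {
		return nil, errors.New("integrity check failed: tampered or mismatched record")
	}
	return pt, nil
}

// AccessAllowed is the gate in front of Decrypt: the role must be permitted for
// the stated purpose (minimum necessary) and a patient's opt-out from wellness
// sharing overrides the role check. Roles and purposes are constructed here.
func AccessAllowed(p Patient, role, purpose string) bool {
	if purpose == "wellness-program" && p.OptOutWellnessSharing {
		return false
	}
	permitted := map[string][]string{
		"treatment":        {"clinician"},
		"wellness-program": {"clinician", "wellness-coordinator"},
	}
	for _, r := range permitted[purpose] {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed; fetch from a KMS in practice
	rec := HealthRecord{PatientID: "p-001", DeviceID: "d-42", Payload: []byte(`{"hr":[61,63,65]}`)}
	key := DeriveDataKey(master, rec.PatientID)
	blob, _ := Encrypt(key, rec)
	pt, err := Decrypt(key, blob, "p-001", "d-42")
	fmt.Printf("own record: %s err=%v\n", pt, err)
	_, err = Decrypt(key, blob, "p-002", "d-42") // same key, wrong patient: rejected
	fmt.Println("swapped patient:", err)
	fmt.Println("opted-out, wellness purpose:", AccessAllowed(Patient{ID: "p-001", OptOutWellnessSharing: true}, "wellness-coordinator", "wellness-program"))
}
```

The point of the associated data is the failure mode it closes: with plain encryption at rest, an attacker or a buggy migration can copy one patient’s ciphertext into another patient’s row and it will still decrypt. Binding the identifiers makes that a detectable integrity failure, and keeping the access decision in front of the decrypt call means an opt-out is enforced even when the requester holds a valid key.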
Many businesses too small for a full-time compliance officer or department are understandably intimidated by HIPAA compliance issues. By following the above list of best practices, though, businesses can bridge the HIPAA compliance gap for mobile health and wearable initiatives and deliver enhanced security.
This advice also holds true for enterprise communications when you consider how much sensitive information is stored in a company’s systems — desk and softphones, voicemail recordings, customer call centers and collaboration tools like meeting software, etc.
Tackle security and compliance now
According to a recent study by Ponemon Institute, “nearly 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period.” Businesses unable or unwilling to tackle healthcare security and compliance on their own should look for the right cloud communications provider that can shoulder this burden.
Mike McAlpen is the CISO and Head of Security and Compliance at 8×8, the largest internationally hosted enterprise UC VoIP service. Prior to this, Mike was a Global Information Security and Compliance Executive at Visa and an executive in HP’s Professional Services Information Security practice. McAlpen has met the FBI’s security clearance criteria and is a board member of the FBI’s InfraGard Cyber Defense initiative. Mike has also spoken at numerous major InfoSec and compliance conferences over the past 20 years.