HIPAA and the Internet of Things: Addressing Gaps
Attorney Stephen Wu on Why Security Due Diligence is Critical
Healthcare entities must perform security due diligence when they consider introducing emerging technologies - including "internet of things" devices - into their environments, says attorney Stephen Wu, author of a new book on HIPAA compliance.
"Covered entities and business associates should not be buying technologies just because it's the latest 'gee-whiz' item without thinking about the privacy and security implications," Wu says in an interview with Information Security Media Group.
"We have an ever-increasing power of computers that are creating a world of disruptive technologies. And one of the challenges is trying to navigate the world of these disruptive technologies - and at the same time, try to comply with regulations that were written in 2003," he says, referring to the HIPAA Security Rule.
While the HIPAA Security Rule might be considered by some to be outdated, its principle of "the duty of 'reasonable care' to protect certain kinds of information is a general standard that is infinitely flexible," Wu stresses. "It is extensible to different kinds of new technologies. You can apply the principle of reasonable care to many of these new technologies. However, the problem with that kind of flexible standard is that it doesn't provide any specific guidance for specific types of situations."
Because of the evolving risks and vulnerabilities that are presented with the internet of things, healthcare sector organizations need to perform very careful information security reviews of any emerging technologies under consideration for procurement, Wu urges.
In the interview, Wu also discusses:
- Whether the HIPAA Security Rule is too outdated and needs replacing;
- Devices and sensors falling under the banner of the internet of things - and the vulnerabilities and risks associated with these products;
- The security and privacy risks related to telemedicine;
- Healthcare sector cybersecurity predictions for 2017.
In his role as an attorney at Silicon Valley Law Group in San Jose, Calif., Wu focuses on compliance, liability and information governance in emerging areas of technology law. Wu has written or co-written six books on information security and the law, including the recently released A Guide to HIPAA Security and the Law, Second Edition, from ABA Book Publishing. He served as the 2010-2011 chair of the American Bar Association Section of Science & Technology Law.