HealthBlawg

David Harlow's Health Care Law Blog

    • Twitter
    • Facebook
    • LinkedIn
    • RSS
    • Email
  • About
  • Archives
  • Podcast
  • Press
  • Awards/Reviews
  • HIPAA
  • HCSM

Privacy and Security and the Internet of Things

January 30, 2015

“Only Connect”

In the future, everything will be connected.

That future is almost here.

Over a year ago, the Federal Trade Commission held an Internet of Things workshop and it has finally issued a report summarizing comments and recommendations that came out of that conclave.

As in the case of the HITECH Act’s attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report — and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) — seeks to increase the public’s confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum — I can’t define it, but I know it when I see it (see Justice Stewart’s timeless concurring opinion in Jacobellis v. Ohio).

To anyone actively involved in data privacy and security, the recommendations seem frighteningly basic:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
  • consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely;
  • notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations.

Stakeholders and FTC staff agreed that it is too soon for IoT-specific privacy and security legislation, and reiterated the agency’s the 2012 call for broad-based, flexible, technology-neutral data security and breach notification legislation. (See Health Populi for more on the IoT report.) The President seems to be in favor of strong, uniform, data privacy and security rules as well.

Uniformity would be a good thing. As things stand now, the FTC and OCR have overlapping jurisdiction when it comes to enforcing privacy and security rules with respect to health data. (Oh, and let’s not forget about state attorneys general and, while we’re at it, private lawsuits, as vehicles for enforcement). While overlapping jurisdiction should not matter to those of us who are in compliance with the rules, the problem is that the rules (at least on the FTC side) are not necessarily clear. That issue is magnified because FTC enforcement can include long-term monitoring and reporting on remediation and compliance, and can drive a company out of business. (Consider the LabMD case, just for instance.)

In addition, the IoT report covers some of the same ground as the FDA’s recently-issued draft guidance entitled General Wellness: Policy for Low Risk Devices, which complements last year’s mHealth guidance.

When the federales put a stake in ground — as they have with all of these issuances — innovation can proceed because we all have a better sense of the contours of the regulatory landscape. The problem is that these are guideposts that can shift in unpredictable ways in the future, or that can easily disappear — like the landmarks disappearing under a blanket of heavy snow falling outside my window as I type this post.

Nevertheless, it is possible to plan for that inscrutable future by building products and services, and communicating with partners, consumers and regulators, in a way that honors public expectations and the policies underpinning the government’s various declarations about data privacy and security.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Digital Health, Ehealth, FDA, FTC, Health 2.0, Health care policy, Health Law, HIPAA, HIT, Medical Devices, Mobile health, OCR, Privacy, Security, Wellness

you might also like:

  1. HIPAA Privacy and Security Compliance: Should You Care?

  2. David Harlow In the Press: HIPAA Privacy and Security Hot Points for 2016

  3. HIPAA Final Rule on Privacy, Security, Breach Notification and Enforcement Issued, Finally

« Better, Smarter, Healthier: Medicare and Value Based Purchasing
ONC, Interoperability, and the 2/6/2015 #HITsm Tweetchat »

Follow me on Twitter

David Harlow 💉😷 Follow 43,510 17,460

Mastodon @healthblawg@c.im #HealthCare #MedDevice #Compliance #Privacy @MyOmnipod #HIPAA #digitalhealth #HarlowOnHC #pinksocks Tweets are tweets No more no less

healthblawg
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
15h 1665219373223616513

ICYMI> Stephen Williams, CMO of SomaLogic, on the Promise of Proteomics — Harlow on Healthcare https://healthblawg.com/2023/01/stephen-williams-somalogic-proteomics.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #HITsm

Image for the Tweet beginning: ICYMI>  Stephen Williams, CMO Twitter feed image.
Reply on Twitter 1665219373223616513 Retweet on Twitter 1665219373223616513 0 Like on Twitter 1665219373223616513 0 Twitter 1665219373223616513
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
22h 1665113709855776769

ICYMI> From EEGs to actionable clinical endpoints with Jacob Donoghue, MD PhD, CEO of Beacon Biosignals — Harlow on Healthcare https://healthblawg.com/2022/07/jacob-donoghue-beacon-biosignals.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #HITsm

Image for the Tweet beginning: ICYMI>  From EEGs to Twitter feed image.
Reply on Twitter 1665113709855776769 Retweet on Twitter 1665113709855776769 0 Like on Twitter 1665113709855776769 0 Twitter 1665113709855776769
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
3 Jun 1665007971783376898

ICYMI> Lissy Hu, President of Connected Networks at WellSky — Harlow on Healthcare https://healthblawg.com/2023/01/lissy-hu-wellsky.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #HITsm

Image for the Tweet beginning: ICYMI>  Lissy Hu, President Twitter feed image.
Reply on Twitter 1665007971783376898 Retweet on Twitter 1665007971783376898 0 Like on Twitter 1665007971783376898 0 Twitter 1665007971783376898
Load More
Follow me on Mastodon

HIPAAtools

Hipaatools

The HIPAA Compliance Toolkit

The Walking Gallery

The Walking Gallery

Quick Links

  • Home
  • Categories
  • Archives
  • Podcast Interviews
  • HIPAAtools
  • HIPAA Compliance
  • Health Care Social Media
  • Speaking
  • In the Press
  • Blogroll

David Harlow

David Harlow

HealthcareNOW Radio

Connect with David

  • Twitter
  • Facebook
  • LinkedIn
  • RSS
  • Email
  • Subscribe
  • Contact
  • Book Me: Speaking
  • About
  • The Harlow Group LLC
Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.
[footer_backtotop text="Back to top" href="#"]