Friday, November 1, 2013

Is Healthcare Ready for Wearables?

Wearables promise major benefits to healthcare workers by providing powerful new information sources at the point of care, with hands-free operation that enables improved patient care, efficiency and productivity. Research has shown that what users do with technology is a major source of privacy and security risk. While some risk comes from vulnerabilities in the device hardware or software, it is what users do with technology that drives much if not most of the risk. In many cases this is inadvertent, with users unaware of the privacy and security side effects.

To date, much of this risk has come from mobile devices and apps. An example is a healthcare worker using a file transfer app to transfer sensitive personal information such as patient records to a co-worker. While this makes exchange of healthcare information easy and efficient, it subjects such information to risks of breach. It can also compromise the integrity of the master patient record, since such transfers and updates often don't update the master patient record, leading to a record that is incomplete or out of date, which in turn can result in suboptimal healthcare or, in a worst case, a patient safety issue.

Such risks also often have a cloud component, where for example a file transfer involves moving and storing patient information in a cloud, outside the control of the healthcare organization. This side effect is often called BYOC (Bring Your Own Cloud), and aside from confidentiality and integrity risks it can also introduce trans-border data flow risks. This type of risk is set to increase as users are further empowered with increasingly powerful devices, apps and wearables. Breaches have had major negative impacts on healthcare.

Realizing the amazing benefits of these new technologies while minimizing these risks requires a proactive approach in which we need to understand the lifecycle and flow of personal information around these devices, anticipate risks, avoid such risks wherever possible, and otherwise make informed and reasonable benefit / risk tradeoffs.

Many wearables are not full stand-alone computing devices in and of themselves, but are closer to advanced I/O devices connected wirelessly to a nearby device such as a smartphone. An imminent example of this is Google Glass. These types of wearables are capable of recording vast quantities of photos, audio and video that exceed the storage and processing capabilities of the local smartphone and therefore will be uploaded to the cloud. Further, this upload to the cloud could be over a personal 4G wireless network that doesn't even touch the healthcare organization's network and so can't be detected or blocked. Envision a patient or caregiver walking into a waiting room, or around a hospital, wearing one of these and recording other patients. While we have precedents of BYOC with mobile devices and apps, wearables such as this are poised to increase this problem drastically.

Mitigating this type of risk will be a challenge, and will require a holistic approach consisting of technical safeguards to automatically detect and alert to this type of use and risk, administrative controls such as policy and training, and physical controls that prevent the presence and use of such devices in particularly sensitive settings. The initial period after the appearance of such wearables is bound to be bumpy, with many unfortunate negative surprises. Ultimately, a new set of social norms must be established that minimize these surprises and streamline the use and benefits of wearables while minimizing risks.

What types of risks are you seeing with wearables in healthcare?