CES Really Scared Me. Will HIMSS Make Me Feel Any Better?

Posted on February 22, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Are Consumer Health Care Products Accurate & Safe Enough for Your Healthcare?

At CES, the monstrous electronics show, I saw lots of consumer devices advertised for personal fitness and healthcare. There was even a Digital Health Summit, with a wide range of industry experts.

Some companies were promoting their ability to send data to healthcare providers. That’s scary, since there are no standards governing many of these devices.

A clear message from CES is that the divisions between ‘technology’ and ‘devices’ are diminishing. Alexa, Google Home, and Siri, won’t be tied to stand-alone devices for long. They will be integrated into a wide range of consumer products across a home network, your car, portable devices, and the Internet. It’s not a big leap of the imagination to think that you will be telling Alexa, in your refrigerator, to reset the alarm clock in your bedroom, for an early meeting. And that Alexa will be telling you that you gained a pound, and send that data to your doctor.

Considering the recent news about Amazon getting into healthcare, with Warren Buffet and JP Morgan, it’s logical to think that Amazon will be delivering our healthcare along with our packages. Will you get a colonoscopy notification from Amazon because someone orders a 50th birthday card for you? (Will they only use lubricant if you have Prime? Ok, that might have been a little harsh.)

Loud and clear from CES is the consumerization of healthcare, and it’s scary.

Will data from your consumer products be accurate enough for a health care provider to form a professional opinion?

Will your devices be safe from hacking and interference?

Who will be liable if something bad happens to you because your data wasn’t accurate, or was delayed in transmission?

Should there be a government or industry-based organization setting standards and certifying devices?

ACCURACY

Valencell makes biometric sensor chips for companies to use in their consumer products. They displayed stylish brand-name smart watches that imbed their biometric-sensor chips.

Valencell’s President, Steven LeBoeuf, said that there are no standards for consumer heart monitors. His chips are voluntarily lab-tested and certified for accuracy. He said that some of their competitors’ products can confuse a person’s steps, as they are walking or running, as a heartbeat.

While that might not matter too much to a person casually checking their own vitals, what will happen if incorrect data is sent upstream to your healthcare provider?

This diagram, produced by iHealth, a company that makes ‘consumer-friendly, mobile personal healthcare products that connect to the cloud’, clearly shows their expectation that your data will be communicated to hospitals.

iHealth aptly describes this as a Systematic Framework. Think about how many vendors will be involved in the system. Device manufacturers, chip manufacturers, software designers, programmers, computer companies, communication networks, Internet service providers, cloud services, and more, all before data gets to the hospital.

What if there is a failure? What happens to you if your healthcare is depending on a consumer device? Who is responsible for the security and accuracy of the data through the system? Wanna bet that everyone will be pointing their finger at someone else?

SAFETY

What will protect you from your devices? There are an increasing numbers of stories of consumer products and autonomous cars – the Internet of Things (IoT) – being hacked.

In August, 2017, the FDA issued a warning that a pacemaker was vulnerable to hackers who could remotely kill the battery or modify the performance of the pacemaker. Killing the battery could kill the patient. Remember that this recall occurred because a pacemaker is a medical device governed by the FDA, which doesn’t govern consumer healthcare products.

The Equifax breach, the Spectre and Meltdown flaws in computer microchips, and hackers hijacking baby monitors and surveillance cameras, all show the importance of being able to apply software and firmware patches and updates.

It took a long time for the government to require car companies to recall vehicles for safety problems. How many people will be hurt, or die, before consumer health care products get regulated?

LIABILITY

At CES, AIG Insurance presented this graphic of survey results showing who is liable for a driverless vehicle crash.

Imagine personal injury attorneys salivating over consumer health care product failures. Imagine new types of insurance coverage – or new types of policy exceptions – related to managing healthcare based on consumer product data.

STANDARDS & REGULATIONS

What’s the difference between a medical device and a consumer health care product? What defines a heart monitor? How accurate is a scale? How will a consumer health care product receive security patches? How will consumers be notified their health care products aren’t safe?

Do we want the federal government involved? In 1966, the National Traffic and Motor Vehicle Safety Act required auto manufacturers to notify the government and consumers of safety defects, and recall vehicles. Could our dysfunctional Congress ever agree on a plan to regulate consumer health care products?

What about the industry policing itself? At his annual briefing at CES, electronics industry veteran Shelly Palmer made his case for a Self-Regulatory Organization (SRO) to create and enforce standards to protect consumers from risks associated with the Internet of Things.

The model for this could be PCI-DSS, the Payment Card Industry Data Security Standards, that govern organizations that accept and process credit cards. This standard is self-regulated by a council founded by the credit card companies, and is not overseen by federal or state agencies. It covers credit card processing from end-to-end, from certifying the swipe device on the store’s counter all the way through the merchant processors and banks.

According to its website, the council “provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

If you are a healthcare professional, isn’t this the level of integrity and security you want for consumer products sending patient data to you?

Who would take on the responsibility, not to mention the liability, of policing consumer products sending data to healthcare organizations? The Consumer Technology Association (CTA), or the Health Information Management Systems Society (HIMSS)?

Will it take a disaster for us to find out?

Maybe I will find some answers at the HIMSS health IT conference. I sure hope so.