BlueOrange offers 8 tips for smart strategies with smart devices


September 11, 2019

The amazing ability to integrate the many current technologies and devices, as well as new ones that will continue to be developed, is called the Internet of Things, or IoT, which creates a distinct combination of opportunities and risks.

Voice-controlled devices (such as Alexa) and other similar devices are likely to become part of every environment. They present a host of opportunities in senior living and care, but also pose serious privacy and security concerns. The wise provider will develop solid policies and procedures early and remain proactive in keeping up with issues as they arise.

Here are eight important considerations when incorporating these quickly growing technologies:

  1. Whose device is it? A community must be well-prepared regardless of who owns a VcD, as there is always a level of risk. In the situation where residents bring their own devices, providing a secured, protected, and perhaps dedicated WIFI network is advisable. Secure a signed agreement with the resident (and possibly device manufacturer) that covers expected management of malware and ePHI. While the compliance bar may be higher, it is actually easier to control security measures and procedures by providing and managing the devices for each interested resident. This ensures that all devices and networks are configured consistently and to the community’s identified best practices – particularly as these policies and procedures change over time, as technology and related challenges evolve. 
  2. Caregiver use. Although not yet commonplace, direct caregivers, nurses, and physicians are beginning to use VcDs and other IoT devices to monitor care, retrieve medical records and other data, or document care. In these cases, senior living providers should be thoughtful about how those devices connect to the community’s network. The risk of HIPAA violations centers around how well the connection is secured and the ePHI is protected. The provider’s responsibility is significant when ePHI or financial data is involved.
  3. Internet access. Whether the technology is supplied or simply accommodated, careful thought should be given to how that device will access the internet. If the resident gets internet access through a guest or IoT network, the community is taking on responsibility of providing a reliable and secure connection to the devices. If devices are connected to an internet connection owned by the resident, the community may only be expected to provide basic guidance and assistance. Regardless which type of setup is selected, both have inherent security concerns and it is imperative to use best practices to secure the connection.
  4. Fog computing. Voice-enabled devices frequently rely on fog computing, a decentralized computing infrastructure in which all the processing happens on devices physically closer to where the data is collected, instead of sending data to the cloud. While allowing for faster processing, fog computing adds another layer of complexity to personal assistant technologies.
  5. Subnet. A reasonable interim modification that communities might consider is putting in place a subnet and rules that will isolate IoT use from other data generated by the community. The community can then require all listening devices to use the subnet for a more focused point of control. Having residents sign indemnification agreements or authorizations is also a good idea.
  6. Policies, procedures, education. To ensure compliance, it would be wise for any healthcare or senior living provider to modify and enforce all policies, procedures, and training programs to mitigate the accepted risks associated with the deployment and use of VcDs that are appropriate to the care setting, application, and usage circumstances. Related to this, and important to remember, is to perform an annual information-security risk assessment, and document effective workforce training around the regulatory protections and the providers’ own policies and procedures. Having not only the technical experts, but every team member onboard – and compliant – is essential and no small task.
  7. Technical expertise. To enhance capabilities and reduce liability, every new technology comes with its own unique need for technical expertise. For all of these care and living environments, it will be prudent to have workforce members or vendors that know how to not only keep the VcD functioning, but also protect the individuals and the provider from unnecessary concern while understanding and managing the organizational privacy, security, and compliance risk introduced by the use of these devices. Focusing on uses that don’t involve sensitive information is always a good place to begin. Some providers will want to experiment with apps and tools provided by the VcD manufacturer and others will wait for bugs to be worked out before trying them. There are even VcD platform tools currently available specifically for healthcare.
  8. Legal considerations. Because VcDs are always listening – and possibly recording – they open up a new concern as possible digital evidence in law suits. While companies may be resistant to releasing information stored in the cloud, a subpoena can demand this evidence of resident-care encounters. As a precaution, providers should consult with their legal counsel regarding the inclusion or amending of resident contracts to account for privacy and/or liability issues related to VcDs.