The Internet of Things plays a critical role in collecting valuable data. This applies to many spheres, and healthcare is no exception. The ability of IoT devices to collect and process vital health data opens new horizons. Simultaneous monitoring and reporting, more opportunities for data analysis, real-time tracking, and remote medical assistance are only a few benefits IoT can offer healthcare. Besides, healthcare providers can use the received insights to understand user health conditions better and prevent critical cases.
And as a healthtech provider, you can become a changemaker, too. But you will have to establish a proper IoT data integration strategy first.
This article will guide you through the common challenges associated with the Internet of Medical Things (IoMT) data integration and ways to overcome them.
What Are the IoT Data Integration Challenges in Healthcare?
The potential value of the Internet of Medical Things is enormous. Yet, there are two sides to this coin, and problems arise in the early stages of the product life cycle.
Before a healthtech company launches a new medical IoT device, it spends a lot of time on clinical research, testing, and licensing the product. As soon as the company can demonstrate that the product really works, the next step is to create a digital ecosystem in which data from the IoT device can be integrated with the patient's mobile app or a health facility's IT infrastructure, or even used to create an omnichannel experience by integrating with other services a patient uses daily, from caregiving to insurance.
The problem is that IoT sensor data integration in healthcare comes with a number of challenges.
As a provider of IoT-powered healthcare solutions, you are sure to be dealing with loads of sensitive and personal information. Since this type of data is protected by regulations outlined in the General Data Protection Regulation (for Europe) and the Health Insurance Portability & Accountability Act (for the US), compliance is one of the key challenges associated with integrating IoT devices into healthcare facilities. But what are the differences between GDPR and HIPAA in this context? Let’s consider each document in more detail.
There are three types of personal data particularly relevant to the healthcare industry, according to GDPR:
Data concerning health. Refers to any data related to a person's physical or mental health, including the type of care they've received (as the patient's health status may be inferred from it).
Genetic data. Refers to information on the genetic makeup of an individual, including biological sample analysis.
Biometric data. Refers to information related to someone's physical or behavioral characteristics, including facial images, fingerprints, gait traits, and more. Since biometrics can be used to identify a specific person, this information is considered personal.
Under GDPR, data concerning health, genetic data, and biometric data are considered sensitive data, which requires a higher level of protection than any other category of personal information.
While GDPR protects all types of personal data from being disclosed without the individual’s consent, the Health Insurance Portability & Accountability Act (HIPAA) deals exclusively with patient health information, which, under HIPAA, is called protected health information (PHI).
According to HIPAA, protected health information is individually identifiable health data. Simply put, PHI is health information plus personally identifiable data. Diagnoses, treatment information, medical test results, and prescription information combined with “identifiers” (name, birth date, gender, ethnicity, location, etc.) are all considered PHI under HIPAA. This law also protects genetic data and biometrics.
Neither PHI nor healthcare data protected by GDPR can be shared without the patients’ consent. This means you have to consider what data you are transmitting out of a facility. Besides, staying compliant also means storing collected data properly. For instance, storing all patients’ data on your own servers is not a good idea.
“We have to ask ourselves if the patient is identifiable by their illness,” states Paul Kressnik, Co-Founder and Head of Quality and Regulatory Affairs at reha buddy — an Austrian startup that facilitates physical rehabilitation at home. “We don't store the name of the patient. Instead, we generate a random ID in order to use non-identifiable sensor data.”
Different Data Exchange Standards
Most healthcare providers utilize different standards for data exchange. Certainly, there are exceptions: some clinics do support a unified standard, such as HL7, but, unfortunately, it’s rarely the case. “For now, I know only two clinics that use HL7,” says Paul Kressnik regarding the situation in Austria. “And one of them uses Version 2, which is totally outdated.”
Given that, if you are looking to introduce your solution to different healthcare providers, be ready to spend time negotiating the data-sharing format with each organization you integrate with. If this is the case, keep in mind that it’s better to engage the people who would actually use and benefit from the solution. That’s why we recommend speaking with the healthcare department first and only then approaching the tech staff. When the former sees value in your solution, convincing the latter will be much easier.
Negotiating is vital for deciding on a single data-sharing format. But it’s not the only thing you can do to ensure your solution is compatible with the digital ecosystem of the healthcare facility you are going to work with. For example, to make things easier from the development and integration viewpoints, the reha buddy solution ships with the smartphone it integrates with.
Both GDPR and HIPAA are effective when it comes to protecting personal health information, but neither regulation can prevent a cyber-attack. Given that, security has remained one of the key problems in IoT data integration in healthcare since the inception of the IoT.
The diversity of communication protocols and the lack of clarity in data ownership regulations alone make personal health data highly susceptible to cyber-attacks, including data theft, public exposure, or even the creation of fake IDs for identity theft, one of the most common outcomes.
However, you are not helpless in the face of potential hacks. At Demigos, we recommend adopting the following actions to protect sensitive information:
Build security into the design of IoMT and healthcare devices
Provide proper authentication
Implement a defense-in-depth strategy with several layers of security, each protecting against specific risks
Ensure proper access control
Have the whole system penetration-tested by a third-party company specializing in data security before launching the pilot project
All these measures will minimize the risk of a cyber-attack. Yet, as security measures evolve, attackers constantly find new ways of bypassing them. So you need to stay cautious, alert, and ready for incidents.
Data Usage Challenges
Data is a valuable asset. Insurance or drug companies, for instance, might be interested in data about the health state or possible health issues of their current or potential clients.
Certainly, as an IoMT company, you collect vital health information about your patients, regardless of the IoT integration strategy in the healthcare facility you are working with. But here’s the rub: under HIPAA and GDPR, you are prohibited from sharing personal health data with third parties, at least without the explicit consent of patients. Does it mean you have no choice but to erase all this valuable data?
Fortunately, no. Both HIPAA and GDPR allow “de-identifying” (“anonymizing”) personal information so that it’s no longer protected by either regulation and can be shared freely. Yet both de-identification and anonymization procedures are complex enough that it’s easy to overlook something important.
If you don’t want to take risks, you can extract value from the collected data without going through the anonymization procedure. For example, Paul Kressnik recommends categorizing it into samples that represent specific patient groups. You can then share these data samples with third parties and even use them for training the ML models of your IoT solution.
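The two ideas above, random IDs in place of patient names (as Paul Kressnik describes) and sharing only group-level samples, as an added example that is not reha buddy's or Demigos' code. The records, the age-band coarsening and the minimum group size of two are constructed assumptions for illustration.

```python
import secrets
from collections import defaultdict
from statistics import mean

# Constructed sample readings (not real patient data): each record carries
# direct identifiers next to the measurements the IoMT device produced.
RAW_RECORDS = [
    {"name": "Alice Example", "birth_year": 1950, "condition": "stroke", "steps": 1200, "hr": 78},
    {"name": "Alice Example", "birth_year": 1950, "condition": "stroke", "steps": 1350, "hr": 80},
    {"name": "Bob Example", "birth_year": 1953, "condition": "stroke", "steps": 900, "hr": 84},
    {"name": "Carol Example", "birth_year": 1985, "condition": "knee", "steps": 4000, "hr": 70},
]
DIRECT_IDENTIFIERS = ("name", "birth_year")


class Pseudonymizer:
    """Replaces direct identifiers with a random ID. The name-to-ID table stays
    in memory on the provider side and is never part of the exported data."""

    def __init__(self):
        self._ids = {}

    def pseudonymize(self, record):
        # The same patient always gets the same random ID, so readings stay linkable.
        pid = self._ids.setdefault(record["name"], secrets.token_hex(8))
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["patient_id"] = pid
        # Coarsen birth year into a decade band so the band alone is not identifying.
        out["age_band"] = f"{record['birth_year'] // 10 * 10}s"
        return out


def group_samples(records, min_group_size=2):
    """Aggregates pseudonymized readings into (age band, condition) groups; a group
    with fewer distinct patients than min_group_size is dropped rather than shared."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["age_band"], r["condition"])].append(r)
    result = {}
    for key, rows in groups.items():
        patients = {r["patient_id"] for r in rows}
        if len(patients) < min_group_size:
            continue
        result[key] = {
            "patients": len(patients),
            "mean_steps": mean(r["steps"] for r in rows),
            "mean_hr": round(mean(r["hr"] for r in rows), 1),
        }
    return result
```

Note that records carrying a random ID are still pseudonymized, not anonymized: GDPR treats data that can be re-linked to a person through the mapping table as personal data, so only the aggregated output is a candidate for sharing.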
Possible Technical Failures
While website crashes are quite common, such incidents are unacceptable in healthcare settings. Even a trifle like an Internet interruption might hinder vital parts of patient treatment, such as health monitoring or medicine dispenser tracking. But what should you do if you can’t prevent a poor Internet connection?
Always have “a plan B.” When you realize you can’t protect the product from certain technical failures completely, it’s critical to prepare it for such situations. Your QA specialists should make sure that switching the device to offline mode will not endanger the patient, and that data transmissions will not be compromised during the “blackout”.
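One way to build the “plan B” above into the device firmware, as an added example that is not code from the original article: readings are queued while the uplink is down, replayed in order when it returns, and the on-device alarm fires regardless of connectivity. The heart-rate threshold and the FlakyUplink stand-in are constructed assumptions.

```python
import json
import time
from collections import deque


class StoreAndForward:
    """Buffers readings while the uplink is down and replays them in order once
    it returns; local safety checks keep working without the network."""

    def __init__(self, send, hr_alarm=120):
        self._send = send        # callable(payload: str); raises ConnectionError on failure
        self._queue = deque()    # unsent readings, oldest first
        self._seq = 0            # sequence number lets the server spot gaps
        self.local_alarms = []   # sequence numbers that tripped the on-device alarm
        self.hr_alarm = hr_alarm

    def record(self, hr):
        self._seq += 1
        reading = {"seq": self._seq, "ts": time.time(), "hr": hr}
        # Safety logic must not depend on connectivity: alarm locally first.
        if hr >= self.hr_alarm:
            self.local_alarms.append(self._seq)
        self._queue.append(reading)
        return self.flush()   # number of readings delivered this attempt

    def flush(self):
        """Sends oldest-first; stops at the first failure, keeping the rest queued."""
        sent = 0
        while self._queue:
            try:
                self._send(json.dumps(self._queue[0]))
            except ConnectionError:
                break
            self._queue.popleft()  # drop only after a confirmed send
            sent += 1
        return sent

    def pending(self):
        return len(self._queue)


class FlakyUplink:
    """Constructed stand-in for the network: rejects sends until set online."""
    def __init__(self):
        self.online = False
        self.received = []
    def send(self, payload):
        if not self.online:
            raise ConnectionError("no uplink")
        self.received.append(json.loads(payload))
```

On a real device the queue would live in persistent storage so a reboot during the blackout does not discard it.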
Integrating the IoT, cloud, and big data analytics into healthcare settings is full of roadblocks, such as personal data regulations, the diversity of data exchange standards, challenges concerning the processing of healthcare sensor data, security threats, and possible technical failures. Fortunately, with a viable data integration strategy in place, you’ll be able to overcome all these challenges.
However, if you are new to software infrastructure or unsure how to handle data integration in healthcare properly, drop us a line. Besides knowing what challenges a startup may face, Demigos has extensive experience in developing healthcare solutions; this wearable health monitoring solution for seniors is our latest brainchild. Contact us today.