Securing Healthcare Robots and AI Systems for HIPAA Compliance

The Health Insurance Portability and Accountability Act and its regulations are the main laws governing data privacy and security in the healthcare field. Nonetheless, HIPAA and its Privacy Rule and Security Rule protections predate the widescale adoption of artificial intelligence and robotics in healthcare. Is HIPAA compliance required for the operation of robots and AI systems in the clinical setting? Yes. HIPAA compliance is necessary for the use robots and AI systems because of the general way the law was written.

HIPAA and its regulations cover the protection of “protected health information” (PHI) generally regardless of the technologies used. It requires reasonable and appropriate administrative, physical, and technical safeguards to protect PHI. The law is flexible enough to cover new situations and new technologies, including robots and AI systems. This blog post covers some high-level principles of protecting PHI processed by robots and AI systems.

Robots

Health care organizations are beginning to deploy robots. The use of surgical robots is increasingly common for specific procedures. Service robots now perform tasks in a hospital setting that used to require manual labor, such as wheeling stacks of linens through the facility. Finally, doctors are now starting to use telepresence robots to conduct rounds. For instance, a doctor on call in the middle of the night could remotely control a robot in a medical facility and move it around hallways and into rooms, interacting with patients and other workers via the screen, speakers, and microphone on the robot in a similar fashion to video conferencing. Since the system is mobile, the doctor may feel a stronger sense of immersion in the environment and freedom and capability to perform tasks that would typically require physical presence. Using a telepresence robot to interact with patients may also be helpful for patients with highly infectious diseases such as Ebola virus disease.

Again, concerns about hacking are paramount. An attacker could tamper with a surgical robot to injure patients. Some telepresence robots can record images, audio, and video. Someone snooping on a patient could gain unauthorized access to its recordings. Finally, a hacker could intercept or interfere with communications with a robot for malicious or snooping purposes.

The “security by design” principles are essential when using robots in a clinical setting. Moreover, software and firmware updates will be important to close off any vulnerabilities that may appear. Finally, the vendor hosting associated applications and data needs to be secure. It should secure the data and the systems collecting the data. Transmission security procedures and technology can secure the communications with the device. The vendor should protect the collected data with encryption. Moreover, the organization should limit access to the infrastructure supporting the devices.

Artificial Intelligence Systems

Artificial intelligence (AI) is coming to health care. We have become familiar with AI systems in our daily lives when we use virtual personal assistant applications such as Apple’s Siri, Microsoft’s Cortana, Amazon’s Alexa, and Google Now. IBM’s Watson, combined with Big Data, is helping to support doctors by guiding their decisions when making diagnoses. Other applications making use of AI include systems guiding patients to comply with instructions to take medications and systems to guide caregivers to support patients. Some of these systems make use of data from existing electronic health record systems.

As with robots, the “security by design” principles apply for AI systems too. Designing systems to prevent unauthorized access to user information, maintaining the integrity and reliability of the system, and providing assurances of its availability are important. An organization may want to see results of testing or certifications to make sure the AI system works as advertised. Finally, a vendor may be providing the AI application remotely. Supervising the vendor and overseeing its security becomes important, as is maintaining the security of the communications link with the AI system. Finally, some AI systems may require a persistent Internet connection to communicate with the user. Preserving connectivity, with backup capabilities if needed, becomes important to maintain availability.