IoT Due Diligence

Connected devices are everywhere: our phones, computers, and our beloved mobile virtual assistants. The healthcare industry is no stranger to the increasing number of connected devices. With that increase comes great efficiencies but also requires coordination and stakeholder due diligence.

You can’t talk cloud-connected medical devices without talking about cyber security and data privacy. Ten years ago, most healthcare organizations were paper-based, but over the past decade the industry has been shifting to electronic health records, or EHR for short, and may other IT driven solutions. While these electronic advancements have allowed for more efficient workflows, ease of data location, and made it easier for physicians to locate patient records in a more timely matter, they also open the door for vulnerability if not carefully thought through.

Stacie Hoffmann, who is a digital policy and cybersecurity consultant at Oxford Information Labs explained, “Bringing together all parties in a device’s acquisition and use is critical. A procurement officer needs to know how important it is that a connected device’s communications be encrypted, and a product vendor needs to be clear about how they will handle and protect data that is in many cases considered to be the property of the patient, not the company.”

She also explained that coffee systems and HVAC systems, can have IoT capabilities.


IoT- Internet of things. Is a system of interrelated computing devices, mechanical and digital machines, objects, animals, or people that are provide with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.


The connectivity of these devices make them more vulnerable to attacks and malware.

So when it comes to a healthcare organization’s information security risks, can they be managed? Yes!

Here are some strategies your organization and stakeholders should consider:

  • Create a list of cybersecurity procedures and guidelines.

  • Train your workforce on good cybersecurity practices.

  • Identify, prioritize and track cybersecurity risks as part of product development.

  • Ensure good engineering practices by prioritizing secure design and secure coding throughout the product development and maintenance cycle.

  • Periodically review known vulnerabilities against third-party libraries or with products focused on design or operation of the medical device.

  • Ensure verification includes cybersecurity verification and frequent reviews of security controls.

  • Limit the data stored and transmitted to what’s essential to the operation of the device or service

  • Choose the right type and level of encryption.

  • Use appropriate security controls for access to data. Enforce password management practices such as length and complexity restrictions, password expiry, the prohibition on reuse of passwords.

  • Establish a post-market surveillance program that monitors for newly discovered cybersecurity vulnerabilities and threats. Always conduct assessments, identify mitigating actions and deploy the mitigation after verification of software patches.


So what are the key takeaways? As data sharing continues to evolve throughout the healthcare industry, many of the devices that are used and connected to IoT need to be evaluated with caution, assessing the new risks these technologies pose on an organization. While keeping in mind that these new technologies have risks, they are also very beneficial for improving the patient care model and bringing the safest treatment possible to patients. It’s imperative that various stakeholders coordinate with not only implementation processes of a new IT integration or cloud connected device, but determine who has access to it and how these enhancements will impact the organization’s network.


Here at Extract, we realize that what is most valuable is time spent with a patient. That’s why we have developed our HealthyData platform to integrate directly with your EMR to deliver data from unstructured documents and test results to help you provide the best care with the most accurate data. All of this is done behind your firewall, providing workflow efficiency, error reduction, and information security.


To learn more, reach out today, or check out the successes our current clients are seeing.

About the Author: Taylor Genter

Taylor is the Marketing Specialist at Extract with experience in data analytics, graphic design, and both digital and social media marketing.  She earned her Bachelor of Business Administration degree in Marketing at the University of Wisconsin- Whitewater. Taylor enjoys analyzing people’s behaviors and attitudes to find out what motivates them, and then curating better ways to communicate with them.