The Brave New World of Health-Care IoT Is Enticing—But Proceed With Caution

Defining limits enables companies to get the most out of the Internet of Things.
Published: April 21, 2019

The Internet of Things (IoT) may be the biggest buzzword in digital since the mainstream introduction of the Web browser in 1993. Throughout the past several years, businesses have added intelligent controls to traditional products, such as refrigerators, soda machines, washers and dryers. We live in an era in which more connectivity is the norm, and it is not hard to find examples of IoT connectivity. Just consider:

Agriculture: In the agricultural industry, farmers are increasing productivity and decreasing costs with IoT tractors that not only drive themselves, but use algorithms to calculate the best routing based on things like the number of vehicles, vehicle turn radius and so forth.

Education: In education, IoT devices enable task-based learning. Instead of listening to one-size-fits-all lectures, students work at their own pace via connected devices (for example, performing a virtual dissection), and the devices notify teachers when students need extra guidance. And wearable devices take over the more tedious tasks, like taking attendance and recording absences.

Industrial production: In industrial environments, IoT devices can aid in scheduling and reduce downtime by combining historical records with real-time data to predict breakdowns and schedule preventive maintenance.

While connected things are commonplace, the final frontier seems to be connecting IoT devices directly to humans to provide streamlined health care. What will happen when the first business decides to use injectables to connect a human body directly to a health insurance provider as a means of delivering discounted insurance rates? Or to live-stream data to a doctor’s office about how long it takes a patient to digest a particular medicine, using RFID tracking and connected-device capability?

It might sound far-fetched, but it is not. Just take a look at one small slice of the health-care IoT pie: ingestibles. Doctors at the University of Minnesota Health and Fairview Health recently announced that they’re treating a small group of cancer patients with “digital medicine.” It is a chemotherapy pill that includes a sensor to let patients and their doctors monitor their dosage, to make sure they’re taking their medicine when they’re supposed to.

The question we should be asking is “Just because we can, does that mean we should?” Should we face this brand-new frontier, embrace it and ride the IoT wave? Or should we tap the brakes and consider how such products could cause harm? Let’s look at a few of the harms that could stem from ingestibles.

Use and Misuse
Long before DIYers began using it to loosen stubborn bolts and hinges, WD-40 was designed to keep standing water from causing corrosion on nuclear missiles. It is just a matter of time before ingestibles are used in unintended ways. When it comes to ingestibles, the concerns about unintended use are more about the potential abuse of power.

Once upon a time, for example, police departments installed breathalyzers in the cars of people convicted of drunk driving. Drivers had to breathe into the device and get a passing reading before the vehicle would start. Ingestible IoT devices could be used the same way. Police departments could give offenders the choice of losing their license or ingesting a device that would monitor their blood alcohol level.

Or what if a pharmaceutical company and a maker of a life-saving ingestible insisted that the device be able to automatically post to social media as an advertisement for patient longevity? Should your company be allowed to use the devices for branding, beaming its messages from within a person’s body? Would consenting to the branding be a prerequisite for obtaining treatment?

There are many innovative ways that ingestibles could be used. But they also have the potential for misuse. The time to consider these is well before any product is pitched to the organization and before any potential device is discussed as a business opportunity. It is best to involve various parts of the business, from legal and compliance to HR, marketing and even the board of directors, in a serious discussion about the intended and unintended consequences of introducing an ingestible into the marketplace.

Most of us understand that any connected health-care device would be subject to HIPAA standards. But very few of us have figured out exactly what that means when it comes to things like ingestibles. If you are planning to deliver an ingestible into the marketplace, have you decided who owns the device? Do you, as the manufacturer? Is it the doctor, the health-care system, the insurance company or the person whose body it’s in? And if your company or the doctor retains ownership, can you retrieve it at will, even if that means forcing a person to undergo an unwanted medical procedure? How would that be enforced?

What about the data on the device? Regulations like HIPAA and GDPR suggest that the data would belong to the individual. So how would that work when it comes to gaining consent? Will your Terms of Service state that you can use all of the information for any purpose? Or will you need to get separate consent for each possible use of the data? Will you need to obtain renewed permission on a regular schedule?

Then there’s the device itself. Will personal data be stored on the device? If so, can it be erased or deleted remotely, or will it require a medical procedure? Early in the development process, brainstorm as many privacy scenarios as you can come up with, and develop a policy for each of them.

The list of things that could go wrong seems endless. Perhaps the biggest one, though, is security. A large part of the problem stems from the millions of connected household devices, since 15% of all IoT device owners never bother to change the default password. That means that even somewhat competent hackers can use a mere five username and password combinations to access a surprising number of DVRs, security cameras and even washing machines.

Now extend that line of thought to connected devices people carry around inside their bodies. Health information is considered to be some of the most personal data there is. If those ingestible devices aren’t properly secured, could people unknowingly be broadcasting their health status (not to mention all of the other personal data related to it) everywhere they go?

If your business is going to develop ingestible IoT devices, don’t skimp on security, from collection and transmission to storage and accessibility. Together with your IT and legal teams, define a robust digital policy for security and ensure any IoT initiative is undertaken with safety as a core tenet.

Here, again, is a significant concern for any IoT ingestible. Once it is ingested, will the device need regular maintenance? If so, will it require the patient’s participation? What if the device malfunctions? Can it stay inside the patient forever, or can it cause harm? If it does cause harm, who is liable? And who is responsible for retrieving the device and treating any damage it may have caused?

Consider the extent of maintenance and the potential deterioration of the connected device over many years. Meet with your legal team to discuss liability and risk before you invest too much money in a device that may be too risky to use.

Ethical Considerations
Beyond the tactical aspects of security and data ownership, you need to understand what you want your moral obligation to be for any data collected via the device. For example, what happens if the ingested device reports that the patient is not taking medication as prescribed? Does it trigger a phone call from the doctor or pharmacy, possibly counseling the patient on how important it is to take the medication on the right schedule? What if the patient wants to avail themselves of end-of-life choices?

There is a slew of ethical questions that you need to bring up with business leadership. For example, who decides whether to force a patient to undergo unwanted treatment? And who decides whether to report this information to insurance companies? At the very least, lawyers will need to be involved in the discussion. Preferably, you will have these conversations before any product is fully funded.

It is not my intention to discourage innovation in health-care IoT, nor the pursuit of ingestibles. I can’t wait to see what all of the ingenious entrepreneurs out there come up with, and how your inventions will improve health care for us all. But before any technology is used and any new capabilities are offered in devices, I encourage businesses to take the time now to ask themselves what could go wrong. It isn’t fun, and few get excited about this aspect of work, but defining the limits now will allow your organization to innovate and throw itself entirely into all that the IoT in health care has to bring. And that is a calculated leap worth making.

Kristina Podnar is a digital policy innovator. For more than two decades, she has worked with some of the most high-profile companies in the world and has helped them see policies as opportunities to free the organization from uncertainty, risk and internal chaos. Podnar’s approach brings in marketing, human resources, IT, legal, compliance, security and procurement to create digital policies and practices that comply with regulations. More important, they unlock opportunity, strengthen the brand and liberate employees’ goals. She speaks regularly at industry conferences, contributes articles to publications and delivers master classes on digital policy. Podnar is the principal of NativeTrust Consulting, LLC. She has a BA in international studies and an MBA in international business from the Dominican University of California, and is certified as both a Change Management Practitioner (APMG International) and a Project Management Professional (Project Management Institute). She is also the author of The Power of Digital Policy: A practical guide to minimizing risk and maximizing opportunity for your organization. For more information, visit or view her profiles on LinkedIn and Twitter.