Beyond HIPAA: Securing Voice Assistants for Healthcare Applications

An important announcement made by Amazon on April 4th bears repeating: “The Alexa Skills Kit now enables select Covered Entities and their Business Associates, subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), to build Alexa skills that transmit and receive protected health information as part of an invite-only program.” 

In a recent Orbita blog post titled Amazon Alexa Is Now HIPAA-Eligible. What's Next?we explored the importance and impact of this announcement to healthcare providers, payers, and other businesses and organizations that are subject to HIPAA.

In this post, we’ll discuss how HIPAA compliant voice assistants fit into the spectrum of healthcare applications and look at what else is needed for a voice assistant to meet the HIPAA security guidelines.

 

HIPAA eligible versus HIPAA compliant
Before we continue, it’s important to note that Amazon announcement refers to the availability of a HIPAA “eligible” version of the Alexa Skills Kit (ASK) - not HIPAA compliant. That’s more of an issue of semantics than security. The distinction is that organizations can be HIPAA compliant, but enabling technologies and services, like Amazon’s ASK, are just HIPAA eligible. It’s a subtle distinction, but important because just using a HIPAA eligible service does not necessarily make your organization HIPAA compliant.

Moving along the spectrum of voice healthcare assistants
Healthcare-related voice assistants can be organized into five categories along a spectrum; those used to Inform, Assist, Assess, Dispense, and Prescribe.

Applications in the Inform and Assist categories don’t require personal information. Instead, they are meant to do things like answer questions or provide instructions. None of the information passed through the voice assistant can identify a patient or compromise their privacy. There are no HIPAA concerns with these types of voice assistants.

Applications further along the spectrum (Assess, Dispense, and Prescribe) need the personal health information (PHI) of the person using the conversational application to be not only useful but also provide relevant medical information.

 

Making virtual assistants HIPAA compliant
The announcement from Amazon is only half the story. For a voice assistant to be truly HIPAA compliant, the PHI of the person using it must be stored in a secure backend system.

For example, weight management voice assistant needs to know the identity of the person using it and needs to transmit the person’s current weight as well as other relevant PHI. This may include any medication schedules, blood pressure readings, or blood sugar levels if the user has diabetes. The voice assistant must also store these measurements as well as data transmitted from past interactions.

Account linking allows an Alexa skill to be connected with a backend system. Account linking, in turn, uses OAUTH, which is an industry standard protocol allowing or authorizing a skill to connect with a backend system without having to share the credentials.

Developing a voice assistant that requires account linking is not a trivial endeavor. Orbita dramatically simplifies this process by offering an out-of-the-box OAuth provider that is easy to configure – just select the appropriate item from the OAuth Provider menu. Additionally, because of Orbita's extensibility, organizations that have standardized on 3rd party OAuth providers (such as OKTA, Auth0, or One Login) can integrate with those as well. 

Selecting an OAuth Provider via the Orbita platform

Of course, like any secure system, the HIPAA compliant skill needs to authenticate the person using it. Methods that exist now include assigning a PIN or phrase that users can speak to the voice assistant to confirm their identity. This is not a new concept; you use it every time you access your bank account through an ATM. Other methods include the use of a one-time password that changes with every use and is retrieved from a different device, like through a text message to a smartphone.

Orbita removes the complexities associated with enabling one-time passwords, magic phrases, and PINs by offering pre-configured templates that can be used to ensure the person engaging with your Alexa Voice Skill or chat bot is who they say they are; an imperative when dealing with sensitive health information.


Boston Children’s Hospital’s HIPAA-eligible assistant
The same day that Amazon announced that their Alexa Skills Kit was HIPAA eligible, six personalized health skills were also launched. These skills were produced by Livongo, Connect Atrium Health, Swedish Health, Cigna, Express Scripts, and Boston Children's Hospital (BCH).

BCH’s Alexa skill is called “MyChildren’s Enhanced Recovery after Surgery (ERAS)”.  The MyChildren’s skill allows for families for parents and caregivers to update their child’s care team on how the child is doing since leaving the hospital.

MyChildren’s uses a survey to track things like pain level, recovery, and compliance with medication. These assessments are delivered to the family on a pre-determined timeline coinciding with the child’s expected progress. With this information, the care team can monitor the child's recovery on a more frequent and timelier basis. 

Apart from relying on the HIPAA eligible Alexa Skill set, MyChildren’s also uses the Authorization method mentioned above to link to its backend system. In addition, it requires users to authenticate themselves using a PIN.

In short, Amazon's move to make Alexa Skills Kit HIPAA eligible opens the door to the true potential of voice assistants in healthcare. As with the development of any voice assistant, understanding the complexities and benefits of this new aspect of this ever-evolving technology is an important first step to utilizing it to its full capacity.

Where to go from here?
Amazon’s announcement is very promising for the U.S. healthcare industry. If you work for a provider organization, payer, pharmaceutical firm, or a healthcare solution vendor and you carry any responsibility for patient experience, this news from Amazon impacts you. Clinicians and patients alike have been using hands-free, voice interfaces in their homes and have been demanding the same usability for clinical care applications, so it has seemed inevitable that voice assistants like Alexa and smart speaker-equipped devices like the Amazon Echo would find their way into clinical applications. 

If you’re considering a secure, voice-powered virtual assistant for a clinical application, contact Orbita. We are the healthcare leader in conversational AI for enterprise voice- and chatbot-powered virtual assistants and can help you navigate these new waters.

Watch Orbita’s latest webinar on demand - Secure Voice in Healthcare: The What, Why, and How of HIPAA-Eligible Voice Assistants

Secure Voice in Healthcare: The What, Why,   and How of HIPAA-Eligible Voice  Assistants       READ WHITE PAPER