Smart speakers are voice-activated, internet-connected devices with an integrated virtual assistant that can answer questions, follow instructions and control other smart devices. Nearly one in five U.S. adults has access to a smart speaker, and it has been estimated that in 2018, the number of smart speakers installed reached 100 million worldwide. Using voice recognition, a smart speaker’s virtual assistant can understand what is being said and act upon it. Once the system is activated, it records what is being said and sends it over the internet to the main processing service, which deciphers the speech and sends a response back to the smart speaker. Smart speakers can control other smart devices upon verbal command and perform tasks such as controlling music, lights, television and home security systems, as well as playing audible books.
Because of the unlimited capabilities of a smart speaker, healthcare providers are beginning to use these virtual assistants in pilot programs with patients in the hospital and home care settings and with other healthcare providers. Smart speakers can be used to remind a homebound patient to take scheduled medications, to check blood sugar at certain times during the day, or to carry out other activities of daily living. Smart speakers have the potential to relieve some of the documentation burdens that physicians and other healthcare providers complain of when using electronic health record (EHR) systems. With a smart speaker, a physician can request the retrieval of specific information from the EHR or enter data into the EHR while conversing with a patient, thereby reducing the amount of time spent documenting and retrieving data. However, smart speakers were developed for commercial use and lack the security necessary to protect the confidentiality, integrity and availability of patients’ health information. Healthcare providers should be wary of using smart speakers to access, use and disclose protected health information (PHI) until the privacy and security concerns are resolved.
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a covered entity healthcare provider (covered entity) is required to implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI) that it creates, receives, maintains or transmits. Smart speakers are always listening, and may record conversations even when that is not intended. There have been reports of people hacking into smart speakers and controlling audio commands, installing malware and targeting devices connected on a network. An amusing story of an African grey parrot that was able to mimic its owner’s voice, activate a smart speaker and conduct internet shopping illustrates some of the technical limitations of smart speakers.
The HIPAA Security Rule requires a covered entity to conduct an accurate and thorough assessment of the potential risks to and vulnerabilities of the confidentiality, integrity and availability of ePHI, and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Questions remain about how ePHI will be secured, whether ePHI will be stored locally or by the smart speaker vendors, and what associated security is required, as well as how to determine business associates’ obligations.
Smart speakers can still assist patients in important ways without the exchange of PHI. The patient can use a smart speaker to obtain wait times for emergency room services based on ZIP code, to get treatment and medication reminders, and to obtain healthcare information readily available from public websites. The use of smart speakers has great promise for healthcare in the future. However, before the healthcare industry sees widespread use of smart speakers, it needs time to fully develop and implement mechanisms to protect the privacy and security of the ePHI that passes through them.