Healthcare
Risk Management
Internet of Things

Nexus Podcast: Tiffany Wilson on the Security Crisis of Consumer Tech in Healthcare

Michael Mimoso / Apr 21, 2026


Tiffany Wilson, the founder of Wilson Inclusive Solutions (WINS), a disability accessibility consulting firm, joins the Nexus Podcast to discuss the proliferation of consumer technology into healthcare infrastructure. This technology—smart speakers that help manage medications or cameras that monitor vulnerable individuals—often handles patient data and safety, and operates in a regulatory void. 

Wilson advocates for frameworks that manufacturers and distributors can use to protect patient information and safety, given that most of this assistive technology functions as healthcare infrastructure without the oversight and protection afforded to healthcare technology.

Below is a transcript of this episode:

Mimoso:

All right, welcome back to the Nexus podcast. Tiffany Wilson is my guest. Tiffany is the founder of Wilson Inclusive Solutions, a disability accessibility consulting firm. And she has a background in healthcare compliance and assistive technology distribution program management. We're going to talk about the growing inclusion of consumer technology within healthcare and the security story around that. So nice to meet you.

Wilson:

Yes, Mike. Thank you for having me here. Of course. It's nice to meet you as well.

Mimoso:

Yeah, thanks for making the time. I went through a little bit of a background, but tell me a little bit about yourself. We haven't met before today, so.

Wilson:

Sure. I have a unique background, right? You know, I didn't come to security and this topic in a traditional manner. Right. And I started out in healthcare compliance and program management and that gave me a unique insight once I got into disability accessibility work and program distribution and that's what I'm here talking about today is how security also impacts disability accessibility and how can we get all of us working together on the same issues.

Mimoso:

So what do you see that's driving that growing inclusion of consumer tech into healthcare?

Wilson:

It's affordable and it's accessible. And you don't have to wait for a doctor to tell you to use this device for your needs. And, you know, humans have been modifying tools forever to meet unmet needs. And so with the advance of consumer technology, we're seeing a lot more accessible uses for this technology that might not have been made for that.

Mimoso: 

So maybe it makes sense to start with a definition. How do you define assistive technologies, for example. 

Wilson:
Sure. The United States has a legal definition. And put simply, assistive technology is any tool or device that helps you overcome a challenge. That's broad, right? My Apple Watch, my smart watch, is my assistive technology. It reminded me to get here on time. It reminds me to take my medicine. And I don't need formal accommodation for that unless I'm in a certain environment where I can't use it. Right. Or I need to have an alternative accommodation that meets that secure environment.

Mimoso:

So it's pretty different from accessibility, for example, or are they close? 

Wilson: 

That's an excellent question. Terms in our industry get interchanged all the time. Accessibility, assistive technology, accommodation. And, you know, us in the disability accessibility industry, we're the ones who do it the most. Like I told you, I work in disability accessibility, but if we get more granular into it, I actually work more in the assistive technology program management side. And so I'll tell you the differences between these three terms. So accessibility is the foundation. It's the design. I'm building a new tool. Is it accessible? I'm building a website. Is it accessible to those who are blind or visually impaired? It's that foundation in the design. Assistive technology is a specific tool that helps a person overcome a challenge. And then an accommodation is a modification to a policy or a process in your workplace to accommodate your need and help you in that instance. So assistive technology can be an accommodation, but it's the tool. But a human service, like a sign language interpreter, can also be an accommodation.

Mimoso:

So are these assistive technologies, are they largely brought in by the patient or is this something that a facility or a physician might introduce?

Wilson: 

Well, because the definition is so broad, that's the challenge that we're having that it's everywhere, right? You can walk into anywhere and buy a device and use it the way you want, device or software, any tool. And historically, assistive technology used to be a little bit more specialized. And in the United States, there's federal funding for assistive technology centers in every state to provide awareness, information, loans, demonstrations. Now, they're not distributing under that federal funding, but in those centers are experts who understand assistive technology and they may have frameworks and delivery. And so a lot of times, a lot of our assistive technology programs were under those federal centers. But as we see growth and as we see it not being as specialized, we're seeing areas everyone is giving assistive technology. So with that comes variance in training, just like anybody can call themselves a cybersecurity specialist. And so we're seeing in our industry some providers that have ethics or frameworks set up and some that don't. And it's an unintended harm that I'm talking about. It's not that I think that we should regulate all the programs or we should control it. It's more that we should all talk about frameworks and how do we distribute these safely, but then also how do we secure devices so people can use them as accommodations and secure networks. 

Mimoso:

Definitely want to get into the actual risks and security and even the compliance end of it, the regulatory end of it, but paint the picture. What are some of these examples of some assistive technologies that aren't maybe so straightforward? 

Wilson: 

Straightforward as in? 

Mimoso: 

Well, I've seen, like, you shared some material that included, like, smart speakers, things like that. Sure. That wouldn't necessarily strike me as healthcare assistive technology, but.

Wilson: 

So one example is a subcontractor of mine who works for me. She has quadriplegia and she is non-vocal. Okay. And so her quadriplegia means that she only has facial gestures and movements. And so she has an app on her Android device that she's able to control, but then she also has a communication app. And so she uses her eyes and her facial gestures to control that app and then to communicate and be her voice. But when we're seeing now from the medical devices, now we're seeing assistive technology programs distribute phones and tablets with these accessible apps. It's a lot more affordable. Sure. Maybe under $1,000 versus over $20,000 and going through a Medicaid process. Those apps are everything in those use cases. Right. So because of that, that might mean somebody comes to an assistive technology program or a disability program to get that device. And we're seeing that some providers aren't telling end users about accounts. They'll just set up an account in their name, accept terms and conditions on their behalf, and give them the device. And there should be safety in creating an account, especially if you have to tie money to it. Download an app. And those are the things that I'm talking about, about getting frameworks for the assistive technology distribution side.

Mimoso:
I assume, are these discussions happening with these distributors and how cybersecurity aware, savvy are they? 

Wilson:

Well, I'm here to start talking about it. So I started talking about this topic in the assistive technology and disability industry side and raising digital literacy on the part of our service providers and also encouraging self-advocacy on the part of end users. But I also see that it needs everyone looking at this. And cybersecurity, and this is why I'm here to talk about it, to talk to the manufacturers and talk about how we safely set up these devices for end users. 

Mimoso:

It's clearly at an advocacy stage right now. I mean, what are those discussions like? What is the message you bring? What do you hope they kind of take away from it?

Wilson:

That's a great question. You know, a lot of times when I start this conversation, people think that I want to regulate everything and put laws into place for everything. And it's not that. It's more that I want a secure way to assist people and I want a secure way for people to set up accounts, remote account setup. And if these manufacturers are going to our assistive technology distribution conferences and talking to the providers who are distributing devices, if they're going to advertise for their device to be in a program for end users with disabilities, then they should also provide ways to distribute it and set it up safely. You know, we're seeing some disability service providers even looking at disability intake forms and taking the information, somebody's private information, to set up an account for a tablet or that smart speaker and that smart speaker might be tied to a commerce account. And if it's tied to a commerce account and then that person's never bought anything online, the user checkbook. And I'm saying, hey, here's this cool smart speaker to help you with your low vision management, whatever you need it for. But, yeah, you also have to set up this commerce account and put a credit card on it. Now, my program can set up ways to try and do it ethically. But until there's assisted account setup, how do we do that? And also, I have a framework, but anybody can go into a big box store and buy these devices and distribute them.

Mimoso: 

But it also seems like there's a space there to make it a competitive advantage that, hey, we're doing this securely. And, you know, what would that look like, I guess? 

Wilson:
That's an excellent point. I mean, we have all 50 states that have distribution programs and we're advising them. And some of my advice to them is check the encryption, check the remote account setup, how do they have these protocols set up, do they have them set up, do you really want that liability in your program? And for some of these devices, I'm not sure if those devices are ready for mass distribution.

Mimoso:

In terms of like a secure lockdown device versus what's out there now?

Wilson:

Yes.

Mimoso: 

Are there commonalities among some of the risks across these devices? I mean, we are talking about access controls or encrypted data. I mean, what are some of the things you're seeing? 

Wilson:
As far as consumers in homes, we're seeing lockdown access to data. We're seeing the need for that. Multi-factor authentication is one of them. So if my example is of the subcontractor that works for me and uses her phone to control communication, there are others who don't have phones. Their family members do all their communication for them. And we're working on the independence of that, but that may mean that they don't have a phone number for MFA. And so what we're seeing in some assisted living homes and other environments, staff members are wanting to help. And so what they're doing is they're tying the devices to their own phone numbers. So here you have a person who may only work there for a year and their phone number is tied to that vulnerable person's account. We're also seeing smart cameras used to monitor vulnerable individuals. And people aren't considering that they're not asking for permission, one. Sure. And then we're also seeing the intersection of digital literacy on the provider's part is that they don't understand how it's on a cloud. It's on a commercial server. It's not HIPAA protected, the U.S. health care law. And so we're seeing a variety of challenges and there's no direct answer. And so when we started doing these distribution programs en masse, we're starting to see these issues that we didn't predict.

Mimoso:

Sounds like you've really identified a gap here. Like what, what led you to this? 

Wilson: 

The COVID-19 pandemic was rough. I know it was rough for a lot of folks. Um, but for people with disabilities, even more, it was very difficult. And we were the service providers trying to get equipment out to folks. And I used to work for the Assistive Technology Center in Alaska, distributing devices under various funding. And right before the pandemic started, assistive technology programs started pilot programs on distributing IoT devices and different consumer products for independence. And because they're consumer products, they're not funded by benefit programs. And so, and that makes sense, right? Because a tablet can be anything. It's not a specific medical device. But when the pandemic happened, we went from developing pilots and best practices to different programs throwing us money to get devices out to people for communication. So if somebody is isolated in the middle of a small village in Alaska, security matters, right? But I still need to get them that device so then they can have communication. And so how do we help them set that up? And so because it's scaled quickly and fast, we were met with ethical questions of how do we do this? And we were building frameworks daily trying to promote autonomy and choice and protect that person's privacy and their digital autonomy. But at the same time, we were also seeing others not taking those same precautions. And so then I published a paper on that experience and the harms involved. The unintended harms that I was witnessing and the challenges that I remediated because some of the challenges happened. You know, a service provider puts their phone number on a smart doorbell for a person with a disability who uses it in a wheelchair who sees somebody at the front door. Sure. That's a great use for it. But if the service provider is tied to their phone number and they can check the app at any time, that's scary. And so I wrote that paper to talk about it.
So us as an industry and assistive technology could talk about it and start addressing it. But then I wanted to bring the security issues to the cybersecurity side to say, look, this is what I'm dealing with. And talk to manufacturers and say, how can we secure access from the beginning? And how can we not only on the assistive technology side make the frameworks secure and private, but also on the security side, how do we make the devices secure? How do we do remote setup? And we don't know what we need, but I'm hoping to start that conversation. 

Mimoso:

So you've referenced frameworks a couple of times, and I assume you're involved in the development. What's being emphasized? What are the directions of some of the frameworks? 

Wilson: 

I have three avenues that I'm looking at. And it's whether you're the end user and the device is in your home or going to be suggested to you for your workplace. And we have a framework of questions that you ask. Does this need an account? Who sets it up? Is it encrypted? And some of your basic digital literacy questions, but getting them in the hands of folks so they are empowered to control their own digital portfolio. Sure. And then I'm also talking about teaching service providers about digital choice and digital self-advocacy. In the human services world, we have what's called person-centered planning and person-centered directives and choice. So no matter what the individual's functioning is, they're still driving their own choice and controlling their own portfolios. And so I'm raising the literacy on both sides of the end user and the service provider. And then the third, I'm also talking to employers about these devices. They're on your network and it's their unvetted endpoints. People are using them there and they're asking for accommodations. Like, can I use my smartwatch in this secure environment? And somebody told them that that's their accommodation or their assistive technology. And then they want to use it as an accommodation. And then they're getting it denied at work because it's not secure.

Mimoso: 

In terms of either the risks or the security decision-making around, is it different between assistive technology and accessibility, for example? Is there a different conversation that needs to happen for each of those people?

Wilson: 

That's a good question. So if we look at accessibility being the foundation in the design, that's where I'm having the conversations with anyone who's making anything that would possibly be distributed in these programs or if they're advertising it to the equipment programs to distribute them, then they should consider these things. And so from the beginning and secure access from the beginning and a lot of it is what cybersecurity professionals are saying, you know, how IoT is not secure and other elements of it. So if we build in controls from the beginning, then that's one way to deal with it. But then we also have the assistive technology piece of it, which is the actual tool. So that tool's made, that software, that device, it's here, it's being used. And then how can we ethically get it into somebody's hands to use it without locking it down, I don't need to regulate everything. I just want the person to have it safely without their credit card information being asked for for a commerce account, for just a smart speaker. 

Mimoso: 

Healthcare is so regulated. How has this slipped through Health and Human Services or the FDA, whoever? I mean, this, again, it's a gap. 

Wilson:
You're right. And that's why I talk about what assistive technology is, which is very broad versus what defines a medical device or a clinical device. And so the FDA does regulate medical devices and clinical devices. And there were, and some assistive technology tools were regulated when they were more specialized, right? But if you take a phone, that's using an app that's assistive, how do you regulate that? Going back to humans, we use tools all the time for not their intended purpose, especially to help us to overcome a challenge. How do you regulate that? It's a hard topic. 

Mimoso:

I mean, at the end of the day, it's all IoT, though. I mean, I'm almost at it. 

Wilson: 

A lot of it is. You're right. And so how do we do that? And so that's why I'm also here talking to the cybersecurity folks who understand IoT, who understand the security aspects of it. And how can we all look at that together? Because I'm not a developer. I'm the one with the end user and with the programs that are building these frameworks and putting these tools in people's homes. And, you know, at the end of the day, if somebody needs communication, they need communication. If they're like, you know, I don't care, just get it set up and get it to me. That's their choice and that's access. 

Mimoso:

Just give me my app. 

Wilson: 

Give me my app. And most people will tell you that. But as a provider, ethically, I have a hard time encouraging someone to give out a smart speaker that's tied to a commerce account and say, yeah, go ahead and distribute those in your programs. Just look away if they need help setting up that account. 

Mimoso:

Related to the IoT subject, do you know, are these devices that you're talking about, are they capable of supporting security? Encryption or access controls and so forth, or is this kind of like a back to the drawing board question for manufacturers?

Wilson:
I think it's a back to the drawing board question for manufacturers, and it depends on the device. Um, you know, if we're getting into like smart cameras or, you know, there's the consumer devices, but then there's, we're seeing different companies pop up with AI for this disability function, AI for this assistance, AI for that. And we're seeing some providers, not providers, I guess builders, do their homework and have encryption and maybe other protocols, whereas others don't. And, you know, we go on their website and they're like, don't worry, guys, we're secure. And that's kind of where that layer that cybersecurity kind of overlaps.

Mimoso:

It sounds like someday it's going to be a regulatory issue, whether you have to follow this X, Y, Z framework and that's it. Some kind of standard. 

Wilson: 

It might be. And I don't know what that would look like, but I'm hoping it would reduce the unintended harm because harm is happening.

Mimoso:

Yeah. As you meet with some of the providers or the manufacturers, are you hearing any pushback? Do you or do you expect any if you haven't? Like what are they telling you? Intensive or too long to do it?

Wilson:

All of that. Yeah. And, you know, and on some level, I don't know if a consumer smart speaker needs to be regulated. You know, or how do you do that? What does it look like? And because you and I are different, we might use a tool differently. And so that's why I'm getting back to more frameworks and secure frameworks. Just started the conversation with manufacturers and some of the concerns are valid with how do we know what to regulate, what do we regulate, and I think it's more about, instead of regulation and saying requirements of this type of protocol and that type of protocol, I think it's more about the secure pathway for assisted setup and the secure pathway for providing supports for that device from their company and providing the materials that explain this is your device, this is what it does, this is where your information is held. And so I don't have any issues with someone using, you know, a consumer tool however they want. And I don't want to regulate that because that's accessible. They can use it. And locking things down means that people can't use it or it makes it harder for them to get it. Right. And then there's more rules for programs to follow. And so manufacturers can even just explain what's happening or where it's going or what it does and assist with that literacy part of it as well.

Mimoso: 

Sounds like you need a little transparency in terms of what's happening.

Wilson:

I love that. Yes, transparency on both sides.

Mimoso:

So if we talked again in a year, what would you ideally love to have seen happen in the meantime?

Wilson: 

If we talk again in a year, I would have ideally loved to see the adoption in disability service programs that are choosing to distribute assistive technology, that they have ethical frameworks set up that promote the digital autonomy and choice of the end user, and that protects their digital security and privacy. And I would love to see manufacturers come on board and we start talking about these challenges that all of the disability service programs are seeing and talking about. And I would love to see us even just come together with a summit or a discussion. If manufacturers are advertising for their devices to be included in these distribution programs, then they should support us in distributing them ethically, securely for our end users. 

Mimoso: Let's hope it happens. All right, great to meet you, Tiffany. Thank you so much for your time. 


Wilson:
Very nice to meet you, too. Thank you, my pleasure.

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
