By Clay Dubberly, Intern
Amazon’s Alexa is drawing criticism from parts of the healthcare industry, not because of a flaw but because of a design choice: the device listens passively, all the time. That feature led Jennifer Searfoss, CEO of SCG Health, to ban Alexa from the company’s premises.
Alexa is an “intelligent personal assistant” capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and offering other real-time information.
Alexa works by listening for its wake word (by default, its name). Hearing the wake word puts the device into active mode: the audio that follows is captured, sent to Amazon’s cloud for speech recognition, and acted on. You can ask it about the weather, have it convert measurements, or get help with shopping. It can even be used as an intercom.
In a medical environment, it can be used to help physicians take notes, remotely monitor patients, or allow them to ask health-related questions.
Passive listening and hacking: The Downsides to Alexa
The problem is that Alexa’s microphone is on at all times. Wake-word detection runs on the device, but the device can be triggered deliberately or by accident (by a word that merely sounds like its name), and whatever it hears after a trigger is sent to Amazon. A device that has been compromised could send far more than that, to whoever compromised it.
“There’s too much risk to be hacked,” Jen Searfoss says. SCG Health used to have the device in its building, but, in her words, “We kicked Alexa out of our office after considering the vulnerabilities of the passive listening technology.”
This isn’t just a “possibility” of being hacked; it has been demonstrated. There are several documented instances of Alexa being compromised. One is the “DolphinAttack,” which uses sound at frequencies humans are unable to hear.
In this attack, the voice command is shifted onto an ultrasonic carrier above 20,000 Hz, the upper limit of human hearing, and played through an ultrasonic transducer driven by a smartphone. A person in the room hears nothing, but the target device’s microphone picks the signal up. A further concern is that there is nothing to see: a device being fed inaudible commands looks no different from one that isn’t.
The microphone’s own nonlinearity demodulates the ultrasonic signal back into the audible band, so the speech recognizer receives an ordinary-looking command and Alexa carries it out without the owner ever being involved. The equipment needed is a battery, a smartphone, an ultrasonic transducer and an amplifier, all of which are sold online for a low price.
A successful attempt lets the attacker do what the owner could do by voice, such as open a garage door (if one is connected to Alexa) or place calls.
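To make the mechanism concrete, here is a small signal-processing simulation added for this article (it is not code from the DolphinAttack researchers or from Amazon). It amplitude-modulates a 1 kHz tone, standing in for a spoken command, onto a 25 kHz carrier, then passes the result through a microphone model with a slight square-law nonlinearity. The sample rate, carrier frequency, test tone and the x + k·x² microphone model are all assumptions chosen for illustration, not measurements of any real device.

```python
import math

# All parameters below are assumptions chosen for the simulation, not figures from the article.
FS = 96_000          # sample rate in Hz; must exceed twice the carrier to represent it
CARRIER_HZ = 25_000  # ultrasonic carrier, above the ~20 kHz ceiling of human hearing
COMMAND_HZ = 1_000   # a single tone standing in for the audible voice command
DURATION_S = 0.05    # 50 ms of signal (4800 samples)


def command(n):
    """Baseband 'voice command' sample n: a pure 1 kHz tone (stand-in for speech)."""
    return math.sin(2 * math.pi * COMMAND_HZ * n / FS)


def transmitted(n, depth=1.0):
    """Amplitude-modulate the command onto the ultrasonic carrier.

    The result only has energy at CARRIER_HZ and CARRIER_HZ +/- COMMAND_HZ
    (24-26 kHz here), so a person next to the transducer hears nothing.
    """
    return (1.0 + depth * command(n)) * math.sin(2 * math.pi * CARRIER_HZ * n / FS)


def microphone(samples, k2=0.0):
    """Model the microphone/amplifier front end as out = x + k2 * x^2.

    k2 = 0 is an ideal, perfectly linear microphone. A real capsule and pre-amp are
    slightly nonlinear; the x^2 term mixes the sidebands back down to the baseband,
    which is the effect DolphinAttack relies on. (Square law is a simplified model.)
    """
    return [x + k2 * x * x for x in samples]


def goertzel_power(samples, freq_hz):
    """Energy of `samples` at a single frequency (Goertzel algorithm, one DFT bin)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / FS)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_amplitude(samples, freq_hz):
    """Amplitude of the sinusoid at freq_hz (exact when it spans an integer number of cycles)."""
    return 2.0 * math.sqrt(max(goertzel_power(samples, freq_hz), 0.0)) / len(samples)


def recovered_command_amplitude(k2):
    """Run the attack signal through the microphone model and return the 1 kHz amplitude
    that reaches the speech recognizer. With modulation depth 1 the expected value is k2."""
    n = int(FS * DURATION_S)
    tx = [transmitted(i) for i in range(n)]
    return tone_amplitude(microphone(tx, k2), COMMAND_HZ)


def transmitted_is_inaudible():
    """Sanity check: the signal in the air has energy at the carrier and none at 1 kHz."""
    n = int(FS * DURATION_S)
    tx = [transmitted(i) for i in range(n)]
    return tone_amplitude(tx, COMMAND_HZ) < 1e-6 and tone_amplitude(tx, CARRIER_HZ) > 0.5


if __name__ == "__main__":
    print("signal in the air is ultrasonic only :", transmitted_is_inaudible())
    print("1 kHz seen by an ideal microphone    :", round(recovered_command_amplitude(0.0), 6))
    print("1 kHz seen by a real (x + 0.1x^2) mic:", round(recovered_command_amplitude(0.1), 6))
```

Run it and the ideal microphone reports no 1 kHz content at all, while the slightly nonlinear one reports a clean 1 kHz tone whose amplitude equals the nonlinearity coefficient: the command the recognizer ends up processing was never present in the audible band in the air. The simulation also points at the shape of a defence: energy above the speech band arriving at the microphone is itself a signal worth filtering or flagging before audio reaches the recognizer, since nobody in the room will hear the attack.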
Another attack requires physical access to the device: software is installed on it beforehand that turns it into a wiretap, streaming whatever the microphone picks up to a computer at another location.
Forbes reported a successful demonstration of this. The drawback (from the attacker’s point of view) is that it takes several hours of hands-on work with the device, but that still poses a threat to anyone who buys an Alexa from a secondhand source, or who cannot control who has physical access to it.
In one of those less-concerning instances when hacking is used for something good (or at least something funny), Alexa was hacked into a Big Mouth Billy Bass -- one of those wall-mounted fish that sings songs like “Don’t Worry Be Happy” or “Take Me To The River.”
Alexa isn’t HIPAA compliant. Here is how Amazon plans to fix it.
Another big concern for Amazon’s Alexa (as if being hacked weren’t big enough) is that it isn’t HIPAA compliant. That sharply limits its use in healthcare: a covered entity cannot let a vendor handle protected health information without a business associate agreement in place.
The idea of having a device which could be recording patient data presents a clear threat: “It’s collecting info that has PII,” Ms. Searfoss says.
To move Alexa toward HIPAA compliance, Amazon recently hired a HIPAA Compliance Agent whose job is to bring the product in line with the legal requirements, including the obligations Amazon would take on under a Business Associate Agreement (BAA) and the applicable federal and state laws, standards and regulations. The Compliance Agent is expected to help ensure that “technology and business processes meet [Amazon’s] HIPAA BAA requirements, as well as all applicable federal and state laws, regulations and standards.”
Some healthcare organizations have begun testing the device’s capabilities despite the risk. WebMD, for example, lets Alexa deliver its general health content to users in their own homes. Beth Israel Deaconess Medical Center (BIDMC) ran a successful pilot in an inpatient setting, without real patient data, and plans to use the device clinically, but not until Amazon signs a BAA.
Boston Children’s Hospital (BCH) also experimented with using Alexa to give information to its clinical staff; because it had no BAA, only non-identifiable health information was used. BCH also created an Alexa skill called KidsMD, which gives parents advice when their kids have a fever.
SCG Health will continue to stand strong and enforce its ban on Alexa -- at least until Amazon approves a business associate agreement.