Protecting Privacy, Security and Patient Safety in mHealth
Patricia D. King, J.D., M.B.A., Associate General Counsel, Swedish Covenant Hospital
Oklahoma Telemedicine Conference 2014: Telehealth Transition: Opportunity to Value Creation
October 16, 2014
HIPAA Privacy and Breach Notification
Many reported breaches of unsecured PHI involve mobile devices. Example: Massachusetts Eye & Ear Infirmary settled its case for $1.5 million and agreed to adopt safeguards for mobile devices.
OCR has developed compliance resources specifically for mobile devices*
Portability and ease of use of mobile devices create unique risks
*http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
HIPAA Security
The HIPAA Security Rule requires covered entities to periodically review their security procedures when technology changes and introduces new risks
Access to EPHI on mobile devices is a significant operational change requiring providers to revisit their security policies and procedures
BYOD introduces additional vulnerabilities
ENCRYPTION, ENCRYPTION, ENCRYPTION! Under HHS guidance, loss of a device whose EPHI is encrypted in accordance with the referenced NIST standards is not a reportable breach of unsecured PHI; loss of an unencrypted device is.
NIST Guidelines for Mitigating Risk of Mobile Devices*
Risk: theft or loss
Mitigation: encryption; permitting access to EPHI but not storage on the device; device-based authentication; network-based authentication
Risk: inherent vulnerabilities due to lack of root-of-trust features
Mitigation: centralized mobile device management (MDM) technology; if BYOD is permitted, isolation of the organization's data and applications
*Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST Special Publication 800-124, Rev. 1
NIST guidelines (cont'd)
Risk: "man in the middle" attacks on unsecured networks
Mitigation: use of a virtual private network (VPN)
Risk: introduction of malware through apps
Mitigation: prohibiting installation of third-party apps unless "white-listed"; prohibiting browser access or forcing it through a secure gateway
Special Considerations for BYOD*
Advantages: user satisfaction, potential savings on device purchases
If BYOD is permitted, the user-owned device will have two information owners: the user for personal data, and the organization for EPHI and business processes.
If the organization's data and apps are confined to a sandbox/secure container, then a remote wipe of that container can be performed if the device is lost or compromised, without disrupting the owner's personal data.
*Guidelines on Hardware-Rooted Security in Mobile Devices, NIST Special Publication 800-164 (draft)
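As an added example, not part of the presentation and not code from NIST or any MDM vendor, the following Python script turns the mitigations on the two NIST slides and the BYOD slide above into a device-compliance check: each device record is tested for encryption, device-based authentication, MDM enrollment, an allow-listed app set, a VPN configuration and, for user-owned devices, a secure container, and the response to a lost device differs depending on who owns it and whether a container exists. The device records, app identifiers, field names and the allow-list are constructed sample data for this illustration; real MDM products expose different schemas.

```python
"""Device-compliance check modelled on the NIST SP 800-124 Rev. 1 mitigations listed
on the slides: encryption, device-based authentication, centralized MDM, an app
allow-list, a VPN for untrusted networks, and (for BYOD) a secure container so that a
remote wipe can remove organizational data without touching the owner's personal data.

All device records, app identifiers and field names are constructed sample data for
this example; they are not the output or schema of any real MDM product."""
from dataclasses import dataclass
from typing import List

# Assumed allow-list of app bundle identifiers the organization permits (constructed).
APP_ALLOWLIST = {"com.example.ehr", "com.example.securemail", "com.example.vpn"}


@dataclass
class Device:
    device_id: str
    owner: str                 # "organization" or "user" (BYOD)
    encrypted: bool            # full-device storage encryption enabled
    passcode_set: bool         # device-based authentication
    mdm_enrolled: bool         # under centralized mobile device management
    vpn_configured: bool       # traffic to the organization forced through a VPN
    container_installed: bool  # org data/apps isolated in a secure container
    reported_lost: bool
    installed_apps: List[str]


@dataclass
class Finding:
    device_id: str
    violations: List[str]
    action: str  # "none" | "block_ephi_access" | "wipe_container" | "wipe_device" | "revoke_access"


def evaluate(device: Device) -> Finding:
    """Map each missing mitigation to a violation, then pick a response."""
    violations = []
    if not device.encrypted:
        violations.append("storage not encrypted")
    if not device.passcode_set:
        violations.append("no device-based authentication")
    if not device.mdm_enrolled:
        violations.append("not enrolled in MDM")
    if not device.vpn_configured:
        violations.append("no VPN for use on untrusted networks")
    if device.owner == "user" and not device.container_installed:
        violations.append("BYOD device without a secure container for organizational data")
    unapproved = sorted(set(device.installed_apps) - APP_ALLOWLIST)
    if unapproved:
        violations.append("non-allowlisted apps: " + ", ".join(unapproved))

    if device.reported_lost:
        if device.owner == "organization":
            action = "wipe_device"      # the organization owns all data on it
        elif device.container_installed:
            action = "wipe_container"   # remove EPHI, leave personal data intact
        else:
            # No container: a full wipe would destroy the owner's personal data, so
            # fall back to network-based controls and revoke the device's access.
            action = "revoke_access"
    elif violations:
        action = "block_ephi_access"    # deny EPHI access until the device complies
    else:
        action = "none"
    return Finding(device.device_id, violations, action)


def evaluate_fleet(devices: List[Device]) -> List[Finding]:
    return [evaluate(d) for d in devices]


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("org-001", "organization", True, True, True, True, False, False,
           ["com.example.ehr", "com.example.vpn"]),
    Device("byod-002", "user", True, True, True, True, True, False,
           ["com.example.ehr", "com.socialgame.free"]),
    Device("byod-003", "user", False, True, False, False, False, True,
           ["com.example.ehr"]),
    Device("org-004", "organization", True, True, True, True, False, True,
           ["com.example.ehr"]),
]

if __name__ == "__main__":
    for f in evaluate_fleet(SAMPLE_DEVICES):
        print(f"{f.device_id}: action={f.action}; violations={f.violations or 'none'}")
```

The "revoke_access" branch is the practical consequence of the two-owner problem on the BYOD slide: without a container, the only remote wipe available is a full-device wipe that takes the owner's personal data with it, so the organization is left with network-based controls (revoking the device's certificates, VPN and account access) rather than a device-side remedy.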
Other Security Considerations
FDA guidance on cybersecurity for medical devices and networked hospital systems*
The 2014 Work Plan of the HHS Office of Inspector General states that OIG intends to review security controls implemented by hospitals for portable devices containing PHI and for networked medical devices
*FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks, June 13, 2013
Patient Safety
A 2011 Institute of Medicine report focused on how health information technology can itself contribute to medical errors, through poor usability of electronic health records, alert fatigue, and other factors*
The HHS Office of the National Coordinator for Health IT has developed numerous resources to help providers assess the safety features of health information technology**
*Institute of Medicine, Health IT and Patient Safety: Building Safer Systems for Better Care, 2011
**http://www.healthit.gov/sites/default/files/safety_plan_master.pdf
FDASIA
The 2012 Food and Drug Administration Safety and Innovation Act (FDASIA) required the FDA, ONC and FCC to issue a report on the development of an "appropriate risk-based regulatory framework pertaining to health information technology, that promotes innovation, protects patient safety, and avoids regulatory duplication"
The FDASIA Health IT Report* recommends that assessment of risk and needed controls should focus on HIT functionality, not on the platform (mobile, cloud, etc.) on which the functionality resides
*FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework, April 2014
FDA Guidance on Mobile Medical Apps
FDA guidance states that the FDA intends to regulate only those mobile apps that meet the definition of a medical device under the Food, Drug and Cosmetic Act and that are intended either to be used as an accessory to a regulated medical device or to transform a mobile platform into a regulated medical device
Since apps that are not mobile medical apps will not have FDA review, providers considering use of such an app should conduct their own review of the app's effectiveness
Role of the FCC
The Federal Communications Commission has expanded access to radio frequency spectrum for wireless medical communications: Wireless Medical Telemetry Service, MedRadio Service, Medical Micro-Power Networks, Medical Body Area Networks
The focus of FCC regulation is avoiding interference among users of wireless spectrum