Protecting Privacy, Security and Patient Safety in mHealth

Oklahoma Telemedicine ConferenceTelehealth Transition: Opportunity to Value

Creation

Patricia D. King, J.D., M.B.A.

Many reported breaches of unsecured PHI involve mobile devices Examples: Massachusetts Eye & Ear Infirmary

settled case for $1.5 million, agreed to adopt safeguards for mobile devices

OCR has developed compliance resources specifically for mobile devices*

Portability and ease of use of mobile devices create unique risks

HIPAA Privacy and Breach Notification

http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

HIPAA Security Rule requires covered entities to periodically review their security procedures when technology changes and introduces new risks

Access to EPHI on mobile devices is a significant operational change requiring providers to revisit their security policies and procedures

BYOD introduces additional vulnerabilities ENCRYPTION, ENCRYPTION, ENCRYPTION!

HIPAA Security

NIST Guidelines for Mitigating Risk of Mobile Devices*

Risk: theft or loss Mitigation:

Encryption Permitting access to

EPHI but not storage Device-based

authentication Network-based

authentication

Risk: inherent vulnerabilities due to lack of root of trust features

Mitigation: Centralized mobile

device management technology

If BYOD is permitted, isolation of organization’s data and applications

Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST Special Publication 800-124, Rev. 1

NIST guidelines (cont’d)

Risk: “man in the middle” attacks on unsecure networks

Mitigation: Use of virtual private

network (VPN)

Risk: introduction of malware through apps

Mitigation: Prohibiting

installation of third-party apps unless “white-listed”

Prohibiting browser access or forcing through secure gateway

Advantages: user satisfaction, potential savings on device purchases

If BYOD is permitted, the user-owned device will have 2 information owners: the user for personal data, and the organization for EPHI and business processes.

If the organization’s data and apps are confined to a sandbox/secure container, then a remote wipe can be performed if the device is vulnerable without disrupting the owner’s data.

Special Considerations for BYOD*

Guidelines on Hardware-Rooted Security in Mobile Devices, NIST Special Publication 800-164 (draft)

FDA guidance on cybersecurity for medical devices and networked hospital systems*

2014 Work Plan of the HHS Office of Inspector General states that OIG intends to review security controls implemented by hospitals for portable devices containing PHI and networked medical devices

Other Security Considerations

FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks, June 13, 2013

2011 Institute of Medicine report focused on how health information technology can itself contribute to medical errors, through poor usability of electronic health records, alert fatigue, and other factors*

HHS Office of the National Coordinator for HIT has developed numerous resources to help providers assess safety features of health information technology**

Patient Safety

*Institute of Medicine, Health IT and Patient Safety: Building Safer Systems for Better Care, 2011**http://www.healthit.gov/sites/default/files/safety_plan_master.pdf

2012 Food and Drug Administration Safety and Innovation Act required the FDA, ONC and FCC to issue a report on development of an “appropriate risk-based regulatory framework pertaining to health information technology, that promotes innovation, protects patient safety, and avoids regulatory duplication”

FDASIA Health IT Report* recommends that assessment of risk and needed controls should focus on HIT functionality, not on the platform (mobile, cloud, etc.) on which the functionality resides

FDASIA

FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework, April 2014

FDA guidance states that the FDA intends to regulate only those mobile apps that meet the definition of a medical device under the Food, Drug and Cosmetic Act, or that is intended to be used as an accessory to a medical device or to transform a mobile platform into a medical device

Since apps that are not mobile medical apps will not have FDA review, providers considering us of the app should conduct their own review of the app’s effectiveness

FDA Guidance on Mobile Medical Apps

The Federal Communications Commission has expanded access to radio frequency spectrum for wireless medical communications Wireless Medical Telemetry Service MedRadio Service Medical Micro-Power Networks Medical Body Area Networks

Focus of FCC regulation is avoiding interference among users of wireless spectrum

Role of the FCC