Policy Challenges 6-10
Breach Reporting 6-11
Legal Policies and Regulations 6-11
Best Practices/Resources 6-12
mHIMSS Privacy and Security Best Practices 6-12
Other Resources for Best Practices 6-13
Policy, Mandates, and Regulations 6-13
Proposed Future State 6-14
Strategies, Priorities, and Recommendations for Action 6-14
Future Considerations 6-15
Risks and Mitigation Strategies 6-15
Measuring & Benchmarking 6-15
Authors 6-16
References 6-16
6 Privacy and Security
mHIMSS Roadmap 6-01
Privacy and security are the backbone of trust in healthcare. The mHIMSS Roadmap goal is to provide resources to help healthcare organizations and vendors protect patients' privacy and enable a secure environment. Mobile health (mHealth) data presents a greater challenge to maintaining security; however, it must still comply with HIPAA mandates, Food and Drug Administration (FDA) regulations, Office for Civil Rights (OCR) enforcement, and requirements from other governing agencies, as does the non-mobile health sector. Privacy and security in a mobile environment are, by nature, more of a challenge than for data stored behind firewalls and concrete. However, many of the same rules apply to mHealth as in the enterprise environment. We need to remember that the only difference between a personal computer (PC), an enterprise server, and a smartphone is size. For the majority of the breaches reported today, the thief just carried the equipment out the door or nabbed the device from a car seat. Size plays very little role in protecting the data. Privacy and security in healthcare involve a process that must be navigated to reach our destination of protecting the patient, providers, organizations, and vendors. The navigation process is complex and ever changing because of outside influences, such as legislation, politics, crime, and technology. The mHIMSS Roadmap is our navigation tool of goals and the pathway of our organization.
Impact of Medical Device Regulations
Bring Your Own Device Concerns
Benchmarking and Potential Goals
Patient Reported Data
Breach Notifications
Act (HITECH) provide the governance over healthcare privacy and security. These laws and guidelines cross the boundaries of healthcare and impact compliance responsibility. As mobile technology emerges in healthcare, it brings significant changes in healthcare delivery, increased engagement of patients, and financial efficiencies for healthcare.[2] Mobile technology can give providers a closer-to-real-time view of patients and their conditions. mHealth provides the opportunity to improve medical system efficiencies and clinical outcomes by engaging patients in chronic disease management and medication compliance, and by extending healthcare access to the underserved (i.e., closing the Digital Divide). Handheld devices (pads, tablets, smartphones, tablet PCs, and handheld scanners) use an array of messaging techniques, including short messaging service (SMS/TXT), general packet radio service (GPRS), the global positioning system (GPS), short-range Bluetooth, ANT+, and wider-range third- and fourth-generation mobile telecommunications known as 3G and 4G. According to a recent industry study,[3] 38% of physicians use health-related mobile apps daily on smartphones or tablets, and that number is expected to increase above 50% within the next year. A study from Manhattan Research found that 71% of physicians surveyed already consider a smartphone essential to their practice. The remaining 70% of apps are directly engaging the consumer; this is also referred to as consumer facing, according to GlobalData, a New York-based market research firm. The growing senior population in the US is driving advances in remote patient monitoring. The senior segment represented 13% of the US population in 2010 and is expected to reach 20.7% by 2050.[4] Chronic disease is more prevalent in our senior population.
The point of care is shifting, and wireless remote patient monitoring provides the ability to monitor a patient in his or her own environment, thus giving healthcare providers an extended, more inclusive view of the patient. Implementing remote patient monitoring can provide cost-cutting intervention and many benefits, especially when incorporating remote patient-reported device data with electronic health records (EHRs). Advances in remote patient monitoring include new peripherals, real-time audio and video for face-to-face interaction between clinicians and patients, wireless communication, systems that sort the vast amount of data collected in order to put it into the context of a patient's condition, portable and ambulatory monitors, web-based access to the patient record, systems that transfer data to an electronic medical record (EMR), and full-service outsourcing that includes a clinician to evaluate data and send a report to the attending physician, according to a summary of remote patient monitoring by a market research firm.[5]
recommended that companies developing these types of products contact a medical device advisor and/or the FDA to determine if their product needs Premarket Notification 510(k) and Premarket Approval. Many of the FDA requirements concern labeling, and this labeling can be the difference between needing a 510(k) or not. For example, a company develops an app to monitor consumers' hearts. If the app is marketed as a device that could assist a doctor in diagnosing a heart problem, the app will most likely have to have a 510(k) classification. If the same app is marketed as a device for personal use for monitoring one's heart, and warnings are provided that this app is not a medical device and should not replace a doctor, then the app will most likely not be classified as a medical device by the FDA. Note: The FDA has tools and guidance on its website to assist developers with these issues.
medications via secure email or secure (not telecom carrier) SMS/TXT sent directly to patients' cell phones. One workflow example: patients receive an email or SMS indicating that a new message or a lab result is available to view within the provider's secure patient portal. A system that utilizes SMS/TXT must not use standard telecom delivery systems, because they are not secure; a HIPAA-compliant system must be sending these messages. SMS/TXT messages are asynchronous and do not provide guaranteed delivery. Another issue that needs to be considered is ambient or vicinity privacy. Many times cellphones are not secure and often are shared between friends, acquaintances, and family members. We must consider the content that is being delivered to the phone and the environment in which the phone is used to determine if the content is appropriate for this type of retrieval.
health, well-being, and right to privacy mandate these stringent regulations. Development of mobile medical applications is opening new and innovative ways for technology to improve health and healthcare. Apps that allow medical professionals and patients to access already publicly available material, or to perform administrative tasks, are not regulated. However, regulators are indicating that other types of mobile medical apps should be regulated. FDA-classified apps should be developed, manufactured, and supported in compliance with regulations. On July 19, 2011, the FDA announced its proposed official action, including defining mobile medical applications (MMA) that are subject to FDA action. The FDA defines an MMA as a software application that can be executed (run) on a mobile platform, or a web-based software application that is tailored to a mobile platform but is executed on a server, where that software already meets the general definition of a medical device as found in 210(h) of the Federal Food, Drug, and Cosmetic (FD&C) Act. There are three categories of apps identified:
1. Apps for the purpose of displaying, storing, analyzing, or transmitting patient-specific medical device data, i.e., data that originated from a classified medical device: a Medical Device Data System (MDDS), Class 1.
2. Apps that transform or make a mobile platform into a regulated medical device [...] or [perform] similar medical device functions.
3. Apps that allow the user to input patient-specific information and, using formulae or a processing algorithm, output a patient-specific result, diagnosis, or treatment recommendation that is used in clinical practice or to assist in making clinical decisions.
For more information on the legal definitions of MDDS, see the policy section of the mHIMSS Roadmap.
Telehealth
Telehealth, as defined by the Department of Health and Human Services (HHS), is: "The use of electronic information and telecommunications technologies to support remote clinical health care, patient and professional health-related education, public health and health administration." Telehealth enables collaboration of healthcare professionals to provide healthcare services across a variety of settings and distances. Telemedicine usage ranges from synchronous video chat between a patient and a doctor, to conferencing between doctors, to conferencing between doctors and allied health professionals (e.g., nutritionists, physical therapists), to providing live or recorded presentations to groups of patients, all of whom are geographically separated. But telehealth, currently being used worldwide, still faces challenges. The primary obstacle to widespread adoption of telemedicine is provider reimbursement. Currently, each episode of care is monetized; the more visits, the higher the cost. The accountable care organization (ACO) model as illustrated in the American Care Act incentivizes providers to see patients in a number of convenient ways (e.g., in person or via email, SMS, TXT, video chat, or data transfer). Alternative communication methods can be helpful for both parties in terms of time, convenience, and care access. Telehealth privacy and security are governed by HIPAA and HITECH. Just as patients are protected in encounters within the walls of a health facility, so they are in remote telehealth sessions.
Though this statement is valid, organizations have the opportunity to preempt security issues with the proactive approach of enacting policies and procedures to control access. An organization's BYOD strategy for privacy and security should include the following:
Device choices: Do you support all devices, and do you understand the privacy and security implications of each?
Trust model or risk assessment
Liability
Sustainability
User experience and privacy (e.g., agreements, signature, opt-in)
App design and governance
Economics
Internal marketing
Employee (user) training
Cost and budget
Traffic and bandwidth considerations
Guest policies
Up-to-date terms and conditions in electronic form
Priority and preemption
BYOD holds tremendous advantage for organizations as a way of reducing costs. For example, if employees purchase their own devices and use them at work, there is a saving of capital equipment, support, and maintenance. However, the true value of a well-designed BYOD program is increasing provider and employee satisfaction, productivity, and rapid adoption of technology across the enterprise.
Control access; provide access when appropriate
Provide terms and conditions of usage
Mobile device management (MDM)
Secure control of access to patients' personal health information (PHI)
Multiple guest devices to support
IT objective:
Control access via technology
Provide caregivers access to do their job
Protect network and PHI
Monitor who and what is on the network
Determine the locum physician's network needs as they relate to her job
Recommendations
Develop guidelines for protection of PHI.
Develop guidelines and examples of test plans for testing PHI; this should include software and hardware systems and devices.
Develop acceptance and regression testing guidelines.
Additionally, a wide variety of other professionals, including executives and support staff, were using mobile devices to perform daily activities. Key results of the survey include:
Respondents believed that the mobile technology environment was very immature.
Tools were needed to secure devices.
Policies were very wide in coverage, though many were planning to update policies.
The majority of mobile use in a clinical environment was to access non-PHI information.
Two thirds of the respondents noted that they could access clinical data off-site with approved security.
Inadequate privacy and security was the barrier to the use of mobile technology at their organization most frequently identified by survey respondents.
About half of respondents noted that their organization supported BYOD for daily work activities.
Passwords were the dominant element of system security.
Encryption
Encryption is essential in protecting patients' PHI along the entire chain of responsibility. For example, a physician accepts patient-reported health data via email and responds to the patient via email. The patient-reported data is now the responsibility of the provider to secure as protected (covered) PHI. The communication from the provider to the client is also protected and must be secure. If the physician decides to store the PHI online, the covered organization should consider using encryption as a means to protect the data in the event of a breach. Encryption is one of the best tools to secure PHI; in the event that the media that houses the PHI is compromised, the encrypted PHI is still safe. We must remember that the need to protect PHI is the same for mobile or other systems. Many obstacles, such as on-board storage or processing power, present only a few months ago, are no longer issues. The latest mobile devices have 4G transmitters that can receive over 20 Mb/s and house quad-core 1.4GHz processors with up to 1 GB RAM and 64GB of storage. By the time this document is posted, this may seem obsolete.
To summarize, the power needed in a mobile device is no longer an issue that needs to be discussed.
Recommendations
Develop a recommendation on the type of encryption that should be utilized (Advanced Encryption Standard, or AES).
Develop recommendations for transmission of PHI (Secure Sockets Layer, or SSL; virtual private network, or VPN).
Define PHI to clarify what protection is needed and when.
Develop best practices for encryption use.
Develop an international approach to security.
Develop export recommendations for US companies. It is a violation of Department of Commerce rules to export products with symmetric algorithms using keys of more than 64 bits.
Develop guidelines for documenting procedures and policies for securing PHI data.
Note: The majority of encryption guidelines are the same for both mobile and non-mobile, with one exception: export laws. It is illegal to export software from the US that is stronger than 64-bit, per the Department of Commerce.
Code (Software) and Architecture: Who Writes Software and What about Security?
Currently, almost anyone from anywhere, at almost any age, can write and publish an app onto the Web. Apple's developer age limit is 13 years old; however, there have been younger children submitting apps under their parents' accounts. A mother of a 12-year-old told me that she set up a developer's account with Apple for her son, under her name. We should not be concerned with the age of the developer; instead, the concern should be directed at what is produced and the transparency of the developer. Currently, there are no requirements for skill, age, knowledge, credentials, or cited documents that support app development.
Recommendations
Develop guidelines for developers, including standards for acceptance specific to healthcare.
Develop peer review standards for apps and software.
Develop standards for proving efficacy.
Security
The majority of apps on the market today provide little or no security, and many of the users are unaware of this shortcoming. Some of the leading apps, which display users' PHI, do not even have a password to secure access.
Recommendations
Develop guidelines on securing PHI for software and hardware.
Develop guidelines for transmitting and storing PHI.
Develop testing requirement guidelines.
Develop policies and procedures (most important).
Consumer Sites
Medical apps are available from many sources, including smartphone manufacturer sites such as Apple's iTunes, Google Play, and Windows Phone. Android apps, unlike those for the other phones, are available from multiple locations, including Google Play, Amazon, and developers' websites. Rules and regulations of distribution, which are provided by these sites, are produced for all apps and are not clinical in nature. Security and efficacy are the responsibility of the developer, providing little oversight except unskilled consumer reviews/opinions. There is no oversight of the reviewer, leaving the consumer very exposed to biased, unqualified opinions.
Recommendations
Develop an efficacy plan/guidelines for consumer apps. An efficacy plan is a means to assist developers in building apps on cited studies. A number of organizations are looking to establish guidelines to inform consumers of (1) the review of apps by an independent body and (2) guidelines that are readily understandable by the consumer.
Medical Devices
The FDA defines a medical device as "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them;
Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or
Intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."
State laws and regulations must also be considered when developing medical apps. State laws can and do differ from FDA rulings, as well as from those of other states. It is prudent for developers to understand the laws of the states to which they are marketing. Software apps as medical devices are new, untested ground for medical regulatory agencies. Several federal agencies were vying for the responsibility to monitor and regulate apps until July 9, 2012, when Congress gave the FDA jurisdiction over apps in the Food and Drug Administration Safety and Innovation Act (FDASIA). Medical Device Data Systems (MDDS) is a newly identified FDA Class 1 medical device, which affects many of the apps on the market today. The classification covers systems that transport medical data from a classified medical device (e.g., downloading glucose monitoring data from a monitoring device). It also covers
apps that display medical data that is collected from a classified medical device (e.g., Microsoft HealthVault is a classified medical device [Class 1], and by default, apps that connect to HealthVault and display data collected by HealthVault also fall under the classification of a Medical Device Data System, a Class 1 medical device). There are many apps on the market today that are disregarding this requirement for classification. It is only a matter of time until the FDA begins to enforce this requirement and issue fines. Note: The reference to HealthVault was made to illustrate the relationship between classified FDA medical devices and consumer apps.
Recommendations
Define within the mHIMSS guidelines the FDA requirements.
Set up a subcommittee to monitor FDA activity as it pertains to mHealth.
Follow and report on the standardizing of A/V files and formats.
Develop a standard for transferring and storing of files.
Policy Challenges
Bring Your Own Device (BYOD)
BYOD is not a new concept: employees have been bringing their laptops to their workplaces for many years. The clear impact to organizations is the number of devices that require access to the healthcare network. No longer is it just employees demanding access; patients, visitors, and guests are now vying for network resources. As more devices are added to the network, the more exposure an organization has to intrusion. The challenge is to provide a balanced solution for all stakeholders. BYOD policies need to be crafted explicitly for the facility and its users. Smartphone app usage can also increase liability, compromise privacy, and add load to the network. In the soon-to-be-published (March 2013) HIMSS book on security and protecting organizations, Jeff Brandt illustrates the following guidelines for BYOD policies:
Access and authorization:
Who: Who are you allowing on the network?
What: Which devices are you allowing on the network (this will be a moving target as new devices are introduced)? What apps will have access to the network?
Where: What are the boundaries and far-reaching arms of remote networks (e.g., can providers reach the network from remote sites on their own devices)? How powerful is the WiFi signal, and how far away from the building can it be accessed? Is there video capability in the operating room or emergency department?
When: Consider time-of-day usage per user profile (e.g., the human resources department has access from 9:00am-6:00pm only). Are visitors allowed access to the network beyond visiting hours?
How many: Connections have real costs associated with them, such as support and bandwidth. Your plan needs to consider limiting the number of guest users on your network at one time and permitted usage (e.g., streaming music and video).
Recommendation
Develop guidelines and best practices to support BYOD policies.
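The BYOD strategy list earlier in this section (trust model, guest policies, priority and preemption) and the who/what/where/when/how-many questions just above describe the policy only in prose. The following Go program is an added example, not code from the mHIMSS Roadmap or from the HIMSS book it cites: it encodes one constructed facility policy (the human resources 9:00am-6:00pm window from the text, a clinician profile, a capped visitor profile) and evaluates admission requests against it, returning a reason keyed to the policy question so the access log can be audited against the written policy. The role names, device ids and app names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// AccessRequest is what the admission point knows about one connection attempt.
type AccessRequest struct {
	User     string
	Role     string // "physician", "hr", "guest", ...
	DeviceID string // MDM enrollment id; empty for an unmanaged visitor device
	App      string
	OnSite   bool // false = arriving over the remote/VPN path
	At       time.Time
}

// RolePolicy answers the where/when/what questions for one user profile.
type RolePolicy struct {
	StartHour, EndHour int             // allowed window [StartHour, EndHour); 0 and 24 = any time
	RemoteAllowed      bool            // may this profile reach the network from off-site?
	NeedsManagedDevice bool            // must the device be MDM-enrolled (profiles that touch PHI)?
	Apps               map[string]bool // apps permitted to reach the network
}

// BYODPolicy is one facility's policy; the values in ExamplePolicy are constructed, not real.
type BYODPolicy struct {
	ManagedDevices map[string]bool
	Roles          map[string]RolePolicy
	GuestCap       int // concurrent guest sessions ("how many")
	guestsOnline   int
}

func ExamplePolicy() *BYODPolicy {
	return &BYODPolicy{
		ManagedDevices: map[string]bool{"mdm-0001": true, "mdm-0002": true},
		Roles: map[string]RolePolicy{
			// clinicians: any hour, remote permitted, PHI apps only from managed devices
			"physician": {StartHour: 0, EndHour: 24, RemoteAllowed: true, NeedsManagedDevice: true,
				Apps: map[string]bool{"ehr-viewer": true, "secure-msg": true}},
			// human resources: on-site, 9:00am-6:00pm only (the Roadmap's own example)
			"hr": {StartHour: 9, EndHour: 18, NeedsManagedDevice: true,
				Apps: map[string]bool{"payroll": true}},
			// visitors: internet only, visiting hours only, unmanaged devices, capped
			"guest": {StartHour: 9, EndHour: 20, Apps: map[string]bool{"internet": true}},
		},
		GuestCap: 2,
	}
}

// Admit evaluates one request; the first failing check decides, and the reason
// names the policy question (who/what/where/when/how many) for the access log.
func (p *BYODPolicy) Admit(r AccessRequest) (bool, string) {
	rp, ok := p.Roles[r.Role]
	if !ok {
		return false, "who: unknown role " + r.Role
	}
	if rp.NeedsManagedDevice && !p.ManagedDevices[r.DeviceID] {
		return false, "what: device not enrolled in MDM"
	}
	if !rp.Apps[r.App] {
		return false, "what: app " + r.App + " not permitted for role"
	}
	if !r.OnSite && !rp.RemoteAllowed {
		return false, "where: remote access not permitted for role"
	}
	if h := r.At.Hour(); h < rp.StartHour || h >= rp.EndHour {
		return false, fmt.Sprintf("when: outside %02d:00-%02d:00 window", rp.StartHour, rp.EndHour)
	}
	if r.Role == "guest" {
		if p.guestsOnline >= p.GuestCap {
			return false, "how many: guest capacity reached"
		}
		p.guestsOnline++
	}
	return true, "allowed"
}

// Release returns a guest slot when that session ends.
func (p *BYODPolicy) Release(r AccessRequest) {
	if r.Role == "guest" && p.guestsOnline > 0 {
		p.guestsOnline--
	}
}

func main() {
	p := ExamplePolicy()
	day, night := time.Date(2013, time.March, 4, 10, 0, 0, 0, time.UTC), time.Date(2013, time.March, 4, 22, 30, 0, 0, time.UTC)
	for _, r := range []AccessRequest{
		{"dr.lee", "physician", "mdm-0001", "ehr-viewer", false, night},
		{"dr.lee", "physician", "tablet-x", "ehr-viewer", true, day},
		{"visitor1", "guest", "", "internet", true, day},
		{"visitor2", "guest", "", "internet", true, day},
		{"visitor3", "guest", "", "internet", true, day},
	} {
		ok, why := p.Admit(r)
		fmt.Printf("%-9s %-9s %-10s allowed=%-5v %s\n", r.User, r.Role, r.DeviceID, ok, why)
	}
}
```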
HIPAA
HHS states: "The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety." There is a lot of confusion around HIPAA guidelines and who has to abide by them. The HIPAA Privacy and Security Rules apply only to covered entities. These entities include healthcare providers (doctors, clinics, etc.), health plans, and healthcare clearinghouses (processors of non-standard health data). If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule. The University of Miami Miller School of Medicine states that HIPAA has two main goals, as its name implies: Portability: ensuring that health insurance is portable when persons change employers; and Accountability: making the healthcare system more accountable for costs, trying especially to reduce waste and fraud (i.e., save money). HIPAA states: "To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled. It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."
Storage of PHI
Secure storage of PHI is the legal mandate that patients and their families have entrusted to healthcare organizations. It is the duty of developers, vendors, and organizations to extend this trust relationship and guarantee that patients' health data is not compromised. The process of securing PHI goes lockstep with strong policies and procedures, as well as enforcement. The second part of securing PHI is the use of technical barriers and security solutions such as encryption, the best and only way to ensure that PHI is safe.
Recommendations
PHI should be encrypted utilizing AES128.
PHI should remain encrypted at all times (except when in use), regardless of whether it is on a device or not.
HITECH
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules:
Consent (informed)
HIPAA consent ruling: Standards for Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164]
International standards
Breach Reporting
The Breach Notification Rule is covered by the HITECH Act (see below). The regulations and notification instructions can be found on the HHS website.
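The Storage of PHI recommendations above (AES128, encrypted at all times except when in use) and the earlier Encryption section state the control without showing it. The following Go program is an added example, not code from the mHIMSS Roadmap: it seals a constructed sample record under AES-128-GCM, binds the patient identifier as associated data so a stored record cannot be re-filed under another patient without detection, and decrypts only at the point of use. Key generation, storage and access control for the key (a KMS, HSM or MDM-managed keystore) are assumed to exist outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedPHI is the only form that is written to disk or sent to a server:
// the per-record nonce plus the ciphertext, which carries GCM's 16-byte
// authentication tag. No plaintext PHI is ever persisted in this form.
type EncryptedPHI struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewPHIKey returns a fresh 128-bit key (AES128, as the Roadmap recommends).
// Where the key lives and who may use it is a key-management question that
// this example leaves to the surrounding system (assumption).
func NewPHIKey() ([]byte, error) {
	key := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, errors.New("AES128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals one record. GCM provides integrity as well as
// confidentiality, so a modified record fails to open instead of decrypting
// to garbage. The patient identifier is passed as associated data: it stays
// readable for indexing but is cryptographically bound to the ciphertext.
func EncryptPHI(key []byte, patientID string, plaintext []byte) (EncryptedPHI, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return EncryptedPHI{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedPHI{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(patientID))
	return EncryptedPHI{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPHI opens a record at the moment of use. Any failure (wrong key,
// wrong patient, flipped bit) is reported as one generic error so the caller
// does not learn which check failed.
func DecryptPHI(key []byte, patientID string, rec EncryptedPHI) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(patientID))
	if err != nil {
		return nil, errors.New("PHI record failed authentication")
	}
	return pt, nil
}

func main() {
	key, err := NewPHIKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a patient-reported glucose reading, not real data.
	rec, err := EncryptPHI(key, "MRN-000123", []byte("2013-03-04 07:10 glucose 142 mg/dL"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form: nonce=%x ct=%x\n", rec.Nonce, rec.Ciphertext)

	pt, err := DecryptPHI(key, "MRN-000123", rec)
	fmt.Printf("in use: %q err=%v\n", pt, err)

	// Re-filing the record under another patient is detected.
	_, err = DecryptPHI(key, "MRN-000999", rec)
	fmt.Println("wrong patient:", err)

	// A single flipped ciphertext bit is detected.
	rec.Ciphertext[0] ^= 0x01
	_, err = DecryptPHI(key, "MRN-000123", rec)
	fmt.Println("tampered:", err)
}
```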
Laws that govern providers worldwide may differ in many ways. International organizations set uniform guidelines for providers. One example is consent: after World War II, the Nuremberg Code of 1947 set guidelines on informed consent, followed by the Declaration of Helsinki.
Recommendation
Develop a subcommittee to track international health laws and guidelines as they pertain to mHealth.
Best Practices/Resources
Healthcare best practices provide consistently well-performing guidelines and methods that can serve as trusted benchmarks to develop and evaluate systems.
The standards organization HL7 International covers multiple segments of mobile health and other healthcare security standards. They recently formed a workgroup for mobile health and are working on many initiatives, including collaborating with mHIMSS. They publish security information on their website and wiki, Cookbook for Security Considerations.
Center for Internet Security
Center for Democracy and Technology; Best Practices for Mobile Application Developers
Open Web Application Security Project (OWASP) is a not-for-profit open source organization that focuses on improving software security worldwide. All material is free to use under open source licensing. Their projects include initiatives focused on many aspects of security, including:
- Programming languages
- Testing tools
- Legal
- Others
Telehealth Resource Centers (TEC) and CA-TEC
The following best practices for mHealth are provided by the Department of Homeland Security:
- Purchase only those networkable medical devices which have well-documented and fine-grained security features available, and which the medical IT network engineers can configure safely on their networks.
- Include in purchasing vehicles vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy.
- Operate well-maintained external-facing firewalls, network monitoring techniques, intrusion detection techniques, and internal network segmentation containing the medical devices, to the extent practical.
- Configure access control lists (ACLs) on these network segments so only positively authorized accounts can access them.
- Establish strict policies for the connection of any networked devices, particularly wireless devices, to the Health Information Network (HIN), including laptops, tablets, USB devices, PDAs, smartphones, etc., such that no access to networked resources is provided to unsecured and/or unrecognized devices.
- Establish policies to maintain, review, and audit network configurations as routine activities when the medical IT network is changed.
- Use the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network.
- Implement safe and effective, but legal, patch and software upgrade policies for medical IT networks which contain regulated medical devices.
- Secure communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel.
- Have and enforce password policies to protect patient information.
after proper identification on the patient and while preserving data integrity.
9. Mobile devices are capable of detecting/protecting against breaches of patient data. Lost/stolen devices are capable of remote wiping, destroying, or rendering the patient data unreadable.
10. All medical apps/portable computing devices store and transmit data using industry-recognized interoperability/data portability standards.
- Downloading of MDM to all devices that access the network
- All phones must have remote wiping software installed
- Require or implement electronic inventory of devices
- Create and manage password policies
Policies
Policies are the best tools for protecting organizations' and patients' PHI. The following is a list of mobile app policies that should be implemented in healthcare organizations:
- Restrict access of jailbroken or rooted phones to the network
- Encrypt all HIPAA-covered data stored on mobile devices and during transmission
- State terms and conditions of network and app use
- All phones must have remote wiping software installed
- If MDM is utilized, a provision of use must be included in the terms and conditions
- Develop user ID and password policies
- Utilize an authentication schema for all apps that display or store PHI
Passwords on mobile devices offer management challenges that are different from those of conventional wired devices. NIST provides a draft Guideline to Enterprise Password Management that is also valid for mobile devices.
- Activate the auto lock feature; set the timeout for no longer than ten minutes
- Develop a policy governing password complexity; strive for a balance between security and annoyance
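A policy compliance check over a constructed MDM device inventory, added here as an example (not mHIMSS or vendor code): it encodes the controls listed above (no jailbroken or rooted phones on the network, PHI encrypted at rest, remote wipe installed, MDM enrollment, auto lock timeout of no longer than ten minutes, password complexity) and returns findings per device. The record field names, the minimum passcode length of 8, and the sample devices are assumptions.

```python
"""Mobile-device policy compliance check (added example, not mHIMSS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_AUTOLOCK_MINUTES = 10   # page: timeout "no longer than ten minutes"
MIN_PASSCODE_LENGTH = 8     # assumption: the page asks for complexity, not a length


@dataclass
class Device:
    device_id: str                 # field names are assumptions for this example
    jailbroken_or_rooted: bool
    storage_encrypted: bool        # PHI at rest encrypted (page: AES128)
    remote_wipe_enabled: bool
    mdm_enrolled: bool
    autolock_minutes: Optional[int]  # None = auto lock not activated
    passcode_min_length: int
    passcode_requires_mixed: bool  # letters plus digits/symbols enforced


def evaluate(d: Device) -> List[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    if d.jailbroken_or_rooted:
        findings.append("jailbroken/rooted device: deny network access")
    if not d.storage_encrypted:
        findings.append("stored PHI not encrypted")
    if not d.remote_wipe_enabled:
        findings.append("remote wipe software not installed/enabled")
    if not d.mdm_enrolled:
        findings.append("device not enrolled in MDM")
    if d.autolock_minutes is None or d.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        findings.append("auto lock off or timeout longer than ten minutes")
    if d.passcode_min_length < MIN_PASSCODE_LENGTH or not d.passcode_requires_mixed:
        findings.append("passcode complexity below policy")
    return findings


def network_admission(devices: List[Device]) -> Dict[str, bool]:
    """device_id -> whether the device may reach PHI resources (no findings)."""
    return {d.device_id: not evaluate(d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE = [
    Device("phone-A", False, True, True, True, 5, 8, True),
    Device("phone-B", True, True, True, True, 5, 8, True),
    Device("tablet-C", False, True, False, True, 15, 6, False),
    Device("phone-D", False, False, True, False, None, 8, True),
]
```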
BYOD Policies
Some of the policies that should be considered are the following:
- Develop employee and guest access policies
- Policies should be presented to guests each time they get access; e-signatures should be required verifying that they have read and agreed to the terms and conditions
Future Considerations
Technology is ever changing, and the need for new and updated policies shall continue. For example, the Federal Health IT Policy Committee met on October 3, 2012 to fine-tune Meaningful Use Stage 3 regulations, and one question is whether users of EHRs should require an additional authentication factor beyond two-factor authentication (e.g., username and password for Stage 3 of Meaningful Use).1
Big Data
Big data, or the collecting, filtering, and analyzing of huge amounts of health data, is going to change the way that healthcare is delivered in the world (for example, storing the population's genome data to assist doctors with diagnosis based on patient-reported sensor data). The amount of data that has to be securely stored as a covered entity is about to explode in size. At the recent StrataRX Conference in San Francisco, one of the speakers referred to yottabytes of health data (10^24). We are creating 5 exabytes (10^18) of data every 48 hours. The production of data of this magnitude opens more challenges to privacy and security in the management of volume, devices, and storage. Staff skills are a significant challenge to support this data growth. New skills and training will be needed as these changes near the healthcare horizon. Big data may be the next inflection point in healthcare. Vinod Khosla, co-founder of Sun Microsystems and an investor in health technology, shocked the audience at the StrataRX Conference when he said this about big data: "Technology will replace 80% of doctors." Regardless of whether you believe his statement or not, big money is flowing into big data for healthcare, and this will bring change. Much of this data will be patient-reported data that has not traditionally been a part of the patient's record. A significant part of this data will be collected and transmitted via mobile devices. The smartphone is the ubiquitous choice to act as a patient service point or body server, responsible for aggregating and transmitting the patient-reported data. New challenges shall quickly arise as the uses of big data infiltrate healthcare: new data types, different collection points, additional reporting mechanisms, and additional privacy and security concerns. These are just a few examples of the transitions in healthcare that big data will spawn. We must stay ahead of the curve.
De-identification
De-identification of PHI is part of the HIPAA ruling and ARRA. "De-identification is a risk management exercise," states David Houlding, Lead Architect of Healthcare Privacy and Security at Intel. If your organization is planning to store, transmit, or share data, you will need to make de-identification part of your risk assessment strategy.
Recommendations
- Risk management should be added to mHIMSS best practices
- Develop best practices for policies concerning PHI security
- Suggest websites and documentation to assist organizations in developing risk management strategies
Authors
Jeffrey L. Brandt
Comsi; Co-author: HIMSS publication mHealth: Smartphones to SmartSystems; @jeffbrandt
Stacie Durkin
Durkin & Associates
Staff Liaisons
Lisa Gallagher
Senior Director, Informatics, HIMSS
Mike Kroll
Associate Manager, Informatics, HIMSS
References
1. mHealth Task Force Findings and Recommendations: Improving care delivery through enhanced communications among providers, patients, and payers. September 2012. www2.itif.org/2012-mhealthtaskforce-recommendations.pdf
2. Wang H, Liu J. Mobile Phone Based Health Care Technology. Recent Patents in Biomedical Engineering. 2009; Volume 2; pp. 15-21.
3. CompTIA's 3rd Annual HIT Insights and Opportunities study. Accessed September 15, 2012. /members/research/allreports/3rdAnnualHealthcareITInsightsandOpportunities.aspx
4. MobiHealthNews. Accessed September 15, 2012. http://mobihealthnews.com/14206/remote-patient-monitors-post-fastestgrowing-revenues/
5. Remote & Wireless Patient Monitoring Markets; Kalorama Information. Accessed September 15, 2012. http://www.marketresearch.com/Kalorama-Information-v767/Remote-Wireless-PatientMonitoring-2645944/
6. Vitera Healthcare EHR Solutions and Mobile Technologies Study. http://www.viterahealthcare.com/company/Pages/pr_ViteraHealthcareSolutionsStudyIndicatesThattheMajorityofHealthcareProfessionalsAreInterestedinaMobileEHRSolution.aspx
7. Istepanian R, Jovanov E, Zhang YT. Introduction to the special section on M-Health: beyond seamless mobility and global wireless healthcare connectivity. IEEE Transactions on Information Technology in Biomedicine. 2004; 8(4):405-414.
8. Lamminmäki E, Pärkkä J, Hermersdorf M, Kaasinen J, Samposalo K, Vainio J, Kolari J, Kulju M, Lappalainen R, Korhonen I. Wellness diary for mobile phones. Proceedings of the 3rd EMBEC Conference, Prague, Czech Republic; November 20-25, 2005.
9. comScore, Inc. 01/2012.
10. Merriam-Webster Dictionary. An application, or a component of an interface, that enables a user to perform a function or access a service.
11, 12. Definition of PHI. UC Berkeley Research Administration and Compliance. Accessed October 1, 2012. http://cphs.berkeley.edu/hipaa/hipaa18.html
13. Department of Commerce. Commercial Encryption Export Controls. Accessed September 4, 2012. http://www.bis.doc.gov/encryption/encfaqs6_17_02.html
14, 15. Herzig T. Information Security in Health Care: Managing Risk. Chicago: HIMSS; 2010.
16. Department of Health and Human Services. Health Information Privacy. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
17. Department of Health and Human Services. HIPAA. http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html
18. Department of Health and Human Services. HITECH Act Enforcement Interim Final Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
19. Health Breach Notification Rule, Final Rule. FTC 16 CFR Part 318. August 25, 2009. http://www.ftc.gov/os/2009/08/R911002hbn.pdf
20. Senator Franken. The Protect Our Health Privacy Act of 2012. Accessed 9/3/12. http://www.franken.senate.gov/files/documents/120627_Protect_Health_Privacy_Summary.pdf
21. Martin G. CE Marking and Mobile Medical Software Apps. BSI America. Accessed September 3, 2012.
22. Office of the Data Protection Commissioner. EU Directive 95/46/EC, The Data Protection Directive. http://www.dataprotection.ie/viewdoc.asp?docid=89
23. Mobile Medical Applications.
24. Herzig T. Information Security in Health Care: Managing Risk. Chicago: HIMSS; 2010.
25. Health Information Privacy. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/deidentificationworkshop2010.html