
New Care Models | Technology | ROI Payment | Legal and Policy | Standards and Interoperability | Privacy and Security

6 Privacy and Security

Contents

- Introduction 6-02
- Overview of Current State 6-02
- Medical Device Regulations 6-04
- Telehealth 6-04
- Health and Wellness Services / Applications 6-05
- Bring Your Own Device (BYOD) 6-05
- Benchmarking and Potential Goals for Privacy and Security 6-06
- Future or Proposed State of Privacy and Security for mHealth 6-06
- Current State of Organizational Readiness 6-07
- Use Cases, Emerging and Best Practices 6-07
- Medical Apps: Definition 6-08
- Consumer Sites 6-09
- Patient-reported Data: The Integration of Consumer Data into EMR 6-09
- Medical Devices 6-09
- Telehealth and Monitoring 6-10
- Policy Challenges 6-10
- Breach Reporting 6-11
- Legal Policies and Regulations 6-11
- Best Practices/Resources 6-12
- mHIMSS Privacy and Security Best Practices 6-12
- Other Resources for Best Practices 6-13
- Policy, Mandates, and Regulations 6-13
- Proposed Future State 6-14
- Strategies, Priorities, and Recommendations for Action 6-14
- Future Considerations 6-15
- Risks and Mitigation Strategies 6-15
- Measuring & Benchmarking 6-15
- Authors 6-16
- References 6-16

mHIMSS Roadmap 6-01
Introduction

Privacy and security are the backbone of trust in healthcare. The mHIMSS Roadmap goal is to provide resources to help healthcare organizations and vendors protect patients' privacy and enable a secure environment. Mobile health (mHealth) data presents a greater challenge to maintain security; however, it must still comply with HIPAA mandates, Food and Drug Administration (FDA) regulations, Office for Civil Rights (OCR) enforcement, and requirements from other governing agencies, as does the non-mobile health sector. Privacy and security in a mobile environment are, by nature, more of a challenge than data stored behind firewalls and concrete. However, many of the same rules apply to mHealth as in the enterprise environment. We need to remember that the only difference between a personal computer (PC), an enterprise server, and a smartphone is size. For the majority of the breaches that are reported today, the thief just carried the equipment out the door or nabbed the device from a car seat. Size plays very little role in protecting the data. Privacy and security in healthcare involve a process that must be navigated to reach our destination of protecting the patient, providers, organizations, and vendors. The navigation process is complex and ever changing because of outside influences, such as legislation, politics, crime, and technology. The mHIMSS Roadmap is our navigation tool of goals and the pathway of our organization.

Topics covered in this section of the Roadmap include:

- Impact of Medical Device Regulations
- Bring Your Own Device Concerns
- Benchmarking and Potential Goals
- Patient Reported Data
- Breach Notifications

Overview of Current State

The terms mobile and wireless are used interchangeably when referring to devices, even though their formal definitions are different. Mobile refers to the ability to provide untethered functionality. A mobile device is anything that can be used on the move and unwired, ranging from WiFi-enabled laptops and mobile phones to wireless devices that can communicate via Federal Communications Commission (FCC)-allocated frequencies. If the location of the connected device is not fixed, it is considered mobile. When voice and data are transmitted over radio waves, it is considered wireless. A mobile device in a fixed location can access the wireless network; that is, a physical connection to the network is not required for connectivity. Wireless devices include anything that uses a wireless network to either send or receive data. Wireless is a subset of mobile, but in many cases an application can be mobile without being wireless. The FCC mHealth Task Force recently defined mHealth: "mHealth traditionally stands for mobile health. This Task Force adopted the term more broadly to refer to mobile health, wireless health, and e-care technologies that improve patient care and the efficiency of healthcare delivery."[1] Mobile smartphone apps (applications) provide many functions that require security and privacy (for example, mobile banking, password storage, personal health records [PHRs], and mobile payments). Legislation, such as the Sarbanes-Oxley Act, governs corporate security and privacy. The Payment Card Industry Data Security Standard (PCI DSS) provides guidelines for the credit card industry. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health


Act (HITECH) provide the governance over healthcare privacy and security. These laws and guidelines cross the boundaries of healthcare and impact compliance responsibility. As mobile technology emerges in healthcare, it brings significant changes in healthcare delivery, increased engagement of patients, and financial efficiencies in healthcare.[2] Mobile technology can give providers a closer-to-real-time view of patients and their conditions. mHealth provides the opportunity to improve medical system efficiencies and clinical outcomes by engaging patients in chronic disease management and medication compliance, and by extending healthcare access to the underserved (i.e., closing the Digital Divide). Handheld devices (pads, tablets, smartphones, tablet PCs, and handheld scanners) use an array of messaging techniques, including short messaging service (SMS/TXT), general packet radio service (GPRS), the global positioning system (GPS), short-range Bluetooth, ANT+, and wider-range third- and fourth-generation mobile telecommunications known as 3G and 4G. According to a recent industry study,[3] 38% of physicians use health-related mobile apps daily on smartphones or tablets, and that number is expected to increase above 50% within the next year. A study from Manhattan Research found that 71% of physicians surveyed already consider a smartphone essential to their practice. The remaining 70% of apps are directly engaging the consumer; this is also referred to as consumer facing, according to GlobalData, a New York-based market research firm. The growing senior population in the US is driving advances in remote patient monitoring. The senior segment represented 13% of the US population in 2010 and is expected to reach 20.7% by 2050.[4] Chronic disease is more prevalent in our senior population.

The point of care is shifting, and wireless remote patient monitoring provides the ability to monitor a patient in his or her own environment, thus giving healthcare providers an extended, more inclusive view of the patient. Implementing remote patient monitoring can provide cost-cutting intervention and many benefits, especially when incorporating remote patient-reported device data with electronic health records (EHRs). Advances in remote patient monitoring include new peripherals, real-time audio and video for face-to-face interaction between clinicians and patients, wireless communication, systems that sort the vast amount of data collected in order to put it into the context of a patient's condition, portable and ambulatory monitors, web-based access to the patient record, systems that transfer data to an electronic medical record (EMR), and full-service outsourcing that includes a clinician to evaluate data and send a report to the attending physician, according to a summary of remote patient monitoring by a market research firm.[5]

Wireless Patient Monitoring Equipment

Wireless patient monitoring equipment covers a vast array of products. Wireless can be mobile or stationary. Handheld wireless patient monitoring devices include a wide range of products that provide physicians with data that supports diagnosis, consulting, monitoring, and treatment. Mobile administrative apps include products to streamline healthcare workflow and improve efficiency for better patient care. Other products include apps available on pads/tablets, smartphones, personal digital assistants (PDAs), and tablet PCs. Hardware includes passive and active radio frequency identification (RFID) tags and readers, scanners, and MBAN sensors, to name a few. Active patient monitoring devices are normally deemed an FDA Class II Medical Device. It is recommended that companies developing these types of products contact a medical device advisor and/or the FDA to determine if their product needs Premarket Notification 510(k) and Premarket Approval. Many of the FDA requirements concern labeling, and this labeling can be the difference between needing a 510(k) or not. For example, a company develops an app to monitor consumers' hearts. If the app is marketed as a device that could assist a doctor in diagnosing a heart problem, the app will most likely have to have a 510(k) classification. If the same app is marketed as a device for personal use for monitoring one's heart, and warnings are provided that this app is not a medical device and should not replace a doctor, then the app will most likely not be classified as a medical device by the FDA. Note: The FDA has tools and guidance on its website to assist developers with these issues.

Healthcare Applications on Mobile Devices

The increased use of smartphones, pads, and tablets to achieve a physician's daily tasks drives adoption of mobile devices. This adoption of devices impacts providers' medical record choices and selections and ultimately security choices. Mobile functionality is a higher priority for early-adopter and tech-savvy providers, but is now moving to the more general population of physicians. Physicians are now using mobile devices for routine office activities such as maintaining schedules and signing off on prescriptions. However, this is quickly changing: a survey by EHR vendor Vitera Healthcare shows that nine of ten doctors would like to be able to access EHRs on their mobile devices. The new non-tethered Cloud EHRs will become more prevalent in the near future and most likely replace many first-generation EHRs. Some EHR vendors are providing secure products to notify patients of laboratory results and changes in


medications via secure email or secure (not telecom carrier) SMS/TXT sent directly to patients' cell phones. One workflow example: patients receive an email or SMS indicating that a new message or a lab result is available to view within the provider's secure patient portal. A system that utilizes SMS/TXT must not use standard telecom delivery systems because they are not secure; a HIPAA-compliant system must be sending these messages. SMS/TXT messages are asynchronous and do not provide guaranteed delivery. Another issue that needs to be considered is ambient or vicinity privacy. Many times cellphones are not secure and often are shared between friends, acquaintances, and family members. We must consider the content that is being delivered to the phone and the environment in which the phone is used to determine if the content is appropriate for this type of retrieval.

Medical Device Regulations

The mobile medical device market is experiencing an explosion of software solutions, apps (i.e., smartphone applications, see below) that potentially offer new modalities of care, blurring the distinction between the more traditional provision of clinical care by physicians and the self-administration of care and well-being. Mobile medical devices are reaching the next generation of development. The healthcare industry recognizes a greater need for a regulatory framework that will govern development, promotion, and use. The regulations by which healthcare is governed are quite different from those for commercial industry. To those unfamiliar, medical device regulations can appear complex and burdensome, even a hindrance to innovation and product development. However, patients' health, well-being, and right to privacy mandate these stringent regulations. Development of mobile medical applications is opening new and innovative ways for technology to improve health and healthcare. Apps that allow medical professionals and patients to access already publicly available material, or perform administrative tasks, are not regulated. However, regulators are indicating that other types of mobile medical apps should be regulated. FDA-classified apps should be developed, manufactured, and supported in compliance with regulations. On July 19, 2011, the FDA announced its proposed official action, including defining mobile medical applications (MMA) that are subject to FDA action. The FDA defines an MMA as a software application that can be executed (run) on a mobile platform, or a web-based software application that is tailored to a mobile platform but is executed on a server, where that software already meets the general definition of a medical device as found in 210(h) of the Federal Food, Drug, and Cosmetic (FD&C) Act. There are three categories of apps identified:

- Apps for the purpose of displaying, storing, analyzing, or transmitting patient-specific medical device data, i.e., data that originated from a classified medical device: a Medical Device Data System (MDDS), Class I.
- Apps that transform or make a mobile platform into a regulated medical device [...] or [perform] similar medical device functions.
- Apps that allow the user to input patient-specific information and, using formulae or a processing algorithm, output a patient-specific result, diagnosis, or treatment recommendation that is used in clinical practice or to assist in making clinical decisions.

For more information on the legal definitions of MDDS, see the policy section of the mHIMSS Roadmap.

Telehealth

Telehealth, as defined by the Department of Health and Human Services (HHS), is: "The use of electronic information and telecommunications technologies to support remote clinical health care, patient and professional health-related education, public health and health administration." Telehealth enables collaboration of healthcare professionals to provide healthcare services across a variety of settings and distances. Telemedicine usage ranges from synchronous video chat between a patient and a doctor, to conferencing between doctors, to conferencing between doctors and allied health professionals (e.g., nutritionists, physical therapists), to providing live or recorded presentations to groups of patients, all of whom are geographically separated. But telehealth, currently being used worldwide, still faces challenges. The primary obstacle to widespread adoption of telemedicine is provider reimbursement. Currently, each episode of care is monetized; the more visits, the higher the cost. The accountable care organization (ACO) model as illustrated in the American Care Act incentivizes providers to see patients in a number of convenient ways (e.g., in person or via email, SMS, TXT, video chat, or data transfer). Alternative communication methods can be helpful for both parties in terms of time, convenience, and care access. Telehealth privacy and security are governed by HIPAA and HITECH. Just as patients are protected in encounters within the walls of a health facility, so they are in remote telehealth sessions.


Health and Wellness Services / Applications

Currently, consumer health and wellness services/applications are largely based on using mobile phones as user PCs. Historically, the mobile device's processing power has been slow at the user interface, producing a sluggish user experience. This is changing with the availability of the faster 3G and 4G communication standards. Smartphones are becoming ubiquitous. In January 2012 there were more than 100 million smartphones in the US alone. The consumer app choices include the following:

- Use of mobile platforms (phones, tablets, portable entertainment devices) to access health and wellness information, track personal health conditions, and interact with care professionals and care organizations;
- Use of mobile apps and widgets[10] for health-related purposes;
- Motivational factors, satisfaction, and unmet needs when consumers use mHealth apps and solutions;
- Use of Web 2.0 tools and mobile social networking solutions for health-related purposes;
- Interest in mobile-based care solutions, services, and apps, as well as willingness to spend for these offerings; and
- Games being developed to improve overall health and well-being.

These apps are available primarily from the phone manufacturers' online stores, such as Google Play or iStore. Soon patients will be able to obtain health apps directly from their doctors or insurance companies via their own online stores.

Bring Your Own Device (BYOD)

Providers and patients initiated the consumerization of health IT by driving the adoption of consumer technologies in the healthcare enterprise. However, employees have been bringing devices such as laptops and mp3 players to the workplace and accessing company networks for many years. The amount and types of devices are growing at an unprecedented rate. Today there are many different types of devices that have the ability to access the network. The volume of guests requesting access has also changed, from children with their own smartphones and electronic game devices to retirees with WiFi tablets. Bring-your-own-device (BYOD) is one of the more dramatic results of consumer preference, rather than corporate initiative. However, many of these technologies were not developed with enterprise requirements in mind. Currently, health IT staff may lack the knowledge or experience associated with enterprise mobile security and privacy. The enterprise requires a well-defined risk management strategy with which to govern devices, application deployment, and daily management. In recent comments, HHS posted a warning against employing a BYOD strategy that stated, "If IT administrators don't implement the correct mobile device for the right job or are slow to integrate [mobile devices] into the workplace, they run the risk that employees may use their personal mobile devices to perform their duties. If a healthcare professional uses a personal device such as a smart phone, tablet or USB device to access patient information, at risk for theft or accidental loss of the device is patient information on an unencrypted or protected device that is not password protected."

Though this statement is valid, organizations have the opportunity to preempt security issues with the proactive approach of enacting policies and procedures to control access. An organization's BYOD strategy for privacy and security should include the following:

- Device choices: Do you support all devices, and do you understand the privacy and security implications of each?
- Trust model or risk assessment
- Liability
- Sustainability
- User experience and privacy (e.g., agreements, signature, opt-in)
- App design and governance
- Economics
- Internal marketing
- Employee (user) training
- Cost and budget
- Traffic and bandwidth considerations
- Guest policies
- Up-to-date terms and conditions in electronic form
- Priority and preemption

BYOD holds tremendous advantage for organizations as a way of reducing costs. For example, if employees purchase their own devices and use them at work, there is a saving of capital equipment, support, and maintenance. However, the true value of a well-designed BYOD program is increasing provider and employee satisfaction, productivity, and rapid adoption of technology across the enterprise.


Use Case: Providing Network Access for a Visiting Caregiver

Problem: On the first day of the locum physician's assignment at a local hospital, she brings her personal laptop, smartphone, and tablet and requests access to the network.

Policy objectives:

- Control access; provide access when appropriate
- Provide terms and conditions of usage
- Mobile device management (MDM)
- Secure control of access to patients' personal health information (PHI)
- Multiple guest devices to support

IT objectives:

- Control access via technology
- Provide caregivers access to do their job
- Protect the network and PHI
- Monitor who and what is on the network
- Determine the locum physician's network needs as they relate to her job

Benchmarking and Potential Goals for Privacy and Security

The ultimate goal of privacy and security is to provide as much effort as needed to protect patients' PHI from a breach or from being compromised. This is a tall order to strive for; however, technology and policies make it possible and highly probable. Patient privacy is based on and protected by HIPAA. UC Berkeley summarizes PHI as any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment, or operations. The benchmark for privacy must be 100% secure PHI. Electronic security restraints are always changing as computers become faster and have a better capability of breaking encryption. As hackers become more skilled in finding new vulnerabilities in both software and hardware, a once-secure platform of protection can be compromised. Testing is an organization's tool to benchmark and locate vulnerabilities in systems.

Recommendations

- Develop guidelines for protection of PHI;
- Develop guidelines and examples of test plans for testing PHI. This should include software and hardware systems and devices; and
- Develop acceptance and regression testing guidelines.

Future or Proposed State of Privacy and Security for mHealth

To envision the future of security and privacy in mHealth, follow the money, politics, and culture. Although no one is a good predictor of the future, privacy and security remain the same, whether digital or paper, stationary or mobile, or protecting patients' PHI. The extent of protection depends on what individuals and cultures demand. The US, France, and others have stringent demands concerning security, while other countries are more lax in their efforts. There are many issues that surround this discrepancy, e.g., political, payment systems, and culture. There is also the perception of security that surrounds how we live. Most of us get into cars or walk down the sidewalk without a second thought to security. However, perceptions do change without warning, as do security and privacy needs. The point is that privacy and security are a fluid force that must be constantly monitored and scrutinized. During a conversation at the StrataRX Conference with John Mattison, CMIO of Kaiser, he mentioned the possibility of utilizing avatars to provide proxies for identification, a concept of disassociating a person's true identity or persona with one or more symbols (avatars). In the event of a breach, the proxy persona could be deleted.

Overview of Current State

In 2011, nearly all of the 164 respondents participating in the 1st Annual HIMSS Mobile Technology Survey indicated that clinicians in their organizations accessed information via a mobile device, with laptop computers and computers/workstations on wheels (COWs/WOWs).


Additionally, a wide variety of other professionals, including executives and support staff, were using mobile devices to perform daily activities. Key results of the survey include:

- Respondents believed that the mobile technology environment was very immature.
- Tools were needed to secure devices.
- Policies were very wide in coverage, though many were planning to update policies.
- The majority of mobile use in a clinical environment was to access non-PHI information.
- Two thirds of the respondents noted that they could access clinical data off-site with approved security.
- Inadequate privacy and security was the barrier to the use of mobile technology at their organization most frequently identified by survey respondents.
- About half of respondents noted that their organization supported BYOD for daily work activities.
- Passwords provided the dominant element of system security.

Current State of Organizational Readiness

According to an mHIMSS annual mobile survey, only 73% of healthcare facilities use data encryption. Only 52% utilized remote wiping capabilities on their mobile devices. These results do not provide a clear view into the readiness of organizations; however, they do show a trend towards security. Organizations indicated that passwords are used by 92% to protect devices; however, passwords provide very little protection for actually securing data. The primary method to protect PHI is by encrypting the PHI. This is a major concern when there are so many storage devices containing PHI that just disappear from healthcare facilities, causing breaches. The key survey results show that there is more work to be done in the area of mobile security at the organizational level. Mobile technology connecting to the Cloud is expected to increase as the need to retrieve app and sensor data increases. These platforms accelerate the ease of updating remote client software, increasing deployment of new features and enhancing security of PHI by storing data in the Cloud rather than on mobile devices.

Use Cases, Emerging and Best Practices

Technology Challenges

The challenge that we face in healthcare today is the accelerated rate with which mobile technology is changing healthcare. The movement from paper records to digitalized records via the EHR has opened the door to use patient data as never before. This is not a phenomenon that is exclusive to the US. The challenge is to keep abreast of the latest trends and momentum in technology.

Encryption

Encryption is essential in protecting patients' PHI along the entire chain of responsibility. For example, a physician accepts patient-reported health data via email and responds to the patient via email. The patient-reported data is now the responsibility of the provider to secure as protected (covered) PHI. The communication from the provider to the client is also protected and must be secure. If the physician decides to store the PHI online, the covered organization should consider using encryption as a means to protect the data in the event of a breach. Encryption is one of the best tools to secure PHI; in the event that the media that houses the PHI is compromised, the encrypted PHI is still safe. We must remember that the need to protect PHI is the same for mobile or other systems. Many obstacles, such as on-board storage or processing power, present only a few months ago, are no longer issues. The latest mobile devices have 4G transmitters that can receive over 20 Mb/s and house quad-core 1.4 GHz processors with up to 1 GB RAM and 64 GB of storage. By the time this document is posted, this may seem obsolete.
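The encryption-at-rest point above, together with the survey finding in the previous section that passwords alone do very little to secure stored data, can be made concrete. The following Go program is an example added to this edition, not code from the mHIMSS Roadmap or from any vendor product. It seals a constructed, fictional PHI record with AES-256-GCM so that the stored blob is both confidential and tamper-evident, and it binds each blob to a record identifier so that a ciphertext cannot be swapped between records. The function names, the record layout, and the record-id format are assumptions. The caveat the passage leaves implicit is carried in the code: the encrypted PHI on a lost device stays safe only if the key is not stored alongside it, so the key here is generated and held separately from the blob rather than written next to it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. This is the secret that must
// stay off the device's bulk storage (in a key store, or unlocked by the
// user's credential); the ciphertext on disk is useless without it.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealPHI encrypts and authenticates one PHI record with AES-256-GCM.
// recordID is bound as associated data, so a blob copied from one record
// into another fails to open. Output layout: nonce || ciphertext || tag.
func SealPHI(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; GCM nonces must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenPHI reverses SealPHI. Any modification of the blob, a wrong key, or a
// mismatched recordID yields an error rather than garbled plaintext.
func OpenPHI(key, blob []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("integrity check failed: wrong key, tampered blob, or wrong record id")
	}
	return pt, nil
}

// LostDeviceCheck models the breach scenario in the text: the storage blob is
// in a thief's hands but the key is not. It reports whether the blob opens
// under a key the thief does not have (stood in for by a second random key).
func LostDeviceCheck(blob []byte, recordID string) (bool, error) {
	wrongKey, err := NewDataKey()
	if err != nil {
		return false, err
	}
	_, err = OpenPHI(wrongKey, blob, recordID)
	return err == nil, nil
}

func main() {
	// Constructed sample record; every value is fictional.
	record := []byte("name=Jane Example;dob=1970-01-01;dx=E11.9;hba1c=7.2")
	const recordID = "pt-0001/2012-09-01" // assumed identifier format

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealPHI(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (%d plaintext + nonce + tag)\n", len(blob), len(record))

	opened, _ := LostDeviceCheck(blob, recordID)
	fmt.Println("opens without the key:", opened)

	pt, err := OpenPHI(key, blob, recordID)
	fmt.Println("authorized open:", err == nil && string(pt) == string(record))
}
```

In a deployment the data key would be obtained from a key store or derived from the user's unlock credential (the "password" the survey respondents rely on) instead of being generated in main, and it would never be written beside the blob; the nonce is drawn fresh for every record because reusing one under the same key breaks GCM's guarantees.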

s Crews St

17th

Betel S

e Prescott St
Lanier Dr

SC

Kin

10

th

Riggan St Elizabeth St

St

Elizabeth St

St

cott

th

Pre Pres

12

gg
Hawthor
y Tracy S

St

St

ull Cu NC

an Jacinto

ark

g Ct

16th

Montgome

St t d d d d d d d d d d d d d d d d d St dS ard ard pard

rez St

Ho How

ito St

annan St

unbar St

h s Spo istu em Chr al-M d spit Ho Blv tal spi Ho

St

ncis Fra

Lake St

dley St

ns

mo St

ora St

ry Ma

St

anki Ran mR Sam

n St

Ct ham Cts Gris ham Gris

Wainwrig

Guadalu

Waco St

t
Burnet St

mHIMSS Roadmap

Halsey

ard

Tarlt

St

Goliad

Nogale

Co

6-07

St

St

Pres

Nim

lema

Boli

w vie Bay ery Old etery C Cem

Be

nA

d Bel

Te Tem Par eP ple k

et Burnet St

itt D

Andrews Dr

gg Twi

Burnet St

Blu che r St

N Ca

NU

r ppe

e N Low

S 19th

St

Blu

Loritte

S Sch

St

Keys

Law

Tw

che

Star

17

Tre

Ju

Peo

New Care Models

teChNology

roI payMeNt

legal aNd polICy

staNdards aNd INteroperabIlIty

Privacy and Security

To summarize, the power needed in a mobile device is no longer an issue that needs to be discussed Recommendations

Medical Apps: Definition


Though not a definition of a medical app, the FDA states, Consumers use mobile medical applications to manage their own health and wellness which in some instances includes apps Health care professionals are using these applications to improve and facilitate patient care These applications include a wide range of functions from allowing individuals to monitor their calorie intake for healthy weight maintenance to allowing doctors to view a patients x-rays on their mobile communications device Many media sources have mentioned the everincreasing number of medical apps on the market today Though these numbers seem to be staggering, we must place these findings into context Companies like Apple and Google create a lot of buzz by tossing out these public-relations-based statistics Although the app is self-proclaimed by the developer to be a health app, that is not always reflective of the functionality of the app Currently, there is no consistent formal definition of a health app within the industry The FDA does define a medical device However, the majority of manufacturerclassified health apps are not medical devices and many have little to do with clinical or even personal health App developers should be versed on the FDA law on labeling This is an issue that can lead the developer into problems with the FDA

Develop a recommendation on the type of encryption that should be utilized (Advanced Encryption Standard or AES) Develop recommendations for transmission of PHI (secure socket layer, or SSL; virtual private network or VPN) Define PHI to clarify what protection is needed and when Develop best practices for encryption use Develop an international approach to security Develop export recommendation for US companies It is a violation of the Department of Commerce to export products with symmetric algorithms with more than 64 bits keys Develop guidelines for documenting procedures and policies for securing PHI data Note: the majority of encryption guidelines are the same for both mobile and non-mobile with one exception: export laws It is illegal to export software from the US that is stronger than 64bit, per the Department of Commerce

son, under her name We should not be concerned with the age of the developer; instead, the concern should be directed at what is produced and the transparency of the developer Currently, there are no requirements for skill, age, knowledge, credentials, and cited documents that support app development Recommendations

Develop guidelines for developers, including standards for acceptance specific to healthcare Develop peer review standards for apps and software Develop standards for proving efficacy

Security
The majority of apps on the market today provide little or no security and many of the users are unaware of this shortcoming Some of the leading apps, which display users PHI, do not even have a password to secure access Recommendations

Develop guidelines on securing PHI for software and hardware Develop guidelines for transmitting and storing PHI Develop testing requirement guidelines Develop policies and procedures (most important)

Target Market: Consumers


The mHealth consumer market is predicted to explode, leading to the marketing of more apps to all healthcare stakeholders As with the provider market, it is difficult to provide an accurate count of true medical apps The definition of a medical app is ambiguous at best For example, Epocrates is known to be one of the best provider apps made However, Epocrates is a content app that displays data, the same data that could be viewed via a mobile browser Should this be classified as a medical app or online documentation?

Code (Software) and Architecture: Who Writes Software and What about Security?
Currently, almost anyone from anywhere, at almost any age can write and publish an app onto the Web Apples developer age limit is 13 years old; however, there have been younger children submitting apps under their parents accounts A mother of a 12 year old told me that she set up a developers account with Apple for her
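As an added example (not code from the Roadmap or from any vendor it mentions), the following Go program shows what the Encryption and Security sections above ask for on the device: PHI encrypted at rest with AES in GCM mode, so that a lost device or a lifted storage chip yields only ciphertext, and so that any tampering with the stored record is detected on read. The record format, the patient identifier, the sample reading and the assumption that the key lives in the platform keystore are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// PHIRecord is a constructed, hypothetical reading as an app holds it in memory.
type PHIRecord struct {
	PatientID string // bound to the ciphertext as authenticated data, not encrypted
	Plaintext []byte // e.g. a JSON blob of readings
}

// Sealed is what lands on the device's storage: nonce plus ciphertext, the
// latter carrying GCM's 16-byte authentication tag. The key is deliberately
// not here; on a real device it belongs in the platform keystore (assumption).
type Sealed struct {
	PatientID  string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh random AES key: 16 bytes for AES-128, 32 for AES-256.
func NewKey(size int) ([]byte, error) {
	if size != 16 && size != 32 {
		return nil, errors.New("key size must be 16 (AES-128) or 32 (AES-256) bytes")
	}
	key := make([]byte, size)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record under a fresh random nonce. Reusing a nonce with
// the same key breaks GCM, so a new one is drawn from crypto/rand per record.
func Seal(key []byte, rec PHIRecord) (Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	ct := aead.Seal(nil, nonce, rec.Plaintext, []byte(rec.PatientID))
	return Sealed{PatientID: rec.PatientID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies. A flipped bit, a wrong key, or a ciphertext
// re-attached to another patient's ID all yield an error, never corrupted PHI.
func Open(key []byte, s Sealed) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, []byte(s.PatientID))
}

func main() {
	key, err := NewKey(32)
	if err != nil {
		panic(err)
	}
	// Constructed sample reading; not real patient data.
	rec := PHIRecord{PatientID: "patient-0001", Plaintext: []byte(`{"glucose_mg_dl":142,"taken":"2013-03-01T08:15:00Z"}`)}
	sealed, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, sealed)
	fmt.Printf("stored %d bytes; decrypts ok: %v; plaintext: %s\n", len(sealed.Ciphertext), err == nil, pt)

	tampered := sealed // simulate one flipped bit in the stored file
	tampered.Ciphertext = append([]byte(nil), sealed.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Println("tampered record rejected:", err != nil)

	moved := sealed // simulate the ciphertext copied into another patient's record
	moved.PatientID = "patient-0002"
	_, err = Open(key, moved)
	fmt.Println("re-attached record rejected:", err != nil)
}
```

Two things a lock-screen password alone does not give you are visible here: the stored bytes are unreadable without the key, and the patient ID is bound to the ciphertext as authenticated data, so a record cannot be silently re-attached to another patient. The key must be generated and held separately (platform keystore, or derived from the user's credential); storing it beside the ciphertext reduces the scheme to the password-only protection the survey paragraph warns about.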


Consumer Sites
Medical apps are available from many sources, including platform stores such as Apple's iTunes App Store, Google Play, and the Windows Phone Store. Android apps, unlike those for the other platforms, are also available from multiple other locations, including Amazon and developers' own websites. The distribution rules provided by these stores apply to all apps and are not clinical in nature. Security and efficacy are left to the developer, with little oversight beyond unskilled consumer reviews and opinions. There is no oversight of the reviewer, leaving the consumer exposed to biased, unqualified opinions.

Patient-reported Data: The Integration of Consumer Data into EMR

Electronic patient-reported data is a new frontier in patient-centric care, and very little work has been done to address the associated issues. The majority of apps on the market today provide no method to securely export the health data they collect; a few provide a feature that lets the user email their data to a provider, insecurely. One reason providers are reluctant to accept patient-reported data is HIPAA liability and their responsibility to secure patient data once they hold it. A primary issue with importing patient-reported data into an EMR is how to identify the collector of the data: EMRs are designed to store clinical data entered by providers, not patient-reported data. The Health Level 7 (HL7) organization is working on initiatives to label patient data so that the two can be differentiated, and on modern protocols better suited to the mobile environment, notably Fast Healthcare Interoperability Resources (FHIR). Filtering and aggregating the possible deluge of incoming patient-reported data is a growing concern as more sensors become available for remote monitoring. For example, the patient is an 85-year-old woman with co-morbidities; she uses several health smartphone apps and connected biosensors (ECG, CHF, images, and a diabetes monitor), and the collected data is uploaded automatically to the physician's EHR.

Recommendations
- Provide guidelines for patient-reported data for EMR integration.

Medical Devices
The FDA defines a medical device as "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them; intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes." State laws and regulations must also be considered when developing medical apps. State laws can and do differ from FDA rulings, as well as from other states; it is prudent for developers to understand the laws of the states in which they market. Software apps as medical devices are new, untested ground for medical regulatory agencies. Several federal agencies were vying for the responsibility to monitor and regulate apps until July 9, 2012, when Congress enacted the Food and Drug Administration Safety and Innovation Act (FDASIA), which directs the FDA, in consultation with ONC and the FCC, to propose a risk-based regulatory framework for health IT, including mobile medical apps. Medical Device Data Systems (MDDS) is a newly identified FDA Class I device category that affects many of the apps on the market today. The classification covers systems that transfer, store, convert, or display medical data from a classified medical device (e.g., downloading glucose monitoring data from a meter). It also covers apps that display medical data collected from a classified medical device (e.g., Microsoft HealthVault is registered as a Class I medical device, and by default apps that connect to HealthVault and display data collected by HealthVault also fall under the MDDS Class I classification). Many apps on the market today are disregarding this requirement for classification. It is only a matter of time until the FDA begins to enforce the requirement and issue fines. Note: the reference to HealthVault was made to illustrate the relationship between FDA-classified medical devices and consumer apps.

Recommendations
- Define within the mHIMSS guidelines the FDA requirements.
- Set up a subcommittee to monitor FDA activity as it pertains to mHealth.

Education and Monitoring

Consumers' awareness and knowledge of privacy and security vary widely and are influenced by the abundance of political and corporate rhetoric surrounding healthcare privacy and security. Education and awareness campaigns are an effective way to help consumers understand and trust health privacy and security measures, and monitoring these efforts serves as a barometer of consumers' attitudes toward these issues.

Recommendations
- Develop an efficacy plan and guidelines for consumer apps. An efficacy plan is a means of helping developers build apps on cited studies. A number of organizations are looking to establish guidelines that inform consumers of (1) the review of apps by an independent body, and (2) guidelines that are readily understandable by the consumer.

Telehealth and Monitoring

IMS Research forecasts that more than 50 million wireless health monitoring devices will ship for consumer monitoring applications during the next five years, with a smaller number used in managed telehealth systems (i.e., associated with managed care). Active patient monitoring requires FDA Class II classification and 510(k) clearance, a costly and time-consuming process.

Integration of Patient-reported Data into EMR

Patient-reported data, information that is not collected by a physician or a licensed medical provider, is an important part of patient-centric care. Several EMR vendors claim to have integrated telehealth data into their EMR, but little is known about the formats of these stored files. Many EHRs can import files into a patient's electronic record; it is possible to use this facility to store files (audio/video) exported by telehealth systems.

Recommendations
- Follow and report on the standardization of A/V files and formats.
- Develop a standard for transferring and storing such files.

Policy Challenges
Bring Your Own Device (BYOD)
BYOD is not a new concept: employees have been bringing their laptops to their workplaces for many years. The clear impact on organizations is the number of devices that require access to the healthcare network. No longer is it just employees demanding access; patients, visitors, and guests are now vying for network resources. The more devices are added to the network, the more exposure an organization has to intrusion. The challenge is to provide a balanced solution for all stakeholders. BYOD policies need to be crafted explicitly for the facility and its users. Smartphone app usage can also increase liability, compromise privacy, and add load to the network. In the soon-to-be-published (March 2013) HIMSS book on security and protecting organizations, Jeff Brandt illustrates the following guidelines for BYOD policies, framed as access and authorization questions:
- Who: who are you allowing on the network?
- What: which devices are you allowing on the network (a moving target as new devices are introduced)? What apps will have access to the network?
- Where: what are the boundaries and far-reaching arms of remote networks (e.g., can providers reach the network from remote sites on their own devices)? How powerful is the Wi-Fi signal and how far from the building can it be accessed? Is there video capability in the operating room or emergency department?
- When: consider time-of-day usage per user profile (e.g., the human resources department has access from 9:00am-6:00pm only). Are visitors allowed access to the network beyond visiting hours?
- How many: connections have real costs associated with them, such as support and bandwidth. Your plan needs to consider limiting the number of guest users on the network at one time and the permitted usage (e.g., streaming music and video).

Recommendation
- Develop guidelines and best practices to support BYOD policies.
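Returning to the patient-reported data discussion above (the Patient-reported Data section and Integration of Patient-reported Data into EMR), here is an added example, not code from the Roadmap, HL7 or any EMR vendor, of the two steps those sections describe: labelling each incoming reading with its source before import, and filtering the sensor deluge down to something a physician can act on. It uses a minimal subset of the FHIR Observation resource; the provenance tag system URL, the alert ranges, the device and patient identifiers and every reading are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"strings"
)

// Minimal subset of the FHIR R4 Observation resource. Go field names match the
// FHIR JSON names case-insensitively, which is all encoding/json needs to decode.
type Ref struct{ Reference string }
type Coding struct{ System, Code string }
type Observation struct {
	ID, EffectiveDateTime string
	Meta                  struct{ Tag []Coding }
	Code                  struct{ Coding []Coding }
	Subject               Ref
	Performer             []Ref
	Device                *Ref
	ValueQuantity         struct{ Value float64 }
}

// Hypothetical tag system with which the importing EMR marks data provenance.
const (
	SourceTagSystem  = "http://example.org/fhir/CodeSystem/data-source"
	PatientReported  = "patient-reported"
	ClinicianEntered = "clinician-entered"
)

// ClassifySource decides who produced a reading from Observation.performer,
// falling back to Observation.device for unattended home sensors. A reading
// with no attributable source is an error: the EMR must not chart it.
func ClassifySource(o Observation) (string, error) {
	src := ""
	for _, p := range o.Performer {
		switch {
		case strings.HasPrefix(p.Reference, "Practitioner/"), strings.HasPrefix(p.Reference, "Organization/"):
			return ClinicianEntered, nil // a licensed performer outranks a patient co-performer
		case strings.HasPrefix(p.Reference, "Patient/"), strings.HasPrefix(p.Reference, "RelatedPerson/"):
			src = PatientReported
		}
	}
	if src == "" && o.Device != nil && o.Device.Reference != "" {
		src = PatientReported
	}
	if src == "" {
		return "", fmt.Errorf("%s: no performer or device, cannot attribute source", o.ID)
	}
	return src, nil
}

// LabelForImport rejects readings that are malformed or belong to another
// patient, then stamps the rest with a provenance tag before they reach the chart.
func LabelForImport(o Observation, patientID string) (Observation, error) {
	if len(o.Code.Coding) == 0 {
		return o, fmt.Errorf("%s: no observation code", o.ID)
	}
	if o.Subject.Reference != "Patient/"+patientID {
		return o, fmt.Errorf("%s: subject %q is not the expected patient", o.ID, o.Subject.Reference)
	}
	src, err := ClassifySource(o)
	if err != nil {
		return o, err
	}
	o.Meta.Tag = append(o.Meta.Tag, Coding{System: SourceTagSystem, Code: src})
	return o, nil
}

// ProcessFeed runs the pipeline over a JSON array of Observations: label each
// reading, reject what cannot be attributed, and reduce the patient-reported
// stream to a per-code [min, max] so the physician gets an alert, not every
// sample. ranges holds the clinic's (hypothetical) [low, high] limits per code.
func ProcessFeed(raw []byte, patientID string, ranges map[string][2]float64) (labelled []Observation, rejected []error, alerts []string, err error) {
	var in []Observation
	if err = json.Unmarshal(raw, &in); err != nil {
		return nil, nil, nil, err
	}
	minmax := map[string][2]float64{}
	for _, o := range in {
		l, e := LabelForImport(o, patientID)
		if e != nil {
			rejected = append(rejected, e)
			continue
		}
		labelled = append(labelled, l)
		if l.Meta.Tag[len(l.Meta.Tag)-1].Code != PatientReported {
			continue // clinician entries chart as-is
		}
		code, v := l.Code.Coding[0].Code, l.ValueQuantity.Value
		mm, seen := minmax[code]
		if !seen {
			mm = [2]float64{v, v}
		}
		minmax[code] = [2]float64{math.Min(mm[0], v), math.Max(mm[1], v)}
	}
	for code, r := range ranges {
		if mm, ok := minmax[code]; ok && (mm[0] < r[0] || mm[1] > r[1]) {
			alerts = append(alerts, code)
		}
	}
	sort.Strings(alerts)
	return labelled, rejected, alerts, nil
}

// SampleFeed is constructed data for the scenario in the text (LOINC 2339-0
// blood glucose, 8867-4 heart rate, 29463-7 body weight; all values invented).
const SampleFeed = `[
{"resourceType":"Observation","id":"obs-1","code":{"coding":[{"system":"http://loinc.org","code":"2339-0"}]},"subject":{"reference":"Patient/85f-0001"},"performer":[{"reference":"Patient/85f-0001"}],"device":{"reference":"Device/glucometer-1"},"effectiveDateTime":"2013-03-01T08:15:00Z","valueQuantity":{"value":142,"unit":"mg/dL"}},
{"resourceType":"Observation","id":"obs-2","code":{"coding":[{"system":"http://loinc.org","code":"2339-0"}]},"subject":{"reference":"Patient/85f-0001"},"performer":[{"reference":"Patient/85f-0001"}],"device":{"reference":"Device/glucometer-1"},"effectiveDateTime":"2013-03-01T18:40:00Z","valueQuantity":{"value":268,"unit":"mg/dL"}},
{"resourceType":"Observation","id":"obs-3","code":{"coding":[{"system":"http://loinc.org","code":"8867-4"}]},"subject":{"reference":"Patient/85f-0001"},"device":{"reference":"Device/ecg-patch-1"},"effectiveDateTime":"2013-03-01T09:00:00Z","valueQuantity":{"value":72,"unit":"/min"}},
{"resourceType":"Observation","id":"obs-4","code":{"coding":[{"system":"http://loinc.org","code":"29463-7"}]},"subject":{"reference":"Patient/85f-0001"},"performer":[{"reference":"Practitioner/dr-0042"}],"effectiveDateTime":"2013-02-27T10:30:00Z","valueQuantity":{"value":61.5,"unit":"kg"}},
{"resourceType":"Observation","id":"obs-5","code":{"coding":[{"system":"http://loinc.org","code":"2339-0"}]},"subject":{"reference":"Patient/other-0007"},"performer":[{"reference":"Patient/other-0007"}],"effectiveDateTime":"2013-03-01T08:20:00Z","valueQuantity":{"value":110,"unit":"mg/dL"}},
{"resourceType":"Observation","id":"obs-6","code":{"coding":[{"system":"http://loinc.org","code":"8867-4"}]},"subject":{"reference":"Patient/85f-0001"},"effectiveDateTime":"2013-03-01T11:00:00Z","valueQuantity":{"value":140,"unit":"/min"}}
]`

func main() {
	ranges := map[string][2]float64{"2339-0": {70, 250}, "8867-4": {50, 120}} // hypothetical limits
	labelled, rejected, alerts, err := ProcessFeed([]byte(SampleFeed), "85f-0001", ranges)
	fmt.Println("imported:", len(labelled), "rejected:", rejected, "alerts:", alerts, "err:", err)
}
```

On the constructed feed, four readings are imported with a source tag, two are rejected (one belongs to a different patient, one has no performer or device and so cannot be attributed), and the only alert raised is for glucose, because the rejected heart-rate reading of 140 never reaches the aggregation step. Rejecting unattributable data before it is charted is the point of the HL7 labelling effort the text describes: a reading that cannot be traced to a person or a device has no place in a record that clinicians will act on.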


Medical Apps Policy Challenges

Medical apps, and apps in general, can expose protected data and compromise an organization. Since smartphones are employees' property and often their only telecommunications device, the phones present an ongoing challenge in the workplace. Currently, smartphones have storage capacity of up to 64 GB, making it possible to copy off a significant amount of information quickly. Many organizations limit what an employee can download onto company-owned devices. Organizations may want to consider developing a whitelist of apps that have been declared safe for use.

Storage of PHI
Secure storage of PHI is the legal mandate that patients and their families have entrusted to healthcare organizations. It is the duty of developers, vendors, and organizations to extend this trust relationship and guarantee that patients' health data is not compromised. Securing PHI goes in lockstep with strong policies and procedures, as well as their enforcement. The second part of securing PHI is the use of technical barriers and security solutions such as encryption, the best way to ensure that PHI on a lost or stolen device stays unreadable.

Recommendations
- PHI should be encrypted using AES-128 or stronger.
- PHI should remain encrypted at all times except when in use, regardless of whether it is on a device or not.

Breach Reporting
The Breach Notification Rule is covered by the HITECH Act (see below). The regulations and notification instructions can be found on the HHS website.

Legal Policies and Regulations

This section of the Roadmap covers laws and regulations as they pertain to the privacy and security of healthcare IT. Though not an exhaustive list, it focuses on highlighting recently drafted federal legislation. Individual state policies, regulation, and legislation are beyond the scope of this document.

HIPAA
HHS states: "The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety." There is a lot of confusion around HIPAA guidelines and who has to abide by them. The HIPAA Privacy and Security Rules apply to covered entities: healthcare providers (doctors, clinics, etc.), health plans, and healthcare clearinghouses (processors of non-standard health data). Since the HITECH Act, business associates that create, receive, maintain, or transmit PHI on a covered entity's behalf (which can include app and cloud vendors) are directly subject to the Security Rule and to the relevant Privacy Rule provisions as well. An entity that is neither a covered entity nor a business associate does not have to comply with the Privacy Rule or the Security Rule. The University of Miami Miller School of Medicine states that HIPAA has two main goals, as its name implies: Portability, ensuring that health insurance is portable when persons change employers; and Accountability, making the healthcare system more accountable for costs, trying especially to reduce waste and fraud (i.e., save money). HIPAA states: "To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled ... It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."

HITECH
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Related provisions and standards:
- Consent (informed): the HIPAA consent provisions.
- Standards for Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164].
- International standards (see below).


International Standards
Laws that govern providers worldwide may differ in many ways. International organizations set uniform guidelines for providers. One example is consent: after World War II, the Nuremberg Code of 1947 set guidelines on informed consent, followed by the Declaration of Helsinki.

Recommendation
- Develop a subcommittee to track international health laws and guidelines as they pertain to mHealth.

Best Practices/Resources
Healthcare best practices provide consistently well-performing guidelines and methods that can serve as trusted benchmarks for developing and evaluating systems.

mHIMSS Privacy and Security Best Practices

The goal of mHIMSS is to provide a list of privacy and security best practices to assist developers and healthcare organizations in better managing their devices.
1. Encryption: PHI should be encrypted with AES-128 or AES-256 when stored or transmitted. (US export controls on encryption, administered by the Department of Commerce's Bureau of Industry and Security under the EAR, no longer impose a 64-bit key ceiling on mass-market products; confirm current EAR obligations before exporting.)
2. Risk assessment: risk management starts with a risk assessment; guidelines for a risk assessment can be found on healthit.gov.

Recommendation
- Host and update the mHIMSS best practices on a regular basis.

HIMSS Mobile Toolkit

The HIMSS Mobile Security Toolkit assists healthcare organizations and security practitioners in managing the security of their mobile computing devices. HIMSS has also produced several toolkits that can assist organizations with their policy and strategy development.

Breach Notification Rule

The Federal Trade Commission's (FTC) Health Breach Notification Rule covers vendors of personal health records (PHRs), PHR-related entities, and their third-party service providers that are not already covered by HIPAA. Under the final rule, a PHR vendor or PHR-related entity must notify each individual whose information was breached without unreasonable delay and no later than 60 calendar days after discovery, and must notify the FTC (within 10 business days when 500 or more individuals are affected). There are additional obligations for PHR vendors (see the Final Rule).

ONC Mobile Initiative

The Office of the National Coordinator for Health Information Technology (ONC) launched a Privacy & Security Mobile Device project as part of its mHealth initiative. In its press release "Privacy and Security Mobile Device Good Practices Project Launched," ONC stated that its goal is to develop an effective and practical way to bring awareness and understanding to those in the clinical sector to help them better secure and protect health information while using mobile devices (e.g., laptops, tablets, and smartphones).


Other Resources for Best Practices

- HL7 International: the standards organization covers multiple segments of mobile health and other healthcare security standards. It recently formed a workgroup for mobile health and is working on many initiatives, including collaboration with mHIMSS. It publishes security information on its website and wiki, including the "Cookbook for Security Considerations".
- Center for Internet Security.
- Center for Democracy and Technology: "Best Practices for Mobile Application Developers".
- Open Web Application Security Project (OWASP): a not-for-profit open source organization focused on improving software security worldwide. All material is free to use under open source licensing. Its projects include initiatives on many aspects of security, including programming languages, testing tools, legal issues, and others.
- Telehealth Resource Centers (TEC) and CA-TEC.
- Department of Homeland Security: the following best practices for mHealth are provided by DHS:
  - Purchase only those networkable medical devices which have well-documented and fine-grained security features available, and which the medical IT network engineers can configure safely on their networks.
  - Include in purchasing vehicles vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy.
  - Operate well-maintained external-facing firewalls, network monitoring, intrusion detection, and internal network segmentation containing the medical devices, to the extent practical. Configure access control lists (ACLs) on these network segments so that only positively authorized accounts can access them.
  - Establish strict policies for the connection of any networked devices, particularly wireless devices, to the Health Information Network (HIN), including laptops, tablets, USB devices, PDAs, smartphones, etc., such that no access to networked resources is provided to unsecured and/or unrecognized devices.
  - Establish policies to maintain, review, and audit network configurations as routine activities whenever the medical IT network is changed.
  - Use the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network.
  - Implement safe and effective, but legal, patch and software upgrade policies for medical IT networks that contain regulated medical devices.
  - Secure communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of the channel.
  - Have and enforce password policies to protect patient information.

Policy, Mandates, and Regulations

mHealth has inspired many new governmental and private initiatives, policies, mandates, and regulations. These guidelines are being produced by agencies of numerous governments and by for-profit and not-for-profit organizations throughout the world. One example of US legislation is the draft of Senator Franken's Protect Our Health Privacy Act of 2012, which would require all covered entities to encrypt portable devices that store protected health information. One guideline with the potential to directly affect mobile medical devices is the FDA's "Draft Guidance for Industry and Food and Drug Administration Staff - Mobile Medical Applications". HIMSS's Legal and Regulatory Group covers government and healthcare industry policies, with a focus on privacy and security initiatives. Europe's CE marking for medical devices is covered in the Medical Device Directive 93/42/EEC, and the European Commission DG Enterprise and Industry's MEDDEV 2.1/6 provides guidelines for the qualification and classification of standalone software used in healthcare within the regulatory framework of medical devices. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 covers the protection of individuals with regard to the processing of personal data and the free movement of such data.


Proposed Future State

Technical
1. Mobile medical applications are defined by the FDA as software programs that run on smartphones and other mobile communications devices [23]. Apps are downloaded and used on mobile devices in hospital, enterprise, and small-provider organizations only after review and approval by IT staff for appropriate security features.
2. Medical apps are developed according to best practices for app security.
3. Currently, medical apps selected and used by patients are the patients' responsibility to ensure that they protect privacy and are secure.
4. It is proposed that all PHI be encrypted on all portable devices and that this be standard practice when storing data on the devices.
5. If a medical app is recommended or prescribed by a provider, the app should fall under the same review and approval process as illustrated above.
6. Medical devices contain state-of-the-art security controls, and these features are disclosed to potential purchasers using the latest Manufacturer Disclosure Statement for Medical Device Security (MDS2) form.
7. Medical devices include an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory, as defined by the FDA. This definition has been extended to include software and medical apps.
8. Telehealth/monitoring apps are able to integrate patient data into patients' medical records only after proper identification of the patient and while preserving data integrity.
9. Mobile devices are capable of detecting and protecting against breaches of patient data. Lost or stolen devices are capable of being remotely wiped, destroyed, or rendered unreadable.
10. All medical apps and portable computing devices store and transmit data using industry-recognized interoperability and data portability standards.

Policies
Policies are the best tools for protecting organizations and patients' PHI. The following is a list of mobile app policies that should be implemented in healthcare organizations:
- Restrict access of jailbroken or rooted phones to the network.
- Encrypt all HIPAA-covered data stored on mobile devices and during transmission.
- State terms and conditions of network and app use.
- All phones must have remote wiping software installed.
- If MDM is utilized, a provision of use must be included in the terms and conditions.
- Develop user ID and password policies.
- Utilize an authentication scheme for all apps that display or store PHI.
- Download MDM to all devices that access the network.
- Require or implement an electronic inventory of devices.
- Create and manage password policies.

Passwords on mobile devices present management challenges different from those of conventional wired devices. NIST provides a draft Guide to Enterprise Password Management (SP 800-118) that also applies to mobile devices. Activate the auto-lock feature, with a timeout of no longer than ten minutes. Develop a policy governing password complexity, striving for a balance between security and annoyance.

Strategies, Priorities, and Recommendations for Action


Privacy and security is front-of-mind for most stakeholders of healthcare and governing agencies Mobile has come to the forefront, driven by consumers and the opportunities to reduce costs and engage patients more in their own health The value placed on privacy and security is enormous and the call for action is now We first shall prioritize the tasks listed in the Roadmap, draft a strategy, and develop the tactics to deliver In order to best serve our members, we will start with guidelines to govern privacy and security strategy in organization

BYOD Policies
Some of the policies that should be considered are the following: Develop employee and guest access policies Policies should be presented to guests each time they get access; e-signatures should be required verifying that they have read and agreed to the terms and conditions
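The BYOD and mobile app policies above only protect PHI if they are actually checked against the device inventory they call for. The following is an added example (not code from the mHIMSS Roadmap or from any MDM product) that expresses those policies as code and evaluates a constructed MDM inventory export against them, producing an allow/deny decision per device that could feed a network access control rule. The record fields, the six-character passcode floor, the sample devices and the per-app authentication flag are assumptions made for this example.

```python
"""Policy-as-code evaluation of a mobile device inventory against the BYOD
and mobile app policies above.  Added example, not code from the mHIMSS
Roadmap; the record fields, thresholds and sample inventory are assumptions
modelled on a typical MDM export, not any product's schema."""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_AUTOLOCK_SECONDS = 10 * 60   # policy: auto-lock timeout no longer than ten minutes
MIN_PASSCODE_LENGTH = 6          # assumed complexity floor for this example


@dataclass
class Device:
    device_id: str
    owner: str
    enrolled_in_mdm: bool            # MDM software on every device that reaches the network
    jailbroken_or_rooted: bool       # restrict network access for jailbroken/rooted phones
    storage_encrypted: bool          # encrypt all HIPAA-covered data stored on the device
    remote_wipe_enabled: bool        # all phones must have remote wiping software installed
    autolock_seconds: int            # 0 means auto-lock disabled
    passcode_length: int
    passcode_alphanumeric: bool
    # PHI-displaying apps -> whether the app enforces its own authentication
    phi_apps: dict[str, bool] = field(default_factory=dict)


def evaluate(device: Device) -> list[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    violations: list[str] = []
    if device.jailbroken_or_rooted:
        violations.append("jailbroken/rooted device")
    if not device.enrolled_in_mdm:
        violations.append("MDM agent not installed")
    if not device.remote_wipe_enabled:
        violations.append("remote wipe not enabled")
    if not device.storage_encrypted:
        # Encryption at rest is the control that still protects PHI when a lost
        # device is offline and a remote wipe command never reaches it.
        violations.append("device storage not encrypted")
    if device.autolock_seconds <= 0 or device.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        violations.append(
            f"auto-lock timeout {device.autolock_seconds}s outside 1..{MAX_AUTOLOCK_SECONDS}s")
    if device.passcode_length < MIN_PASSCODE_LENGTH or not device.passcode_alphanumeric:
        violations.append("passcode does not meet complexity policy")
    for app, app_auth in device.phi_apps.items():
        if not app_auth:
            violations.append(f"PHI app without its own authentication: {app}")
    return violations


def network_access_decisions(inventory: list[Device]) -> dict[str, tuple[str, list[str]]]:
    """Map device_id -> ("allow" | "deny", violations), e.g. to feed a NAC policy."""
    decisions: dict[str, tuple[str, list[str]]] = {}
    for device in inventory:
        violations = evaluate(device)
        decisions[device.device_id] = ("deny" if violations else "allow", violations)
    return decisions


# Constructed sample inventory (fictional devices and owners).
SAMPLE_INVENTORY = [
    Device("dev-001", "nurse.a", True, False, True, True, 120, 8, True, {"EHR Mobile": True}),
    Device("dev-002", "dr.b", True, True, True, True, 1800, 8, True),
    Device("dev-003", "contractor.c", True, False, False, True, 300, 6, True,
           {"TelemonitorApp": False}),
]


def run_sample() -> dict[str, tuple[str, list[str]]]:
    """Evaluate the constructed inventory; used by the usage block and tests."""
    return network_access_decisions(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for device_id, (decision, why) in run_sample().items():
        print(device_id, decision, "; ".join(why))
```

Running the block prints one line per device: dev-001 is allowed, dev-002 is denied for being jailbroken and for a 30-minute auto-lock, and dev-003 is denied because its storage is unencrypted and its telemonitoring app shows PHI without authenticating the user. The decision is deliberately all-or-nothing; a single violation denies access, which is the posture the policy list implies.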


Future Considerations
Technology is ever changing and the need for new and updated policies will continue. For example, the Federal Health IT Policy Committee met on October 3, 2012 to fine-tune the Meaningful Use Stage 3 regulations, and one open question is whether users of EHRs should be required to present an additional authentication factor beyond a username and password [1]. Note that a username and password together are a single factor (something the user knows); true two-factor authentication adds a second, independent factor such as a hardware token, a device certificate or a biometric.

Big Data
Big data, the collecting, filtering, and analyzing of huge amounts of health data, is going to change the way that healthcare is delivered in the world (for example, storing the population's genome data to assist doctors with diagnosis based on patient-reported sensor data). The amount of data that has to be securely stored by a covered entity is about to explode in size. At the recent StrataRX Conference in San Francisco, one of the speakers referred to yottabytes (10^24 bytes) of health data. We are creating 5 exabytes (10^18 bytes) of data every 48 hours. The production of data of this magnitude opens more challenges to privacy and security in the management of volume, devices, and storage. Staff skills are a significant challenge to supporting this data growth; new skills and training will be needed as these changes near the healthcare horizon. Big data may be the next inflection point in healthcare. Vinod Khosla, co-founder of Sun Microsystems and an investor in health technology, shocked the audience at the StrataRX Conference when he said this about big data: "Technology will replace 80% of doctors." Regardless of whether you believe his statement or not, big money is flowing into big data for healthcare and this will bring change. Much of this data will be patient-reported data that has not traditionally been a part of the patient's record. A significant part of this data will be collected and transmitted via mobile devices. The smartphone is the ubiquitous choice to act as a patient service point or body server, responsible for aggregating and transmitting the patient-reported data. New challenges will quickly arise as the uses of big data infiltrate healthcare: new data types, different collection points, additional reporting mechanisms, and additional privacy and security concerns. These are just a few examples of the transitions in healthcare that big data will spawn. We must stay ahead of the curve.

De-identification
De-identification of PHI is addressed by the HIPAA Privacy Rule and by ARRA. The Privacy Rule recognizes two methods: the Safe Harbor method, which removes a fixed list of 18 identifiers, and Expert Determination, in which a qualified expert documents that the re-identification risk is very small [25]. "De-identification is a risk management exercise," states David Houlding, Lead Architect of Healthcare Privacy and Security at Intel. If your organization is planning to store, transmit, or share data, you will need to make de-identification part of your risk assessment strategy.

Risks and Mitigation Strategies

Risk and mitigation strategies normally fall under the jurisdiction of an organization's risk management team. The author, Jeff Brandt, summarizes risk management as the act of managing risk by understanding the threat and then identifying, containing, and controlling it. Mitigation is the reduction of risk and the containment of damage caused by a breach, as it pertains to security and legal obligations. Managing risk is one of the most important things a vendor or organization can do to protect PHI. Under the HIPAA Security Rule a documented risk analysis is a required administrative safeguard (45 CFR 164.308(a)(1)(ii)(A)), not an optional exercise. Strategies for mitigating risk are built on an organization's policies and procedures, which provide the guidelines from which the tactics needed to secure an organization and its patients are developed. In the mobile space, everything from RFID interference to smartphone apps must be considered when setting policies and risk management objectives.

Recommendations
- Risk management should be added to the mHIMSS best practices.
- Develop best practices for policies concerning PHI security.
- Suggest websites and documentation to assist organizations in developing risk management strategies.
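The Safe Harbor method referred to in the De-identification subsection above has enough mechanical rules that it is worth seeing them applied to a record. What follows is an added example, not code from the mHIMSS Roadmap or from Intel: it de-identifies a constructed patient record by removing the direct identifiers and sub-state geography, reducing dates to years, aggregating ages over 89 into "90 or older", truncating ZIP codes to three digits (with the low-population prefixes replaced by 000), and making a best-effort regex pass over free-text notes. The record layout and field names are assumptions; the restricted ZIP prefix list is the one published in HHS guidance based on the 2000 census and should be confirmed against current guidance before use.

```python
"""HIPAA Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied to a
patient record.  Added example, not code from the mHIMSS Roadmap.  The record
layout and field names are assumptions for this example; the rules applied
are those of the Privacy Rule: remove the direct identifiers and any
geography smaller than a state, keep only the year of dates, aggregate ages
over 89 into "90 or older", and keep only the first three ZIP digits,
replaced by 000 when that three-digit area holds 20,000 people or fewer."""
import re
from datetime import date

# Three-digit ZIP prefixes with a population of 20,000 or fewer according to
# HHS guidance based on the 2000 census.  Confirm against current guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
# Identifiers removed outright (field names are this example's assumptions).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
SUB_STATE_GEOGRAPHY = {"city", "county", "precinct"}   # the state itself may stay

_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits unless the area is in the low-population set."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scrub_free_text(text: str) -> str:
    """Best-effort removal of identifiers from free text.  The regexes catch
    only well-formed SSNs, phone numbers and e-mail addresses; names and other
    identifiers in notes still need review or Expert Determination."""
    for pattern, token in _PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict, today: date) -> dict:
    """Return a new record with the Safe Harbor rules applied."""
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == "dob":
            born = date.fromisoformat(value)
            age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            if age > 89:
                # Even the birth year would reveal an age over 89, so it is dropped.
                out["age_category"] = "90 or older"
            else:
                out["birth_year"] = born.year
                out["age"] = age
        elif key.endswith("_date"):
            out[key[:-5] + "_year"] = date.fromisoformat(value).year
        elif key == "notes":
            out["notes"] = scrub_free_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record (fictional patient) and reference date.
SAMPLE_TODAY = date(2012, 10, 1)
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "dob": "1920-03-15",
    "admission_date": "2012-09-28", "street_address": "1 Example Way",
    "city": "Example City", "state": "NH", "zip": "03601", "diagnosis": "I10",
    "notes": "Call 555-123-4567 about results; e-mail jane@example.org",
}


def run_sample() -> dict:
    """De-identify the constructed record; used by the usage block and tests."""
    return deidentify(SAMPLE_RECORD, SAMPLE_TODAY)


if __name__ == "__main__":
    print(run_sample())
```

For the sample record the output keeps only state, diagnosis, the admission year, "90 or older" in place of both date of birth and age, zip3 "000" (036 is a restricted prefix) and the scrubbed notes. The notes pass is the weak point a practitioner should keep in mind: Safe Harbor applies to free text as well, and pattern matching will not find a name or an unusual date format, which is why records with narrative fields usually end up under Expert Determination or manual review.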

Measuring & Benchmarking


Benchmarking is a valuable tool to help organizations gauge their effectiveness and determine where they stand in comparison with other like entities. Although there are many benchmarking publications on health security, there are few for mHealth. The best practices listed above can also serve as a benchmark for an organization.

Authors

Jeffrey L. Brandt
Comsi; co-author of the HIMSS publication mHealth: Smartphones to SmartSystems; @jeffbrandt

Stacie Durkin
Durkin & Associates

Staff Liaisons

Lisa Gallagher
Senior Director, Informatics, HIMSS

Thomas Martin, MBA
Manager, mHIMSS

Mike Kroll
Associate Manager, Informatics, HIMSS

References

1. mHealth Task Force Findings and Recommendations: Improving care delivery through enhanced communications among providers, patients, and payers. September 2012. www2.itif.org/2012-mhealthtaskforce-recommendations.pdf
2. Wang H, Liu J. Mobile Phone Based Health Care Technology. Recent Patents in Biomedical Engineering. 2009;2:15-21.
3. CompTIA's 3rd Annual HIT Insights and Opportunities study. Accessed September 15, 2012. /members/research/allreports/3rdAnnualHealthcareITInsightsandOpportunities.aspx
4. MobiHealthNews. Accessed September 15, 2012. http://mobihealthnews.com/14206/remote-patient-monitors-post-fastest-growing-revenues/
5. Remote & Wireless Patient Monitoring Markets. Kalorama Information. Accessed September 15, 2012. http://www.marketresearch.com/Kalorama-Information-v767/Remote-Wireless-Patient-Monitoring-2645944/
6. Vitera Healthcare. EHR Solutions and Mobile Technologies Study. http://www.viterahealthcare.com/company/Pages/pr_ViteraHealthcareSolutionsStudyIndicatesThattheMajorityofHealthcareProfessionalsAreInterestedinaMobileEHRSolution.aspx
7. Istepanian R, Jovanov E, Zhang YT. Introduction to the special section on M-Health: beyond seamless mobility and global wireless healthcare connectivity. IEEE Transactions on Information Technology in Biomedicine. 2004;8(4):405-414.
8. Lamminmäki E, Pärkkä J, Hermersdorf M, Kaasinen J, Samposalo K, Vainio J, Kolari J, Kulju M, Lappalainen R, Korhonen I. Wellness diary for mobile phones. Proceedings of the 3rd EMBEC Conference, Prague, Czech Republic; November 20-25, 2005.
9. comScore, Inc. January 2012.
10. Merriam-Webster Dictionary: "An application, or a component of an interface, that enables a user to perform a function or access a service."
11, 12. Definition of PHI. UC Berkeley Research Administration and Compliance. Accessed October 1, 2012. http://cphs.berkeley.edu/hipaa/hipaa18.html
13. Department of Commerce. Commercial Encryption Export Controls. Accessed September 4, 2012. http://www.bis.doc.gov/encryption/encfaqs6_17_02.html
14, 15. Herzig T. Information Security in Health Care: Managing Risk. Chicago: HIMSS; 2010.
16. Department of Health and Human Services. Health Information Privacy. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
17. Department of Health and Human Services. HIPAA. http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html
18. Department of Health and Human Services. HITECH Act Enforcement Interim Final Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
19. Health Breach Notification Rule, Final Rule. FTC, 16 CFR Part 318. August 25, 2009. http://www.ftc.gov/os/2009/08/R911002hbn.pdf
20. Senator Franken. The Protect Our Health Privacy Act of 2012. Accessed September 3, 2012. http://www.franken.senate.gov/files/documents/120627_Protect_Health_Privacy_Summary.pdf
21. Martin G. CE Marking and Mobile Medical Software Apps. BSI America (NTEC), April 17, 2012. Accessed September 3, 2012.
22. Office of the Data Protection Commissioner. EU Directive 95/46/EC, The Data Protection Directive. http://www.dataprotection.ie/viewdoc.asp?docid=89
23. FDA. Mobile Medical Applications.
24. Herzig T. Information Security in Health Care: Managing Risk. Chicago: HIMSS; 2010.
25. Health Information Privacy. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/deidentificationworkshop2010.html

Copyright 2012 Healthcare Information and Management Systems Society (HIMSS)


The inclusion of an organization name, product or service in this document should not be construed as a HIMSS endorsement of such organization, product or service, nor is the failure to include an organization name, product or service to be construed as disapproval. For more information: www.mhimss.org
