This document discusses privacy, security, and safety considerations for using mobile health (mHealth) technologies. It outlines regulations from HIPAA, NIST, FDA, and other organizations regarding protecting electronic protected health information (EPHI) on mobile devices. Key risks include data breaches from lost or stolen devices, and vulnerabilities from device networks. Recommended mitigations include encryption, device authentication, and mobile device management policies. The document also addresses patient safety issues from usability of mobile health apps and technologies.
Protecting Privacy, Security and Patient Safety in mHealth
1. Protecting Privacy, Security and Patient Safety in mHealth
Oklahoma Telemedicine Conference
Telehealth Transition: Opportunity to Value Creation
Patricia D. King, J.D., M.B.A.
2. HIPAA Privacy and Breach Notification
Many reported breaches of unsecured PHI involve mobile devices.
Example: Massachusetts Eye & Ear Infirmary settled a case for $1.5 million and agreed to adopt safeguards for mobile devices.
OCR has developed compliance resources specifically for mobile devices*
Portability and ease of use of mobile devices create unique risks.
*http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
3. HIPAA Security
The HIPAA Security Rule requires covered entities to periodically review their security procedures when technology changes and introduces new risks.
Access to EPHI on mobile devices is a significant operational change requiring providers to revisit their security policies and procedures.
BYOD introduces additional vulnerabilities.
ENCRYPTION, ENCRYPTION, ENCRYPTION!
4. NIST Guidelines for Mitigating Risk of Mobile Devices*
Risk: theft or loss. Mitigation: encryption; permitting access to EPHI but not storage of it on the device; device-based authentication; network-based authentication.
Risk: inherent vulnerabilities due to lack of root-of-trust features. Mitigation: centralized mobile device management technology; if BYOD is permitted, isolation of the organization's data and applications.
*Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST Special Publication 800-124, Rev. 1
5. NIST guidelines (cont'd)
Risk: "man in the middle" attacks on unsecured networks. Mitigation: use of a virtual private network (VPN).
Risk: introduction of malware through apps. Mitigation: prohibiting installation of third-party apps unless "white-listed"; prohibiting browser access, or forcing it through a secure gateway.
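The "white-listed" apps control above is only as good as what the list identifies. An allowlist keyed on package name alone still admits a tampered or re-signed build that reuses an approved name, so the list should pin each approved package to the hash of its vetted build. The following is an added illustration of that check, not code from the slides or from NIST SP 800-124; the package names, the builds (plain byte strings standing in for real app packages) and the allowlist contents are constructed for the example.

```python
"""Allowlist check that pins approved apps to the SHA-256 of the vetted build.

Added example (not from the original slides). Assumptions: the allowlist is
a mapping from package name to the hex SHA-256 of the approved build, and a
candidate install is presented as (package name, package bytes). The sample
packages and names below are constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Decision:
    package: str
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    """Content hash of a candidate package."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved_builds: Dict[str, bytes]) -> Dict[str, str]:
    """Pin each approved package name to the hash of the build that was reviewed."""
    return {name: sha256_hex(blob) for name, blob in approved_builds.items()}


def check_install(allowlist: Dict[str, str], package: str, blob: bytes) -> Decision:
    """Allow only a package whose name is listed AND whose bytes match the pinned hash."""
    pinned = allowlist.get(package)
    if pinned is None:
        return Decision(package, False, "package not on allowlist")
    actual = sha256_hex(blob)
    # compare_digest avoids leaking the position of the first differing byte
    # through timing; both sides are same-length hex digests.
    if not hmac.compare_digest(actual, pinned):
        return Decision(package, False, "hash mismatch: build differs from the approved version")
    return Decision(package, True, "approved build")


# Constructed sample data: one vetted build of a hypothetical EHR viewer app.
APPROVED_BUILDS: Dict[str, bytes] = {
    "org.example.ehrviewer": b"EHR viewer build 4.2 (vetted)",
}
ALLOWLIST = build_allowlist(APPROVED_BUILDS)

# Constructed candidates: the approved build, a tampered build that keeps the
# approved package name, and an unrelated third-party app.
CANDIDATES: List[Tuple[str, bytes]] = [
    ("org.example.ehrviewer", b"EHR viewer build 4.2 (vetted)"),
    ("org.example.ehrviewer", b"EHR viewer build 4.2 (vetted) + injected payload"),
    ("com.example.flashlight", b"free flashlight app"),
]


def evaluate(candidates: List[Tuple[str, bytes]] = CANDIDATES,
             allowlist: Dict[str, str] = ALLOWLIST) -> List[Decision]:
    """Run the allowlist check over every candidate and return the decisions."""
    return [check_install(allowlist, name, blob) for name, blob in candidates]


if __name__ == "__main__":
    for decision in evaluate():
        verdict = "ALLOW" if decision.allowed else "DENY "
        print(f"{verdict} {decision.package}: {decision.reason}")
```

Run as a script it prints one decision per candidate; the second candidate is the case a name-only allowlist would miss. In a real MDM deployment the pinned value would come from the platform's signing identity or the hash the vendor publishes for the reviewed release, and the allowlist itself must be protected from modification on the device.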
6. Special Considerations for BYOD*
Advantages: user satisfaction, potential savings on device purchases.
If BYOD is permitted, the user-owned device will have two information owners: the user for personal data, and the organization for EPHI and business processes.
If the organization's data and apps are confined to a sandbox/secure container, then a remote wipe of that container can be performed if the device is lost, stolen or otherwise compromised, without disrupting the owner's personal data.
*Guidelines on Hardware-Rooted Security in Mobile Devices, NIST Special Publication 800-164 (draft)
7. Other Security Considerations
FDA guidance on cybersecurity for medical devices and networked hospital systems*
The 2014 Work Plan of the HHS Office of Inspector General states that OIG intends to review security controls implemented by hospitals for portable devices containing PHI and for networked medical devices.
*FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks, June 13, 2013
8. Patient Safety
A 2011 Institute of Medicine report focused on how health information technology can itself contribute to medical errors, through poor usability of electronic health records, alert fatigue, and other factors*
The HHS Office of the National Coordinator for Health IT has developed numerous resources to help providers assess safety features of health information technology**
*Institute of Medicine, Health IT and Patient Safety: Building Safer Systems for Better Care, 2011
**http://www.healthit.gov/sites/default/files/safety_plan_master.pdf
9. FDASIA
The 2012 Food and Drug Administration Safety and Innovation Act required the FDA, ONC and FCC to issue a report on development of an "appropriate risk-based regulatory framework pertaining to health information technology, that promotes innovation, protects patient safety, and avoids regulatory duplication".
The FDASIA Health IT Report* recommends that assessment of risk and needed controls should focus on HIT functionality, not on the platform (mobile, cloud, etc.) on which the functionality resides.
*FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework, April 2014
10. FDA Guidance on Mobile Medical Apps
FDA guidance states that the FDA intends to regulate only those mobile apps that meet the definition of a medical device under the Food, Drug and Cosmetic Act, or that are intended to be used as an accessory to a medical device or to transform a mobile platform into a medical device.
Since apps that are not mobile medical apps will not have FDA review, providers considering use of such an app should conduct their own review of the app's effectiveness.
11. Role of the FCC
The Federal Communications Commission has expanded access to radio frequency spectrum for wireless medical communications:
Wireless Medical Telemetry Service
MedRadio Service
Medical Micro-Power Networks
Medical Body Area Networks
The focus of FCC regulation is avoiding interference among users of wireless spectrum.