Protecting Privacy, Security and Patient Safety in mHealth

Oklahoma Telemedicine Conference
Telehealth Transition: Opportunity to Value Creation
Patricia D. King, J.D., M.B.A.
HIPAA Privacy and Breach Notification
- Many reported breaches of unsecured PHI involve mobile devices
- Examples: Massachusetts Eye & Ear Infirmary settled case for $1.5 million, agreed to adopt safeguards for mobile devices
- OCR has developed compliance resources specifically for mobile devices*
- Portability and ease of use of mobile devices create unique risks
* http://www.healthit.gov/providers-professionals/your-mobiledevice-and-health-information-privacy-and-security
HIPAA Security
- HIPAA Security Rule requires covered entities to periodically review their security procedures when technology changes and introduces new risks
- Access to EPHI on mobile devices is a significant operational change requiring providers to revisit their security policies and procedures
- BYOD introduces additional vulnerabilities
- ENCRYPTION, ENCRYPTION, ENCRYPTION!
NIST Guidelines for Mitigating Risk of Mobile Devices*
- Risk: theft or loss
  - Mitigation:
    - Encryption
    - Permitting access to EPHI but not storage
    - Device-based authentication
    - Network-based authentication
- Risk: inherent vulnerabilities due to lack of root of trust features
  - Mitigation:
    - Centralized mobile device management technology
    - If BYOD is permitted, isolation of organization's data and applications
* Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST Special Publication 800-124, Rev. 1
NIST guidelines (cont'd)
- Risk: "man in the middle" attacks on unsecure networks
  - Mitigation:
    - Use of virtual private network (VPN)
- Risk: introduction of malware through apps
  - Mitigation:
    - Prohibiting installation of third-party apps unless "white-listed"
    - Prohibiting browser access or forcing through secure gateway
Special Considerations for BYOD*
- Advantages: user satisfaction, potential savings on device purchases
- If BYOD is permitted, the user-owned device will have 2 information owners: the user for personal data, and the organization for EPHI and business processes.
- If the organization's data and apps are confined to a sandbox/secure container, then a remote wipe can be performed if the device is vulnerable without disrupting the owner's data.
* Guidelines on Hardware-Rooted Security in Mobile Devices, NIST Special Publication 800-164 (draft)
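The two NIST slides and the BYOD slide above describe a set of mitigations (encryption, device-based authentication, access-without-storage, centralized MDM, VPN, app white-listing, a secure gateway for the browser, and a container so that a lost BYOD device can be wiped without touching personal data). The following is an added example, not code from the deck, from NIST SP 800-124 or from any MDM product: a posture check that turns each listed mitigation into a condition a device must satisfy before it is granted access to EPHI, plus a helper that decides the wipe scope for a lost device along the container/ownership lines the BYOD slide draws. The field names, the approved-app list and the sample inventory are all constructed for illustration.

```python
"""Posture check for mobile devices that touch EPHI.

Added example (not from the slide deck or NIST SP 800-124). Each check maps
to one mitigation on the NIST slides; wipe_scope() follows the BYOD
container point. Field names, APPROVED_APPS and SAMPLE are constructed.
"""
from dataclasses import dataclass, field

# Constructed allow-list ("white-listed" apps); a real deployment pulls this from MDM.
APPROVED_APPS = {"org.example.ehr", "org.example.securemail", "com.example.vpn"}


@dataclass
class Device:
    device_id: str
    ownership: str              # "org" or "byod"
    storage_encrypted: bool     # device or container storage encrypted at rest
    device_auth: bool           # passcode/biometric lock enforced on the device
    mdm_enrolled: bool          # centrally managed by the organization
    container_present: bool     # org data/apps isolated from personal data
    on_vpn: bool                # session arrives over the organization's VPN
    browser_via_gateway: bool   # browser traffic forced through the secure gateway
    ephi_stored_locally: bool   # EPHI cached on the device rather than only viewed
    installed_apps: list[str] = field(default_factory=list)
    reported_lost: bool = False


def posture_findings(dev: Device) -> list[str]:
    """Return the unmet mitigations; an empty list means EPHI access may be granted."""
    findings = []
    if dev.reported_lost:
        findings.append("device reported lost or stolen")
    if not dev.storage_encrypted:
        findings.append("storage not encrypted")
    if not dev.device_auth:
        findings.append("no device-based authentication")
    if not dev.mdm_enrolled:
        findings.append("not enrolled in mobile device management")
    if dev.ownership == "byod" and not dev.container_present:
        findings.append("BYOD device lacks a secure container for org data")
    if not dev.on_vpn:
        findings.append("connection not over VPN (exposed to man-in-the-middle)")
    if not dev.browser_via_gateway:
        findings.append("browser not forced through secure gateway")
    if dev.ephi_stored_locally:
        findings.append("EPHI stored on device; policy permits access only")
    unapproved = sorted(set(dev.installed_apps) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved third-party apps: " + ", ".join(unapproved))
    return findings


def may_access_ephi(dev: Device) -> bool:
    """Grant EPHI access only when every mitigation is in place."""
    return not posture_findings(dev)


def wipe_scope(dev: Device) -> str:
    """Decide what a remote wipe should cover for a lost device.

    org-owned: the organization is the only data owner, wipe the whole device.
    BYOD with container: wipe the container only, personal data is untouched.
    BYOD without container: org and personal data are mixed, so only a full
    wipe removes the EPHI; the owner has to be told their data goes with it.
    """
    if not dev.reported_lost:
        return "none"
    if dev.ownership == "org":
        return "full"
    return "container" if dev.container_present else "full-with-owner-notification"


# Constructed sample inventory: one compliant org tablet, one BYOD phone with a
# side-loaded app, one unmanaged BYOD phone, and one lost BYOD phone with a container.
SAMPLE = [
    Device("tablet-01", "org", True, True, True, False, True, True, False, ["org.example.ehr"]),
    Device("phone-07", "byod", True, True, True, True, True, True, False,
           ["org.example.ehr", "com.example.game"]),
    Device("phone-12", "byod", False, True, False, False, False, False, True, []),
    Device("phone-03", "byod", True, True, True, True, True, True, False,
           ["org.example.ehr"], reported_lost=True),
]


def report(devices=SAMPLE) -> dict[str, tuple[bool, list[str], str]]:
    """Map device id -> (access decision, findings, wipe scope)."""
    return {d.device_id: (may_access_ephi(d), posture_findings(d), wipe_scope(d))
            for d in devices}


if __name__ == "__main__":
    for dev_id, (ok, findings, scope) in report().items():
        print(f"{dev_id}: access={'ALLOW' if ok else 'DENY'} wipe={scope}")
        for item in findings:
            print("   -", item)
```

The access decision is deliberately all-or-nothing: a device that fails any one mitigation is denied, which is what turns the slide's list into something an access gateway can enforce rather than a checklist reviewed after the fact. The wipe-scope logic shows why the container matters for BYOD: without it there is no way to remove the organization's EPHI from a lost phone without also destroying the owner's personal data.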
Other Security Considerations
- FDA guidance on cybersecurity for medical devices and networked hospital systems*
- 2014 Work Plan of the HHS Office of Inspector General states that OIG intends to review security controls implemented by hospitals for portable devices containing PHI and networked medical devices
* FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks, June 13, 2013
Patient Safety
- 2011 Institute of Medicine report focused on how health information technology can itself contribute to medical errors, through poor usability of electronic health records, alert fatigue, and other factors*
- HHS Office of the National Coordinator for HIT has developed numerous resources to help providers assess safety features of health information technology**
* Institute of Medicine, Health IT and Patient Safety: Building Safer Systems for Better Care, 2011
** http://www.healthit.gov/sites/default/files/safety_plan_master.pdf
FDASIA
- 2012 Food and Drug Administration Safety and Innovation Act required the FDA, ONC and FCC to issue a report on development of an "appropriate risk-based regulatory framework pertaining to health information technology, that promotes innovation, protects patient safety, and avoids regulatory duplication"
- FDASIA Health IT Report* recommends that assessment of risk and needed controls should focus on HIT functionality, not on the platform (mobile, cloud, etc.) on which the functionality resides
* FDASIA Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework, April 2014
FDA Guidance on Mobile Medical Apps
- FDA guidance states that the FDA intends to regulate only those mobile apps that meet the definition of a medical device under the Food, Drug and Cosmetic Act, or that are intended to be used as an accessory to a medical device or to transform a mobile platform into a medical device
- Since apps that are not mobile medical apps will not have FDA review, providers considering use of the app should conduct their own review of the app's effectiveness
Role of the FCC
- The Federal Communications Commission has expanded access to radio frequency spectrum for wireless medical communications:
  - Wireless Medical Telemetry Service
  - MedRadio Service
  - Medical Micro-Power Networks
  - Medical Body Area Networks
- Focus of FCC regulation is avoiding interference among users of wireless spectrum