health applications Archives - LuxSci

Posts Tagged ‘health applications’

The Future of Protected Health Information

Wednesday, May 10th, 2023

HIPAA was introduced in 1996 to protect patient privacy and enable individuals to control their health records. However, over the last 30 years, the proliferation of technology has enabled patients to collect, transmit, and store personal health data in ways that were unimaginable to the original authors of the legislation. This article discusses how the definition of protected health information may expand in the future to account for new types of data, covered entities, and technologies.


Protected Health Information Today

Under the current iteration of HIPAA, protected health information, or PHI, is defined as “individually identifiable health information.” Health information, in this context, refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data must be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with health data, would constitute PHI.


In addition, under today’s HIPAA rules, only covered entities and business associates must abide by the regulations. Covered entities fall into three categories:

  1. Healthcare providers – Hospitals, doctors, clinics, pharmacies, nursing homes, psychologists, and other providers.
  2. Health plans – Health insurance companies, company health plans, HMOs, and government-paid health care plans such as Medicare.
  3. Healthcare clearinghouses – Entities that either process or facilitate the processing of health information they receive from other entities.

Business associates include a wide range of companies, but most importantly, they are contracted by a covered entity to perform a business function involving PHI. Business associates can include web hosts, billing companies, marketing agencies, legal firms, accountants, and more.

The Future of Protected Health Information

As the world has rapidly changed, new technologies have emerged that challenge how we think about personal health data. IT security teams must consider future security challenges and regulatory changes to future-proof their organization and mitigate risks. Below we explore how technology and PHI have progressed in a way that is pressuring regulators and legislators to protect patient privacy.

Technological Advances

The smartphone was still a decade away from being invented when HIPAA was introduced. In today’s world, the success of the iPhone has trickled down to other internet-connected smart devices such as watches, scales, and other wearables. Even medical devices, including heart rate monitors and remote patient monitoring devices, can be found in people’s homes today. When medical providers ask patients to use these devices to capture biometric data, HIPAA rules apply.

But what about when healthcare providers do not recommend these technologies? If a consumer wants to use an application to record their daily activity, record their weight, or monitor their heart rate without direction from a doctor, HIPAA does not apply. However, due to the sensitivity of the data and the lack of consumer understanding, some are calling for additional privacy requirements on device and application manufacturers. It is not hard to imagine that any application designed to collect, store, or transmit health data will become subject to stricter regulations, regardless of whether a healthcare provider is involved.

New Types of Data

When HIPAA was envisioned, genetic science was progressing but still confined to the upper levels of academia and research. Improvements in genetic testing and increased knowledge of the human genome could completely alter what is defined as PHI and how individuals interact with their healthcare providers. In 2013, amendments to the Privacy Rule clarified that genetic information is PHI and needs to be secured. However, over the past decade, genetic testing capabilities have exploded. Anyone can order a genetic test from numerous consumer-facing companies. As a result, personalized medicine is thriving and is likely to grow over the next decade.

As doctors have more access than ever before to information about our genomes, it is of the highest importance to ensure that it is secured.

Change is On The Way: Are You Ready?

Covid-19 rapidly accelerated many of these technological changes, and recent events in the news have already sparked changes to HIPAA enforcement. For example, the use of online tracking pixels to collect and transmit PHI recently caused OCR to issue a statement on their proper use. In addition, last year’s Supreme Court decision in Dobbs vs. Jackson Women’s Health spurred many reproductive health-tracking apps to take additional steps to protect users’ data. The episode highlighted just how much personal health data is contained in unregulated applications.

Even without government intervention, organizations that process health data must secure it to build consumer trust and differentiate from the competition. With breaches and cyberattacks on the rise, only the best-prepared organizations will be able to grapple with future challenges and regulatory changes.

Medical Device Cybersecurity Standards Are on the Way

Thursday, December 29th, 2022

Internet-connected medical devices have transformed healthcare, but not without introducing significant risks. After years of lobbying, changes to medical device cybersecurity standards are finally coming as part of the Consolidated Appropriations Act. The omnibus spending bill includes language requiring medical device manufacturers to ensure that their devices meet specific cybersecurity requirements. This article looks at the proposed changes and how they could trickle down to include other wearable devices and applications in the future.


The State of Medical Device Security

Over the past few years, politicians and healthcare leaders have pushed for further guidance and regulations surrounding medical device security. Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected and could pose security risks.

It’s no secret that cybercriminals frequently target medical devices. Capterra recently surveyed 150 healthcare respondents in the United States to explore the current state of medical IoT security and determine whether medical practices with a high percentage of their medical devices connected to the internet were experiencing more cyberattacks. They found that medical practices with a higher percentage of connected medical devices experienced more cyberattacks than those with a low percentage of connected medical devices.


Ongoing struggles with securing and keeping track of medical devices, the industry’s reliance on legacy systems, and increased federal cybersecurity focus prompted legislative action.

Proposed Changes to Medical Device Security Standards

Once enacted, the omnibus bill would require device manufacturers to “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”

Additionally, manufacturers must design and develop processes to ensure that their devices and related systems are secure, including post-market updates and patches. These updates will take effect 90 days after the bill is signed.

The bill would also require manufacturers to provide a software bill of materials (SBOM) to the Secretary detailing the software’s off-the-shelf, open-source, and commercial components. CISA defines a software bill of materials as “a nested inventory, a list of ingredients that make up software components.” SBOMs have grown in popularity because they make it easier to know whether a specific threat affects your software. For instance, one of the reasons the log4j attack was so threatening was that log4j is widely used in various consumer and enterprise services, websites, and applications to log security and performance information. An average software user had no way of knowing whether their services used log4j, putting them at risk of a breach. Having an SBOM makes it easy to know whether an exploit threatens your software.
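To make the SBOM argument concrete, here is an added example (not LuxSci’s code, and not tied to any real advisory) that reads a constructed CycloneDX-style SBOM and reports components older than a constructed advisory’s fix version; the component names, versions, and advisory id are placeholders chosen for illustration.

```python
"""Check an SBOM's component inventory against an advisory list.

Added example. SBOM_JSON is a constructed, minimal CycloneDX-style
document; ADVISORIES is a constructed list whose version values are
PLACEHOLDERS, not a real vulnerability record.
"""
import json

# Constructed SBOM fragment: "components" is the CycloneDX array that
# lists the third-party "ingredients" of a piece of software.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-api", "version": "2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "version": "2.13.4"}
  ]
}
"""

# Constructed advisory: which component is affected and the first
# version that is not. PLACEHOLDER values; use a real advisory feed.
ADVISORIES = [
    {"group": "org.apache.logging.log4j", "name": "log4j-core",
     "fixed_in": "2.17.1", "id": "EXAMPLE-ADVISORY-1"},
]


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    A non-numeric suffix such as '-beta9' ends the tuple; good enough here."""
    parts = []
    for piece in v.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def affected_components(sbom_json, advisories):
    """Return (name, version, advisory id) for every SBOM component that
    matches an advisory and is older than that advisory's fixed_in version."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            if comp.get("group") == adv["group"] and comp.get("name") == adv["name"] \
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, ver, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {ver} is affected by {adv_id}")
```

Only log4j-core is reported: log4j-api shares the group but not the advisory, and jackson-databind is not listed at all, which is exactly the triage an SBOM makes possible.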

Finally, the omnibus bill would also require the Food and Drug Administration to issue further guidance on improving the cybersecurity of medical devices. The Government Accountability Office (GAO) would also be expected to release a report within the next year to identify remaining challenges surrounding device security. This bill represents only the first step in improving the security and regulations for medical devices.

The Future of Medical Devices and the Internet of Medical Things (IoMT)

These improvements are necessary considering the recent popularity of personal medical devices. Though the proposed regulations do not necessarily apply to fitness trackers and smartwatches, it’s easy to imagine a future in which medical providers use similar devices to record and transmit patient data to electronic health records.

As smartwatches, remote patient monitoring tools, and other devices that allow individuals to track, send, and store health data are gaining market share, they will also come under scrutiny by regulators. Organizations must decide how to safely use these tools and make decisions to ensure interoperability with their systems. Not all medical devices and applications are designed with patient security and privacy in mind.

People love how easy it is to track step counts with a Fitbit or Apple Watch, but as we know, balancing usability with security is a challenging task. Tracking physical activity is one thing, but as these devices evolve to collect more sensitive health information, integrating them with health systems while maintaining patient privacy will be a considerable challenge. It is clear that as health tech evolves, so too must our security practices. These new regulations are only the first step to securing the vast quantities of digital health data that are collected and distributed by third parties not subject to HIPAA requirements.