Mobile health apps, or mhealth apps, are the craze right now: apps that help keep track of everything from your weight and blood pressure to your medications and diet. You name it and there seems to be an app touting some perceived health or wellness benefit. Many of these apps are free, requiring users to just create an account, sign in and start using the app. Consumers should however be careful about which apps they use, because many of them have serious data security and privacy issues.
An example is the recent report by Appthority, covered in PC Magazine, that highlights blatant data privacy and security issues with the iPharmacy app. The iPharmacy app allows individuals to identify pills and manage their medications. The report cites a lack of proper data encryption, personal information sent to multiple ad networks, and identifiable personal information exposed to analytics services. According to Appthority, "For an app that has earned a top developer award from Google Play, [we] found it to be one of the top offenders when it comes to risky privacy behaviors for apps in the health or medical category".
Unfortunately these data security and privacy issues exist in a number of mobile apps, especially those apps that are available for free. Privacy policies do not exist or are trivial at best. Just think about this for a second. Why is the app offered free? How are the app developers making money if they are not charging us for the product/service they provide? Some companies give away a free version with the hope that we upgrade to the paid version of the app with more features. For many other app developers, the real product these companies are selling is not the app but us, the consumers. The app developers give us the app for free so that they can collect our personal information, learn about our buying habits and sell this information to advertisers who can then bombard us with ads in the hope of getting us to buy the products they sell.
Handing identifiable personal/medical information to ad networks, or leaving it unencrypted, leaves the users of the app susceptible to financial or medical identity theft. Imagine this information in the hands of criminals who can exploit the data in harmful ways. (Learn more about the disastrous consequences of medical identity theft and the steps you can take to prevent it.)
Employees are increasingly using their personal smartphones and tablets for work purposes. This presents a number of security issues for healthcare organizations that have to ensure the security of their electronic protected health information (ePHI). These data security issues could quickly turn into a nightmare if organizations are not proactively addressing the Bring Your Own Device (BYOD) phenomenon.
A recent study from the Ponemon Institute found the following:
- Many organizations are not taking the necessary steps to protect ePHI on mobile devices and in the cloud.
- 54 percent of survey respondents have had on average five data breach incidents involving the loss or theft of a mobile device containing regulated data.
- Approximately 33 percent of respondents said that they need to access PHI to do their work.
- Only 15 percent of survey participants knew of HIPAA's security requirements for regulated data on mobile devices despite 33 percent of respondents indicating that they are part of a HIPAA covered entity.
- Approximately 40 percent of respondents weren't sure if their organization's rules on employee access and use of regulated data on mobile devices were HIPAA compliant.
These findings clearly show that healthcare organizations need to get their act together with respect to ensuring ePHI security on mobile devices. We live in an increasingly digital world where 24/7 access to information is the expectation. Clinicians and other staff need and expect access to ePHI data from remote locations on different devices. Healthcare organizations need to be proactive in their approach towards BYOD. Implementing reasonable policies and procedures, coupled with appropriate security technology can allow employees to use mobile technology in a secure, compliant manner and prevent data breaches.
Here is what every healthcare organization needs to do:
- Decide whether the organization is going to provide mobile devices such as smartphones and laptops to staff, or whether it is going to allow a BYOD strategy.
- Determine which staff members need access to ePHI to do their jobs.
- Determine how much ePHI access is needed to do the job.
- Develop and implement clear policies and procedures for mobile device usage that state: a) the smartphone platforms (iOS, Android, Windows or BlackBerry) supported by your IT infrastructure; b) the minimum hardware and software configuration required on the mobile device to ensure ePHI security (for example a passcode, device encryption and a current OS version); c) a list of dos and don'ts with respect to ePHI security and mobile device usage. If employees use their own devices for work, they will also have personal data on those devices, such as photos, music, personal email and text messages. Backing up smartphone data with a cloud-based service moves that data to the provider's cloud (iCloud, SkyDrive or Google Drive), so an employee could inadvertently copy ePHI into a personal cloud backup simply by connecting the device to that backup service. Train employees on proper usage of the device and make sure your staff are aware of these risks to ePHI.
- Implement technology to authenticate and authorize access to ePHI.
- Implement audit controls to monitor who is accessing ePHI, from which device and from which location.
- Set up alerts to warn management of any unauthorized attempts to access ePHI.
- Prevent users from downloading ePHI to their mobile devices where possible.
- Make sure that devices that store ePHI have, at a minimum, encryption, device tracking, and remote lock and remote wipe capabilities enabled.
- Conduct periodic employee training to reinforce the importance of ePHI security.
- Have a strictly enforced sanction policy in place to discourage non-compliant behavior.
Present-day digital copiers/printers used for business purposes are workhorses that are constantly used for printing, copying, faxing, scanning and emailing confidential documents. These machines contain hard drives that store copies of the documents they handle. In the case of healthcare businesses, the ePHI in these documents needs to be protected at all times. These machines are a part of your information technology network and hence just as susceptible to attack as any other networked device.
All healthcare businesses handling ePHI should conduct a risk analysis that includes copiers/printers along with all other computing devices. Most of the time these copiers are leased on a yearly basis and replaced every couple of years with a new model. The old model is returned to the leasing company, which may re-lease or sell the machine to another organization. Your healthcare organization should have security policies that cover the use of printers/copiers to protect the ePHI on their hard drives, both while the machine is in use and when it is replaced. Many manufacturers offer an encryption or overwrite option that wipes the drive after each job; find out whether your model has it and make sure it is turned on. When you decide to replace the machine, it is extremely important that the ePHI on its hard drive be destroyed and a certificate of destruction obtained. Check whether the equipment manufacturer or the leasing company offers data destruction services. Data destruction services are also offered by independent servicing companies that will securely dispose of the ePHI and issue a destruction certificate.
This recent settlement is a prime example of what can happen if ePHI is left unprotected on hard drives in photocopiers. http://www.hhs.gov/news/press/2013pres/08/20130814a.html “Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.”
Check out the following links/resources for more information on safeguarding sensitive data stored on the hard drives of digital copiers:
- Copier Data Security: A Guide for Businesses: http://business.ftc.gov/documents/bus43-copier-data-security.
- The National Institute of Standards and Technology has issued guidance on media sanitization (SP 800-88 Rev. 1): http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf.
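The destruction step above is where copier leaks happen, so here is what "destroy and verify" looks like in practice. This is an added example, not code from the original post or from any copier vendor. It overwrites a drive image with a fixed pattern (what NIST SP 800-88 calls Clear) and then reads every byte back; that read-back is the evidence you want behind a destruction certificate, because the overwrite alone proves nothing. The path can be a raw image pulled from the copier or, with root on Linux, a block device such as /dev/sdX (a hypothetical path); the sample image, the fake scanned PHI text in it and the temporary location are all constructed here. Caveat: a host-side overwrite is adequate for magnetic disks only. Flash and SSD media remap worn blocks that the host can never reach, so for those use the drive's own sanitize or crypto-erase command, or physical destruction, and still verify.

```python
"""Clear a drive image by overwriting it, then verify by reading it all back."""
import os
import tempfile

CHUNK = 1 << 20  # overwrite and verify 1 MiB at a time


def _media_size(path: str) -> int:
    """Size in bytes; seeking to the end also works for block devices, where getsize() is 0."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        return f.tell()


def write_sample_image(path: str, size: int = 3 * CHUNK + 4096) -> None:
    """Create a constructed 'copier drive' image: fake scanned PHI text plus random filler."""
    fake_phi = b"Patient: Jane Doe  DOB: 1970-01-01  Dx: hypertension  Rx: lisinopril\n"
    with open(path, "wb") as f:
        f.write(fake_phi * 100)
        f.write(os.urandom(size - len(fake_phi) * 100))


def contains_plaintext(path: str, needle: bytes) -> bool:
    """True if `needle` still appears anywhere in the image (handles chunk boundaries)."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""


def clear_and_verify(path: str, fill_byte: int = 0x00) -> dict:
    """Overwrite every byte with `fill_byte`, fsync, then read the whole image back.
    Returns a report (total size, bytes verified, pass/fail) for the destruction record."""
    size = _media_size(path)
    fill = bytes([fill_byte]) * CHUNK
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(remaining, CHUNK)
            f.write(fill[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # force the writes to the media, not just the page cache
    verified = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if chunk != bytes([fill_byte]) * len(chunk):
                return {"size": size, "verified_bytes": verified, "clean": False}
            verified += len(chunk)
    return {"size": size, "verified_bytes": verified, "clean": verified == size}


def run_demo() -> dict:
    """Build a sample image, confirm PHI is present, clear it, confirm it is gone."""
    path = os.path.join(tempfile.mkdtemp(), "copier.img")
    write_sample_image(path)
    before = contains_plaintext(path, b"Patient: Jane Doe")
    report = clear_and_verify(path)
    after = contains_plaintext(path, b"Patient: Jane Doe")
    os.remove(path)
    return {"phi_present_before": before, "phi_present_after": after, **report}


if __name__ == "__main__":
    print(run_demo())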
How does your healthcare organization prevent unauthorized access to confidential patient data?
As a covered entity or a business associate under HIPAA, having adequate access and audit control is required to prevent unauthorized access to electronic protected health information (ePHI). It access boils down to answering these two questions:
- Who needs access to ePHI in the organization?
- How much ePHI access is needed by an individual to perform his/her job?
Take these steps to secure, monitor and manage ePHI access in your organization:
- Follow the Minimum Necessary Principle -Limit ePHI access to only those individuals who need it to perform their duties AND limit the scope of ePHI access to only that is required for the job. Every staff member in your organization doesn’t need access to ePHI or even the same level of ePHI access. Be stingy in handing out ePHI access privileges.
- Have a well written access policy and procedure in place that clearly communicates the approval procedure for granting ePHI access to an individual.
- Implement audit software that can generate the list of individuals with ePHI access, provide a log of recent access activity and alert management to any attempts to gain unauthorized access to ePHI.
- Implement policy that mandates periodic audits of the ePHI access procedure and revoke or grant access privileges as needed.
- Train employees on their ePHI security and compliance responsibilities
- Have all documentation readily available in case of an audit
Legitimate concerns about data security in the cloud, trusting a third-party with confidential patient healthcare information and potential disastrous consequences of a data breach have held back many healthcare organizations from moving their electronic protected health information (ePHI) to the cloud. The HIPAA Final “Omnibus Ruling” promises to alleviate these concerns and spur the adoption of cloud computing in the healthcare sector.
It has been two years since I wrote my blog “Heading to the Cloud”
and a lot has changed since then. I thought this would be a good time to revisit the adoption of cloud in the healthcare sector which is in the midst of tremendous regulatory, technological and business changes. The old fee for service model is giving way to a health outcomes based model, forcing healthcare organizations to look at mobile technology and cloud computing to streamline their operations, reduce expenses and deliver better health outcomes for their patients.
Cloud computing is a model of computing where the IT infrastructure, applications and data are delivered to the end user as a service over the internet. Cloud is dynamically scalable and allows IT resources to be consumed on-demand by the end user in a secure environment. It is cost-effective, because businesses don't need to make upfront capital investments, nor do they have to worry about high and low demand periods in their business. Cloud computing customers can easily scale up and down as their demand fluctuates. They also do not have to worry about costly repairs and maintenance costs associated with owning their infrastructure. They simply pay for the resources they use, as they use them, usually on a monthly basis. Cloud solutions are also a natural fit for disaster recovery, because they store information offsite and are easily accessible during emergency from a remote location. With cloud-based disaster recovery, it is easy to deploy a failed physical server in a virtual environment, enabling end users to continue to work, reducing business downtime. Moving to the cloud makes a lot of sense because of these benefits.
Concerns about data security and privacy have held back many healthcare practices from using cloud based solutions and services. This situation will soon change. According to the HIPAA Final Omnibus Rule, cloud service providers and other third-party business associates and their contractors are directly liable for a data breach. Just like the covered entity, the business associates are also responsible for implementing the same administrative, physical and technical safeguards for ensuring the security and privacy of the ePHI. All covered entities are also required to execute written business associate agreements with all their third party vendors who create, store, maintain and transmit ePHI as a part of their business responsibilities.
The HIPAA Final Omnibus Rule should further accelerate the adoption of cloud based EMR integrated with practice management and billing as well as cloud based backup and disaster recovery solutions. Healthcare organizations can now reap the benefits of the cloud by only working with those cloud service vendors who have implemented appropriate technology, policies and procedures to secure ePHI and are willing to sign a business associate agreement.
Health insurance exchanges are open to businesses as of Oct 1st. People can now sign up online to buy personal health insurance. These exchanges are in different stages of readiness across different states and we are already hearing reports of stalled computer systems; however, that is not the major problem. As open enrollment in these health insurance- exchanges begins, the real problem is the rise of medical identity theft. Criminals are quick to exploit unsuspecting citizens, steal their personal health and financial information for financial gain. Scammers are calling people with fake health insurance offers and launching fraudulent websites that lure people in to providing their personal information. As I mentioned my earlier blogs, the consequences of medical identity theft
are disastrous for both patients and healthcare organizations.
If you are looking for health insurance and are interested in signing up or learning more about the healthcare exchanges, please be aware of the scams out there. Here are some helpful tips to protect you from falling victim to one of these scams:
- Do not give out personal information to anyone that has called you or emailed you offering insurance policies. There are legitimate education campaigns by state health insurance exchanges via email, letters or phone calls, but they will not sell you policies nor ask for personal information.
- Visit the health exchange websites for your state. Massachusetts residents can check out the Massachusetts Health Connector website at www.mahealthconnector.org. Do not click on any advertisement link that offers cheap policies. Instead, type the correct address of the health insurance exchange website in your internet browser.
- The initial enrollment period runs from October 1, 2013 to March 31, 2014. Don’t be pressured into signing a policy as the preapproval rates won’t change during this period.
- Be vigilant about fraud and medical identity theft. Report any unsolicited phone calls or emails asking for personal information to the appropriate authorities
A few days ago, Apple announced its long awaited iPhone 5S. Though the new phone looks like the old iPhone5 model, it does have a couple of key new features in the hardware namely: the finger print scanner( Touch ID) and the a new M7 coprocessor. I am curious to see how these features play out in the healthcare space.
iPhones and iPads are extremely popular among medical professionals, with over 70% of the doctors owning one or both. Patient data security is critically important in the healthcare sector. Controlling access to the mobile device via strong user authentication is necessary in keeping data from falling in to wrong hands. Strong passwords minimize the risk of unauthorized device access. But thumbing long passwords in the phone is cumbersome which results in many users using weak or no passwords.
Finger printing technology used in the new iPhone 5S, though not completely foolproof, could strike the right balance between convenience and security. The fingerprint scanner does not store the actual finger print scans ( wall street journal
), but stores fingerprint data in encrypted format on the phone’s processor. This data is not stored on Apple servers or the iCloud and is not available to third –party applications. It is only accessible by the Touch ID sensor. This should address data security and privacy concerns.
Of course it remains to be seen how the sensor technology works in real usage scenarios, when oily, sticky fingers could a factor. Hopefully the technology will be robust enough to keep unauthorized users out and won’t keep the rightful cellphone owner locked out of their phone. It would be a pain to enter passcodes every time the fingerprint scan doesn’t work.
The iPhone 5S also has a new M7 coprocessor that works with the new A7 chip. The M7 is designed specifically to continuously measure motion data from the accelerometer, gyroscope, and compass, without continuously involving the A7 chip. This will help lower battery consumption. The M7 coprocessor can also tell if a person is driving, running or walking. So for example if you park your car and start walking, the M7 coprocessor can tell the maps application to switch from driving to walking directions.
The mhealth sector is projected to grow at a tremendous pace in the next few years, with health/wellness and remote monitoring of chronic illness indicators being the prime usage scenarios. Looks like Apple is looking to increase its footprint in the healthcare space. It will be interesting to see how effectively different mhealth apps use the M7 coprocessor capability in their offerings.
Mobile technology has fundamentally changed the way we live. We can communicate with people, do our banking, shop and search for stuff from practically anywhere. So it would seem to be no-brainer that doctors and patients would flock to using remote monitoring devices and mhealth apps in droves. But that is not the case in real life. Even though there are over 20,000 so called mhealth apps in the apple store alone, very few of them are used by consumers on a regular basis.
Mobile technology has tremendous potential to improve the quality of healthcare delivered. Understanding the nature of the healthcare ecosystem is essential if you want your mhealth product/initiative to be a success.
The following mistakes should be avoided when developing a mhealth product:
- Developing technology just because it seems cool to the developer: Avoid this most common mistake made by technologists. Don’t think that the coolness factor of your latest mobile device or app is going to be the main criteria for buying it. Keep its usefulness to potential users in mind when you design your products.
- Not getting provider buy in: Getting input from physicians and other healthcare professionals is important in designing a solution. Your product has to be functional and beneficial to their practice and their patients. Learn their workflow. Does your solution increase productivity, optimize workflow, improve revenue, improve note taking or help deliver higher quality of patient care? Does your solution need to integrate with other software in their practice? Busy doctors are already bombarded with tons of data. Dumping more data from health apps on their plate isn’t going to help them unless the data is actionable. Understand their pain points and then design your products to meet their needs.
- Not closing the feedback loop: This is especially important when developing mhealth apps for consumers and it also reinforces the provider buy-in point. Patients find more value in using a mhealth app regularly if it is recommended by their doctor and they receive feedback from their doctor about the data the app collects.
- Forgetting about reimbursement (alignment of provider-payee incentives): Healthcare is a complex organism with so many disparate parts. In the US it is the only sector where there is a third party (insurance company) between the service provider and the person receiving the service. Understanding that Medicare/Medicaid and third party insurance reimbursement plays a key role in the delivery or healthcare is absolutely critical. Marketing healthcare products directly to consumers without insurance paying for it is a difficult sell.
- Make it complex to use: Keep the technology simple, and easy to use. All those fancy features may seem appealing to your technologically savvy brain, but remember that you are designing products for busy professionals/patients who may not be as tech savvy as you nor are they interested in all those fancy bells and whistles in your product. All they care is whether your solution is easy to use and gets the job done. Many times it is necessary to remove extraneous features to make the product more appealing to users.
- Overlooking Security: Healthcare is a highly regulated industry wherein patient data security is mandated under federal (HIPAA) regulations and State Health laws. Knowing the data security compliance requirements is extremely important if you want your technology to have a chance to succeed in the healthcare space.
- Not realizing that it’s about the service, not the technology. Healthcare is a service business. Technology is an enabler that allows healthcare providers to improve the quality of service and patient care delivered. Any new mobile health technology has to be an invisible part of the total service provided. Understanding how the mobile technology fits in to the whole patient care( service) equation is key in delivering value to both physicians and patients.
Does your healthcare practice store your patient data aka electronic protected health information (ePHI) in the cloud or at a third party data center? If so, then you have some work to do. As a covered entity, you need to sign a business associate agreement( BAA) with your vendor if you haven’t already. If the vendor refuses to sign one, then find another vendor who does.
Sept 23, 2013 is fast approaching. That’s the date by which your business associates and their sub-contractors have to be in compliance with the HIPAA final “Omnibus” Rule. The final rule released earlier this year, not only expands the definition of a “business associate”( BA) under HIPAA, but also holds BAs and their subcontractors responsible for being in compliance with HIPAA and subject to any criminal and civil liability for violating certain provisions of HIPAA.
The expanded definition of a BA now includes:
Under this new rule the number of BA that your healthcare practice deals with might have changed. Here’s what you need to do:
- Persons who "create, receive, maintain or transmit" ePHI.
- Persons who "maintain" ePHI on behalf of a covered entity, even if the person does not actually view the ePHI. For example, most document storage companies and cloud computing providers that maintain ePHI on behalf of a covered entity are business associates.
- Subcontractors - persons who perform functions for or provide services to a business associate are also business associates if they access or store ePHI.
- Make a list of all third party vendors that you work with, that fall under the revised definition of a BA. This list should encompass IT vendors like data storage companies, IT service providers that maintain your systems, cloud service vendors, billing companies, transcriptionists, etc.
- Interview them and question them regarding their HIPAA compliance efforts. Ask them about their security measures and adoption of best practices to protect the ePHI.
- Ask them if they ever conducted a business technology risk assessment. Any vendor who claims to be HIPAA compliant will be proud to tell you about their security measures and should be able to address all your concerns effectively.
- Negotiate and execute an effective BAA that spells out the BA’s legal responsibilities and liabilities in the event of a data breach.
A signed BAA ensures that the BA understands their legal responsibilities to protect the ePHI and have implemented reasonable and appropriate measures to ensure the security and privacy of ePHI and comply with the HIPAA Security Rule.
As a covered entity, ultimately it is your responsibility to protect the ePHI of your patients. Your reputation and financial well-being depend on it. Having a clearly written and executed BAA in place, can serve to mitigate the financial damage to your practice in the event of a third party data breach.
Does your healthcare practice conduct patient satisfaction surveys? Do you ask your patients these follow-up questions:
- How was your experience at our facility?
- How long did you have to wait in the waiting room before you were taken in?
- How long did you wait in the exam room before the doctor saw you?
- Was the doctor engaging? Did he answer all your questions?
- Did you have all the relevant information you needed regarding your health before you left our facility?
- Did you encounter any issues at our facility?
- How can we improve your experience at our facility?
- Would you recommend your doctor and our facility to others?
All other businesses except healthcare, focus on the customer experience. They conduct periodic customer satisfaction surveys to find out how their clients are experiencing their service. They try to do everything they can to make their clients happy and hope that they get a good recommendation for their work. Even small and medium sized business use readily available and affordable technology to solicit customer feedback and identify areas of improvement in their business. So why is this type of customer focus an exception rather than a rule in the healthcare business? Why does every healthcare practice not have an Patient Relationship Officer (PRO), an individual accountable for patient (Client) satisfaction?
Healthcare is after all a service business. One would expect that the patient satisfaction would be the focus of any healthcare practice. Making it convenient for the patient to see their doctor, understanding patient issues, and delivering quality care would be the norm. It sure doesn’t feel that way. Patients experience long wait times, rude/ incompetent staff during their visits. They get talked down to and come away with a feeling that they have been done a favor by the doctor and his staff when in fact the patients are the ones who are paying for the services. But if not for patients, there would be no need for doctors.
Somehow it is very convenient for administrators and staff of a healthcare practice to blame the “system”, shrug their heads and say that its always been done that way. It’s as if this “system” is a nebulous amorphous entity that can’t really change, when in fact the “system” is made up of living breathing people, who have created policies and procedures that dictate how their healthcare practice operates.
Due to the shortage of primary care providers, the demand for their services is so high that many practices are not accepting new patients. Finding new patients is not a concern for them. The patient has become a replaceable commodity available in plenty. After all, where is the patient going to go? To another healthcare practice where the system works in the probably the same way? In any business when the demand for the product or service far exceeds the supply, there is no real incentive for the provider to focus on customer satisfaction.
Yet a focus on the patient satisfaction is precisely what needs to happen to deliver quality care and make this healthcare “system” work for the benefit of those who need it, when they need it. Great leaders within organizations do not waste time blaming the system. They go about changing it for the better. Great service organizations know that it takes effort and an unrelenting customer focus to deliver extraordinary service. I am sure that almost all doctors care about their patients and want to do the best for their patients. They are intimately aware of the inefficiencies in their practices and even have innovative ideas for improving the quality of patient care. Customer satisfaction surveys are a great way to get patient feedback, collect data, measure performance metrics, identify areas of improvement and implement measures that will improve workflow efficiency and ultimately quality of patient care. It also arms those in the organization that want to improve the “system”, with undeniable proof of what is working and what needs to be changed.