Healthcare Information Technology

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and on the requirement that appropriate controls be in place to ensure the confidentiality, integrity, and availability of data.

While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements.

The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products.

The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a recruitment tool for clinical investigations, or the use of EHR data in postmarketing observational pharmacoepidemiologic studies that assess adverse events and risks associated with drug exposure or those that are designed to test prespecified hypotheses for such studies.

The FDA is aware that EHRs have the potential to provide researchers with access to real-time data for reviews and allow post-trial follow-ups on patients to determine the long-term effectiveness of specific treatments. They also provide access to the data of large numbers of patients, which can be particularly useful in clinical investigations, especially when certain outcomes are rarely observed. The use of EHR data in clinical investigations is broadly encouraged by the FDA.

However, it is important for best practices to be adopted to ensure patient privacy is protected, data integrity is maintained, and data are secured at all times.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 required the Office of the National Coordinator of Health IT (ONC) to establish a voluntary certification program for Health IT. Certified EHRs comply with 45 CFR part 170 of the HITECH Act which covers interoperability and data security and confirms EHRs meet minimum requirements for privacy and security.

The FDA recommends that only certified EHR systems be used in clinical investigations and that policies and procedures on their use be developed. The FDA also recommends that a list of EHR systems be maintained, detailing the manufacturer of the system, the model number, the version number, and whether it is certified by ONC.

There may be times when EHRs are de-certified by ONC during the clinical investigation, as they may no longer meet appropriate standards. In such cases, sponsors should determine the reason for de-certification and its impact on the quality and integrity of data used in the clinical investigation.

At times, it may be necessary to incorporate data from EHR systems used in other countries, which are not certified by ONC. While the use of data from these systems is acceptable, and can be highly beneficial for clinical investigations, sponsors should evaluate whether the systems have appropriate privacy and security controls in place to ensure the confidentiality, integrity, and availability of data.

Sponsors should ensure that policies and procedures for these EHRs are in place at the investigation site and appropriate measures have been implemented to protect study data. They must also ensure that access to the electronic systems housing the EHRs is limited to authorized personnel. Authors of the records must be clearly identifiable, audit trails need to be maintained, and records need to be available and retained for FDA inspection.

If these controls are not in place, sponsors should consider the risks associated with using those systems, including the potential for harm to research subjects, the impact on data integrity of the clinical investigation, and the regulatory implications.

The guidelines also suggest EHRs not certified by ONC should meet various data standards, and the guidance offers advice about choosing between structured and unstructured data, and the validation of interoperability between EHRs and electronic data capture (EDC) systems.

The post FDA Issues New Guidance on Use of EHR Data in Clinical Investigations appeared first on HIPAA Journal.

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes.

In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A Type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care.

150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of the NHS’s EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is used in many GP practices throughout the UK.

A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was unaware that opt-outs had been registered. Patients affected had opted out after March 31, 2015.

Action has now been taken to correct the error and all patients affected have been notified. NHS Digital has also contacted all organizations with whom the data were shared and they have been instructed to permanently delete the data received since the opt-outs were registered.

The NHS had implemented changes prior to the discovery of this breach that will prevent such an incident from occurring in the future. The Type 2 opt-outs have now been replaced with a national opt-out system, in which patients are able to control their data sharing preferences via a secure website, by phone, or by submitting a written request. This system ensures that NHS Digital receives the requests directly, rather than the previous arrangement in which the requests were recorded via GP practices on a third-party system.

While the issue has now been corrected and similar privacy breaches should be prevented, what is of particular concern is the length of the breach. This suggests the appropriate processes were not in place to continuously monitor the EHR system for errors.

Healthcare organizations in the U.S. should take note of the breach and take steps to ensure similar privacy breaches cannot occur at their own organization. It is important to ensure that current and future vendors have appropriate systems in place to monitor for errors and security flaws and that they meet all appropriate standards.

While EHR vendors, as business associates, can be fined directly for errors and mistakes that lead to the exposure of PHI, healthcare providers can similarly be fined if they have failed to obtain assurances that HIPAA Rules will be followed by their vendors, and breaches can also cause significant damage to reputation.

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in-the-middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and to the increased use of Unicode characters to create fraudulent domains for use in phishing attacks.

API Attacks Could Be the Next Big Attack Vector

Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to sensitive data. Vulnerabilities in APIs could be a weak point, and several cybersecurity experts believe APIs could well prove to be the next biggest cyber-attack vector.

API usage in application development has become the norm; after all, it is easier to use a third-party solution than to develop a solution from scratch. APIs allow healthcare organizations to integrate third-party services. A study by One-Poll suggests that on average, businesses are managing 363 different APIs, and two thirds of organizations expose their APIs to the public or to their partners. As with any software solution, if vulnerabilities exist, it is only a matter of time before they are exploited.

Torsten George at Security Week has explained several ways that APIs can be exploited to gain access to sensitive data.

Unicode Characters Used in Convincing Impersonation Attacks

The ability to include Unicode characters in domain names is allowing cybercriminals to easily create highly convincing domains using homographs. These domains can be virtually indistinguishable from the genuine domain to the casual eye, making them ideal for use in phishing attacks. Examples include the use of the Cyrillic small letter a in place of a standard a, or the use of the Latin small letter iota or the Latin small letter dotless i in place of an i. Farsight Security has released a useful report on the matter in its Global Internationalized Domain Name Homograph Report.
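As an added defender-side example (not part of the HIMSS report or the HIPAA Journal article), the following Python check flags domain labels that mix scripts or contain the look-alike characters named above. The confusables table and the sample domains are constructed for illustration; a production check would use the full Unicode confusables list (UTS #39) rather than this hand-picked subset.

```python
"""Flag internationalized domain names (IDNs) that mix scripts or use
confusable look-alikes of ASCII letters, so they can be reviewed before
a mail gateway or proxy lets them through."""
import unicodedata

# Constructed look-alike table: the characters the HIMSS summary calls out
# plus a few common Cyrillic confusables. Not an exhaustive list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0269": "i",  # LATIN SMALL LETTER IOTA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_unicode(domain):
    """Decode "xn--" (A-label) labels to their Unicode (U-label) form.
    Labels that are already Unicode pass through unchanged."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def script_of(ch):
    """Approximate the script of a letter from its Unicode character name.
    Good enough for alphabetic characters, which is all we inspect."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"):
        if name.startswith(script):
            return script.title()
    return "Other"


def skeleton(label):
    """Replace each known confusable with the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain, protected):
    """Return a list of findings for `domain`; an empty list means nothing
    suspicious. `protected` is the list of brand domains we want to defend."""
    findings = []
    udomain = to_unicode(domain)
    for label in udomain.split("."):
        # Check 1: a single label drawing letters from two or more scripts.
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixed scripts {sorted(scripts)}")
        # Check 2: presence of any known look-alike character. This catches
        # same-script substitutions (e.g. dotless i for i) that check 1 misses.
        if any(ch in CONFUSABLES for ch in label):
            findings.append(f"{label!r}: contains confusable characters")
    # Check 3: after normalising look-alikes, does it collide with a protected name?
    for target in protected:
        if udomain != target and skeleton(udomain) == target:
            findings.append(f"{udomain!r} looks like protected domain {target!r}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a genuine domain and two homograph imitations.
    brands = ["apple.com", "microsoft.com"]
    for sample in ["apple.com", "\u0430pple.com", "m\u0131crosoft.com"]:
        print(sample, "->", analyze(sample, brands) or "clean")
```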

New USB-Based Attack Method Identified

A new attack method has been detailed by Eleven Paths on the exploitation of hidden networks created via USB devices. This attack method could allow access to be gained to isolated computers not connected to the Internet. Simply disconnecting a computer from WiFi or not connecting the device to a network via an Ethernet cable may not be sufficient to prevent a malicious actor from gaining access to the device and sensitive data, as was demonstrated by the infection of an isolated computer with Stuxnet malware at a nuclear power plant.

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs.

Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps

Mobile health apps can collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as Protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules.

However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers.

There is even greater cause for concern when PHI flows from a healthcare provider to a health app. Consumers may not be aware that their PHI ceases to be PHI when it is transferred to the app and that app developers would not be bound by HIPAA Privacy Rule requirements that prohibit the sharing of health data with third parties.

“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” explained AHA in its comments.

AHA suggests the CMS work closely with the Office for Civil Rights and the Federal Trade Commission to develop a consumer education program to communicate this to consumers.

AHA suggests that the education program should explain to consumers the distinction between PHI and health data in health apps, that app developers may choose to share health data with third parties, and that it is important for consumers to carefully review the privacy policies and terms of conditions of the apps to find out what is likely to happen to their data and with whom the information is likely to be shared.

A Secure App Ecosystem Must Be Developed

Health apps can allow patients to engage with their healthcare providers and encourage them to take greater interest in their own health care. AHA notes that “America’s hospitals and health systems are committed to moving forward with new forms of sharing health information with individuals.”

The CMS has proposed that healthcare providers should allow any application of a patient’s choice to connect with their APIs, provided they meet the technical specifications of the API. While sharing healthcare information in this manner will help to engage patients in their own health, there are security issues to consider. “We believe that CMS must balance the pace for moving in this positive direction with the real and developing risks that this approach raises for systems security and the confidentiality of health information,” wrote AHA.

To improve confidence in the security of provider-to-patient exchange, AHA suggests stakeholders should work together to develop a secure app ecosystem for the sharing of health data. Standards should be developed to ensure a baseline of security, similar to the Payment Card Industry Data Security Standard (PCI DSS), and there should be a vetting process for apps, similar to that used by the CMS before apps can connect to Medicare claims data via the Blue Button 2.0 API.

In the case of PCI DSS, safeguards need to be incorporated to ensure the security of payment card data. In the case of the Blue Button 2.0 system, an app evaluation process exists to assess apps before they are permitted to connect. Developers must also agree to the terms and conditions of the CMS. Not every app that meets the technical specifications of the API is permitted to connect.

The AHA suggests the protections put in place by the CMS could serve as a basis for a sector-wide approach to developing a trusted app ecosystem.

Concern has also been raised about the potential for healthcare organizations that deny an app from connecting to their API out of security concerns to be seen to be information blocking, thus placing them at risk of a meaningful use payment penalty. CMS suggests, “To ensure that reasonable actions to secure systems are not considered noncompliant, we recommend that CMS work with ONC and OIG to ensure that these protective measures are included in the forthcoming guidance on actions that do not constitute information blocking.” Further, CMS recommends “CMS work with ONC and FTC to develop a place for hospital and health systems to report suspect apps so that others can be aware and take needed steps.”

Qcentive Controls AWS Costs & Enables Cloud Computing in Healthcare with ParkMyCloud

The Massachusetts-based healthcare startup Qcentive, the developer of a cloud-based platform that helps healthcare companies with the creation and management of value-based contracts, was one of the first companies authorized to move healthcare data to the cloud.

The first-in-class transaction platform has been certified as HIPAA compliant and incorporates appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI. The company uploads patient and healthcare contract information to AWS, where the data are accessed by the company’s application.

The platform helps its health plan clients and their value-based contracting providers analyze claims data and patient information such as emergency room visits and use the information to quickly calculate potential savings.

While developing the platform, Qcentive uploaded large quantities of patient and claim data to AWS and created AWS resources as necessary, although as many companies discover, AWS costs can quickly mount up. Qcentive tried to find a way to keep its AWS costs under control, starting with rightsizing resources and using Reserved Instances. That resulted in savings of around 30%-40% over their on-demand EC2 costs. However, such a strategy was not ideal, as Reserved Instances require a long-term commitment for non-production instances.

Qcentive was running instances 24/7/365 and was being charged by the minute, even though those resources did not need to be running round the clock and were often underutilized. The company experimented with switching off resources using standard AWS tools and restarting them when needed. However, that tactic lacked flexibility and greater user governance was required.

The firm searched for a tool that allowed automated scheduling of AWS resources and discovered ParkMyCloud. The ParkMyCloud platform allowed Qcentive to run instances 12 hours a day instead of 24, halving the company’s cloud costs.

Using the platform to automate and schedule resources resulted in immediate savings of 20% on its AWS bill, while maintaining flexible access for its end users. Schedules are set on resources with them typically running 12 hours a day Monday to Friday. If access to resources is required outside of the scheduled hours, such as over the weekend, they can be easily switched back on via a mobile app.

Now the firm is placing all AWS instances, databases and auto-scaling groups on a schedule and only turns the instances on when there is a workload to run. Around 40%-50% of its resources are now only running Monday to Friday, resulting in significant savings. The cost of the ParkMyCloud platform is covered through the savings that have been realized, and the firm is now saving far more than was possible using Reserved Instances.

“Reserved Instances look great the day you buy them, but then the first time you have to change the size on something, all of the sudden you’ve got Reserved Instances that you’re not using anymore. With ParkMyCloud that never happens. It’s all savings,” said Bill Gullicksen, Director of IT, Qcentive.

Vulnerabilities Identified in Medtronic MyCareLink Heart Monitors

ICS-CERT has issued an advisory about two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors.

The devices are used by patients with implantable cardiac devices to transmit their heart rhythm data directly to their clinicians. While the devices have safeguards in place and transmit information over a secure Internet connection, the vulnerabilities could potentially be exploited by a malicious actor to gain privileged access to the operating system of the devices.

The vulnerabilities – a hard-coded password vulnerability (CWE-259 / CVE-2018-8870) and an exposed dangerous method or function vulnerability (CWE-749 / CVE-2018-8868) – exist in all versions of the 24950 and 24952 MyCareLink Monitors.

The former has been assigned a CVSS v3 score of 6.4 and the latter a CVSS v3 score of 6.2. The vulnerabilities were discovered by security researcher Peter Morgan of Clever Security, who reported the issues to NCCIC.

Exploitation of the hard-coded password vulnerability would require physical access to the device. After removing the case, an individual could connect to the debug port and use the hard-coded password to gain access to the operating system.

Debug code in the device is used to test the functionality of the communications interfaces, including the interface between the monitor and the implanted cardiac device. After using the hard-coded password, an attacker could gain access to the debug function and read and write arbitrary memory values, provided that individual is in close proximity to the patient with the implanted cardiac device.

While exploitation of the vulnerabilities is possible, Medtronic has determined that the risks are ‘controlled’, i.e., a sufficiently low and acceptable risk of patient harm. An attacker would need physical access to the monitor and would have to be in close proximity to the patient at the same time. It is not possible to exploit the vulnerabilities remotely.

Medtronic is implementing mitigations and will be issuing automatic software updates to prevent exploitation of the vulnerabilities. The updates are being rolled out as part of its standard update process. Medtronic notes there have been no reported cases of the vulnerabilities being exploited.

Patients can reduce the risk of exploitation of these vulnerabilities by maintaining sound physical controls to prevent unauthorized access to their patient monitor. Medtronic has pointed out that the use of secondhand MyCareLink patient monitors, or those obtained from unofficial sources, carries a much higher risk of exploitation of the above vulnerabilities. Patients should only use MyCareLink patient monitors that have been obtained directly from Medtronic or their clinicians. Any concerning behavior of patients’ home monitors should be reported to their healthcare providers or Medtronic.

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

A recent HIMSS survey has confirmed that medical device security is a concern and strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices.

For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys.

85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium-sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements.

Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed just how much of a risk is involved – to providers as well as patients.

A recent MedCrypt-funded study from the University of California Cyber Team has revealed some healthcare organizations have experienced cybersecurity incidents involving insecure medical devices that have had an adverse effect on patients. The organizations that had experienced incidents involving compromised medical devices said between 100 and 1,000 patients had been affected.

“While most life sciences and healthcare organizations understand the need to strengthen device security, many are struggling with legacy devices that were never designed to be internet-accessible – and with the explosion of ransomware and sophisticated cyberattacks like WannaCry, that can put both the provider and the patient at risk,” said Bill Parkinson, global senior director, Unisys Life Sciences and Healthcare.

Respondents to the HIMSS/Unisys survey were asked what security measures they had in place to secure their medical devices. 85% said they used firewalls and network access control systems, although only 53% said they used segregated networks for medical devices, even though segmentation of networks can help organizations manage risk.

“To ensure proper security, all devices require equally strong protection – firewalls alone are not enough in today’s environment,” said Parkinson. “In this regard, microsegmentation, the ability to segment and restrict network and device data to pre-authorized groups of users and devices, can be a critical asset for hospitals and medical providers.”

The survey also investigated how healthcare providers are capturing and managing data collected by medical devices. Approximately 60% of healthcare providers said they were ready for a device audit at all times, but fewer than a third of providers were capturing device data in real-time.

“The importance of having access to real-time data cannot be underestimated. Not only can data analytics help life sciences and healthcare organizations reduce device downtime by ensuring devices are operational, it can significantly improve audit readiness and better inform future purchasing decisions,” said Parkinson.

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research.

The survey was conducted on 770 hospital-based users and 1,279 physician practices between Q4 2017 and Q1 2018.

The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform.

85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platforms are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability.

98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly.

Many providers of secure text messaging solutions have developed their platforms specifically for the healthcare industry. The platforms incorporate all the necessary safeguards to meet HIPAA requirements and ensure PHI can be transmitted safely and securely. Text messaging is familiar to almost all employees who are provided access to the platforms and they make communication quick and easy.

However, 63% of respondents to the survey said they are still facing ongoing challenges with buy-in of general mobile adoption strategies and related enterprise technology execution.

30% of respondents said that even though secure methods of communication have been implemented such as encrypted text messaging platforms and secure email, they are still receiving communications on a daily basis from unsecured sources that contain personally identifiable information such as patients’ names and birthdates.

Part of the study involved an assessment of cybersecurity and privacy software and services, allowing the company to identify the vendors that are most highly regarded by customers. TigerText, the market leading provider of secure text messaging solutions for the healthcare industry, was rated highly across the board, as were Vocera, Spok, Doc Halo, and Imprivata.

Doc Halo was the highest rated secure communications platform provider among physician organizations, with Perfect Serve, Patient Safe Solutions, OnPage, Telemediq, and Voalte also scoring highly. Spok ranked highest among hospital systems and inpatient organizations, with Qlik and Cerner also receiving high marks.

“Stakeholders across the healthcare industry are in the quest of finding solutions to use comprehensive real-time data and connectivity cleverly to advance patient safety, productivity and profitability,” said Doug Brown, president of Black Book Market Research. “Organizations are adopting secure text messaging platforms because texts are convenient, as well.”

Apple Launches API for Developers to Allow EHR Data to be Used in Care Management Apps

Apple has launched a new application programming interface (API) for developers that will allow them to create health apps that incorporate patients’ EHR data. Patients who load their EHR data into the Apple Health Records app will be able to pass the information directly to third party apps.

The move allows app developers to create a wide range of apps that can help patients manage their care. The first apps that will be allowed to access EHR data, if permitted by the patient, should be available in the fall to coincide with the release of iOS 12.

One such app that can be used in connection with EHR data through the Apple Health Records app is Medisafe. The Medisafe app will allow patients of participating health systems to download their prescriptions lists and set reminders when their medications need to be taken. The app will also alert them to any potentially harmful interactions between their medications.

Apple suggests apps could be developed to help patients manage their medical conditions. Access to EHR data will allow those apps to provide more accurate and useful recommendations.

Apps that help patients with nutrition could benefit from access to blood sugar readings and cholesterol levels, as could those that provide help with meal planning. The API will also help patients share their health data with researchers far more easily.

Privacy of Protected Health Information

Apple has avoided being classed as a business associate by ensuring no protected health information passes through its servers. If patients decide to download information from their electronic health records into the Apple Health Records app, the information is passed from their provider directly to their iPhone. No protected health information passes through Apple’s servers or is stored by Apple. All EHR data downloaded to the app are stored securely on the device and are encrypted. If the patient decides to allow third-party apps to have access to their data, that information will pass directly from their iPhone to the third-party app.

Patients who use the Apple Health Records App to view or store information taken from their EHRs should bear in mind that while data are secure on their device, that may not be the case with third-party apps.

While EHR data is subject to HIPAA laws and must be secured by patients’ healthcare providers, if the information is downloaded and provided to a third party, HIPAA Rules will not apply to any transferred data.

Patients should therefore carefully check the terms and conditions and privacy protections of any third-party app developer before passing their health data to a third-party app.

Any developers that decide to take advantage of the new Health Records API should ensure privacy and security is built into the core of the design of their apps. While app developers may not be bound by HIPAA requirements, the information provided to the apps is highly sensitive and appropriate security controls should be applied to ensure it remains confidential.
