Healthcare Information Technology

HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement

Posted by HIPAA Journal

The HHS’ Office of the National Coordinator for Health IT (ONC) has released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA) and is seeking comments on the updated text.

The purpose of TEFCA is to help ensure there is seamless, interoperable exchange of health information, which is critical to the creation of a health system that empowers providers and patients and delivers better healthcare at a lower cost.

The 21st Century Cures Act promoted a national framework and common agreement for the trusted exchange of health information. The framework is required as there is currently no core exchange mechanism that can be used by healthcare providers, health plans, vendors, public health departments, and federal, state, local and tribal governments. Trusted exchange is too complex.

Currently, multiple exchange methods need to be used. The majority of hospitals use three or four exchange methods and three in ten use more than five methods. This approach is inefficient and expensive. Healthcare organizations are having to build several point-to-point interfaces to communicate health information with each other. The Trusted Exchange Framework will reduce the need for individual interfaces to be developed and maintained.

The five key goals of TEFCA are to create a single on-ramp for nationwide connectivity, to ensure electronic information is available whenever and wherever it is needed, to build a competitive market to allow all entities to compete on data services, to support nationwide scalability for network connectivity, and to achieve long-term sustainability.

In addition to helping healthcare entities efficiently exchange health information, the trusted exchange framework has important benefits for patients, including the ability to find all of their health information that has been recorded by multiple providers, even if they do not remember the names of those providers. This will help patients and their caregivers to participate more fully in their care and manage their health information.

After publishing the first draft of TEFCA, ONC received more than 200 comments from industry stakeholders. After careful consideration of the comments, ONC has made key revisions to the Trusted Exchange Framework (TEF) and the Minimum Required Terms and Conditions (MRTCs) for trusted exchange and has released the first draft of a Qualified Health Information Network (QHIN) Technical Framework.

Together, these documents form the basis of a Common Agreement for QHINs and their participants and include technical and legal requirements for the sharing of electronic health information nationwide across disparate networks.

ONC will be responsible for maintaining the TEF and the HHS is looking to appoint a non-profit industry-based organization – a Recognized Coordinating Entity (RCE) – to develop, update, implement and maintain the Common Agreement. The HHS has announced the release of a notice of funding opportunity to engage an RCE. Applications will be received up until June 17, 2019.

“We expect that the implementation of the Trusted Exchange Framework and the Common Agreement, will bring us all that much closer to achieving the administration’s goals of nationwide interoperability,” said HHS’ national coordinator for health information technology, Dr. Donald Rucker.

The HHS is seeking comments on the second draft of TEFCA until June 17, 2019.

The post HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement appeared first on HIPAA Journal.

HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability

Posted by HIPAA Journal

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information to June 3, 2019.

Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data.

The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for healthcare organizations.

Two other factors influenced the decision to extend the deadline. There appeared to be some confusion over HIPAA and whether healthcare providers are accountable for how patients use their health data. Also, the ONC has recently released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA), which could factor into comments. While there is not a great deal of overlap between TEFCA and the ONC/CMS proposed rules, both do cover interoperability and operate in the same space.

In addition, the HHS’ Office for Civil Rights has released a new FAQ for patients to explain the HIPAA right of access in relation to health apps used by patients and application programming interfaces (APIs) used by healthcare providers’ electronic health record systems. The FAQ confirms that after a patient discloses health information via an app, subsequent uses and disclosures are only the responsibility of the healthcare provider if the app developer is one of the healthcare provider’s business associates.

The post HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability appeared first on HIPAA Journal.

AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology

Posted by HIPAA Journal

Amazon Web Services’ chief technology officer, Werner Vogels, has been dispelling security myths about cloud computing at the Dublin Tech Summit in Ireland this week.

Concerns have been raised about the security of data stored in the cloud, especially following the discovery that 540 million Facebook records had been exposed on AWS: One of several high-profile data breaches that have involved AWS-stored data in the past 12 months.

Fears About Compliance and the Cloud

Companies required to comply with General Data Protection Regulation (GDPR) must ensure that the personal data of EU citizens is secured and kept private and confidential. Since GDPR came into effect on May 25, 2018, the potential penalties for data exposures have increased significantly. It is therefore understandable that companies are concerned about storing data in the cloud rather than on-premise infrastructure that they feel better able to secure.

Germany’s federal commissioner, Ulrich Kelber, spoke before Vogels at the Tech Summit and voiced his concerns about American cloud storage providers, stating that they should not be used for hosting police data as there was a risk of snooping. The federal commissioner was particularly concerned about the passing of the Cloud Act in 2018, which could allow federal law enforcement to gain access to data stored by U.S. technology companies.

Many companies in the United States are also wary about using the cloud for storing sensitive data such as protected health information, and the potential for HIPAA violations. As is the case with GDPR, the penalties for data exposure can be severe and, for small healthcare organizations, potentially catastrophic.

Vogels explained that cloud security should not be a concern and storing data on AWS is perfectly secure. His advice to all AWS users is “encrypt everything,” but at a minimum, make sure that all personally identifiable information is encrypted.

By encrypting data, companies can meet the requirements of GDPR, HIPAA, and other federal and state regulations. As for the Cloud Act, if a technology company is issued with a warrant to release data, if the AWS customer has encrypted their data using modern encryption standards, and only they hold the key to decrypt the data, it is perfectly secure. Any conversation about data access is then between law enforcement and the customer. AWS will not be involved.

Vogels also explained that AWS has improved its controls to make it harder for data to be exposed. All customer information is now closed off by default. It takes a deliberate action to remove AWS protections and leave data accessible. Should that happen, major red flags are raised.

Vogels said, “We’re very strong believers that the best way to help our customers protect themselves from whatever bad actors you can imagine is to ensure encryption is as easy to use as any other digital service.” Encryption is offered through AWS to make securing sensitive data as easy as possible.

Voice Technology Has Huge Potential

Vogels also spoke about one potential big area for Amazon. Big even by Amazon’s standards. Vogels said Amazon is not looking to invest in technologies that will add $100 million to the balance sheet. Amazon is looking for billion-dollar plus opportunities. Alexa voice technology is a prime example.

Amazon Alexa is the leading voice technology and has already found uses in healthcare. HIPAA was something of a stumbling block as the regulations covering protected health information are strict, but Amazon has recently solved that problem. Amazon is offering business associate agreements to a select group of companies and has made sure that its voice tech can transfer data securely in a manner compliant with HIPAA Rules. Last week Amazon announced that six new healthcare skills had been launched that could be used in connection with PHI. The company will be collaborating further with healthcare organizations, although by invite only at this stage.

Skills have also been developed by WebMD which allow users to ask questions about their symptoms using voice commands rather then entering information on a website. These skills are just the tip of the iceberg and the potential uses of voice technology in healthcare are huge. Alexa could even be used by people to gain access to healthcare information stored in their EHRs in the not too distant future.

Vogels certainly believes voice technology is the way forward and thinks voice commands will be the main way that people interact with digital systems in the future.

The post AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology appeared first on HIPAA Journal.

FDA Considers New Review Framework for AI-Based Medical Devices

Posted by HIPAA Journal

AI-based medical devices can be used to identify diseases and individuals at risk of developing medical conditions. They can perform a great deal of time-consuming work on behalf of doctors and radiologists and can help to speed up the diagnosis of diseases. Faster diagnoses mean patients can receive treatment more quickly at a time when it is most likely to be effective. They can also help to identify the most effective treatments to allow personalized medicine to be provided.

Currently, the U.S. Food & Drug Administration (FDA) performs reviews of medical devices as part of its market authorization processes. Generally, in order to be granted market authorization the algorithms used by the devices need to be locked and not have the ability to learn each time they are used.

These locked algorithms can be subsequently updated by developers at intervals using new data, but after those updates have been applied, the devices need to be subjected to a further manual review and the updated algorithm must be validated.

The FDA authorized two AI-based medical devices in 2018: An AI-based device which can detect diabetic retinopathy and another that can generate alerts for providers of potential strokes in patients. The FDA anticipates there will be many more such devices developed for use in healthcare and is looking to formalize the review process.

In healthcare, there is tremendous potential for adaptive algorithms that continuously update rather than those that require periodic developer updates. Adaptive algorithms learn from new data through real world use and get better over time.

These algorithms could, for example, be used to identify cancerous lesions. Adaptive algorithms could learn to improve the level of confidence in detections of cancerous lesions and could potentially identify different sub-types of cancer based on real-world feedback.

The FDA is looking to develop a regulatory framework that will allow AI-based medical devices to be authorized for use which incorporate machine learning and is considering easing restrictions on adaptive algorithms. To start that process, the FDA released a discussion paper on a new framework for the AI-based medical devices on April 2, 2019.

The framework is based on the FDA’s benefit-risk framework, the International Medical Device Regulators Forum risk categorization, the risk management principles of the software and the device manufacturer’s total product lifecycle.

In certain situations, it would be necessary for the device makers to provide the FDA with a new submission and obtain additional approval, but in general, the framework would not require additional reviews to be conducted for updates to the devices made through their adaptive algorithms.

The document is only a discussion paper that outlines the FDA’s thinking. It doesn’t count as guidance, but it does start a conversation about medical devices that use adaptive algorithms and shows the FDA appreciates that its current regulatory framework for software-as-a-medical device needs to change.

The FDA has detailed its proposal in the PDF document: Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device. The FDA has requested feedback on the proposed document, which can be downloaded here.

The FDA say the document is “the foundational first step to developing a total product lifecycle approach to regulating these algorithms that use real-world data to adapt and improve.”

“As algorithms evolve, the FDA must also modernize our approach to regulating these products. We must ensure that we can continue to provide a gold standard of safety and effectiveness. We believe that guidance from the agency will help advance the development of these innovative products,” said FDA Commissioner Scott Gottlieb, M.D.

The post FDA Considers New Review Framework for AI-Based Medical Devices appeared first on HIPAA Journal.

Amazon Announces 6 New HIPAA Compliant Alexa Skills

Posted by HIPAA Journal

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules.

The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, receive their latest blood sugar reading, and check the status of their prescriptions.

This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can now be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.

Amazon has stated that it plans to work with many other developers through an invite-only program to develop new skills to use within its HIPAA-eligible environment. Amazon is offering those organizations business associate agreements to meet HIPAA requirements. The initial roll-out has been limited to six new HIPAA compliant Alexa skills as detailed below:

New HIPAA Compliant Alexa Skills

The purpose of the new skills is to allow patients, caregivers, and health plan members to use Amazon Alexa to manage their healthcare at home through voice commands. The skills make it easier for patients to perform healthcare-related tasks, access their health data, and interact with their providers.

The six new HIPAA compliant Alexa skills are:

Express Scripts

Members of the Express Scripts pharmacy services organization can check the status of a home delivery prescription and can ask Alexa to send notifications when prescriptions have been shipped and when they arrive at their door.

Cigna Health Today

Employees who have been enrolled in a Cigna health plan can use this Alexa skill to check wellness program goals, receive health tips, and access further information on rewards.

My Children’s Enhanced Recovery After Surgery (ERAS)

Parents and caregivers of children enrolled in Boston Children’s Hospital’s ERAS program can send updates to their care teams on recovery progress. Care teams can also send information on post-op appointments and pre- and post-op guidance. Initially, the skill is being used in relation to cardiac surgery patients, although the program will be expanded in the near future.

Livongo Blood Sugar Lookup

Participants in Livongo’s Diabetes Program can query their latest blood sugar reading from their device, check blood sugar monitoring trends such as their weekly average reading, and receive personalized health tips through their Alexa device.

Atrium Health

Atrium Health’s new Alexa skill allows patients to find urgent care locations near them and schedule same-day appointments, find out about opening hours, and current waiting times. Initially the Alexa skill is being offered to customers in North and South Carolina.

Swedish Health Connect

Providence St. Joseph Health has created an Alexa skill that allows patients to find Swedish Express Care Clinics in their vicinity and schedule same day appointments at 37 of its locations on the west coast.

The post Amazon Announces 6 New HIPAA Compliant Alexa Skills appeared first on HIPAA Journal.

Malware Alters CT Scans to Create and Remove Tumors

Posted by HIPAA Journal

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans.

The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment.

In addition to adding tumors to medical images the malware could be used to remove real tumors. The former could be conducted for political reasons such as preventing a candidate from running for office, the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotaging of medical trials, and cyber terrorism.

Prior to a patient being prescribed radiation therapy or chemotherapy additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient appear healthy could have much more serious implications. Treatment could be delayed until a point when it is too late to be effective.

The researchers used a deep learning neural network called a generative adversarial network to alter the CT scans intercepted by the malware.

The attack scenario demonstrated by the researchers would require a man-in-the-middle device to be built and physical access to a hospital. The device could be planted close to the scanner, such as at night when there is less chance of detection. With the device in place it would be possible to intercept CT scans and manipulate them at will.

The researchers created such a device from a Raspberry Pi 3 which was connected to a USB to Ethernet adapter. Both could be purchased for around $40.

The device was loaded with the Raspbian OS and was configured as a network bridge and set up as a WiFi access point. Once connected to the network, the device was capable of intercepting scan data as it was sent to the PAC system. The attacker had full control over scan data and could alter it at will and create or remove any number of tumors while retaining the same anatomy as the original scans.

But how effective is the malware at altering CT scans? Were the alterations good enough to fool trained radiologists?

In tests, 70 images were manipulated. The accuracy of the alterations was such that it was possible to fool three radiologists in 99% of instances where fake tumors were added and 94% of images where real tumors were removed. The altered images fooled AI systems every time.

When the radiologists were made aware that scans had been altered, in a second test using a mix of genuine and doctored images, they were still fooled by 60% of the images that had tumors added and 87% of images where tumors had been removed.

In the tests, the researchers used lung scans and injected fake tumors, but brain tumors could be created or removed just as easily and the system could be used on a wide range of health conditions such as bone fractures, blood clots, or spinal problems.

The alteration of images would be difficult to detect as scans are typically not encrypted nor digitally signed. Healthcare organizations are usually good at implementing robust perimeter controls to prevent attacks from remote threat actors but are less good at protecting internal networks. This eggshell approach to security leaves hospitals vulnerable to attacks conducted inside the facility by malicious insiders.

A video of the simulated attack can be viewed on the following link: https://youtu.be/_mkRAArj-x0

 

The post Malware Alters CT Scans to Create and Remove Tumors appeared first on HIPAA Journal.

Study Reveals Health Information the Least Likely Data Type to be Encrypted

Posted by HIPAA Journal

Health information is the least likely data type to be encrypted, even though health information is highly valuable to cybercriminals, according to the Global Encryption Trends Study conducted by the Ponemon Institute on behalf of cryptographic solution provider nCipher.

The study was conducted on 5,856 people across several industry sectors in 14 countries, including the United States. The aim of the study was to investigate data encryption trends, the types of data most likely to be encrypted, how extensively encryption has been adopted to improve security, and the challenges faced by companies when encrypting data.

The study shows the use of encryption has steadily increased over the past four years. 45% of surveyed organizations said they have an overall encryption plan or strategy that is applied across the whole organization. 42% said they have a limited encryption plan or strategy, with encryption only used on certain applications and data types. 13% of respondents said they do not use encryption at all on any type of data.

The use of encryption varies considerably from country to country. Germany leads the world with the highest prevalence of encryption, followed by the United States, Australia, and the United Kingdom. Out of the 14 countries represented in the survey, the Russian Federation and Brazil had the lowest prevalence of encryption. 65% of companies in the United States had an overall encryption plan that was consistently applied across the whole organization.

The industries that had the highest prevalence of encryption were tech & software (52%), financial services (50%), and the healthcare and pharmaceutical industries (49%).

Encryption technology varied considerably and there was no single technology that dominates in organizations. The most common uses of encryption were for Internet communications, databases and laptop hard drives.

The main reasons for implementing encryption, cited by 54% of respondents, were to protect sensitive intellectual property and customers’ personal information.

The types of data most commonly encrypted are payment-related data (55%), financial records (54%), HR/employee data (51%), and intellectual property (51%). Health information was the least likely type of data to be encrypted. This is surprising, given the value of healthcare data to cybercriminals and the harm that can be caused should information fall into the wrong hands. Only 24% of respondents said health data was routinely encrypted.

Organizations looking to encrypt data face several challenges. The biggest challenge which was faced by 69% of respondents was identifying all sensitive data on the network. The initial implementation of encryption was a major challenge for 49% of respondents and 32% of respondents said they faced problems classifying which data they should encrypt.

One of the biggest encryption headaches is key management. Respondents were asked to rate key management on a pain scale of 1-10. 61% of respondents said key management was very painful and managing keys was a major challenge.

The main reason why key management is difficult is a lack of clear ownership of the key management function, a lack of skilled personnel, and isolated or fragmented key management systems.

Various key management systems are used by organizations, the most common being formal key management policy (KMP), followed by formal key management infrastructure (KMI) and manual process.

The post Study Reveals Health Information the Least Likely Data Type to be Encrypted appeared first on HIPAA Journal.

Amazon Launches New System for De-identifying Medical Images

Posted by HIPAA Journal

Amazon has announced that it has developed a new system that allows identifying protected health information contained in medical images to be automatically removed to prevent patients from being identified from the images.

Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Prior to the images being used for research, authorization must be obtained from the patient or all identifying data must be permanently removed.  Removing PHI from images requires a manual check and alteration of the image to redact the PHI and that can be an expensive and time-consuming process, especially when large number of images must be de-identified.

The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code it is possible to quickly redact any PHI in the images. The system works on PNG, JPEG, and DICOM images.

A confidence score is provided by the service which indicates the level of confidence in the accuracy of the detected entity, which can form the basis of reviews to make sure that information has been correctly identified. The desired confidence level – from 0.00 to 1.00 – can be set by the user. A confidence level of 0.00 will see all text identified by the service be redacted.

Amazon says the system allows healthcare organizations to de-identify large numbers of images quickly and inexpensively. Amazon notes that the system can be used to batch process thousands or millions of images. Also, once an image has been processed and the location of PHI has been identified, it is possible to associate a Lambda function to automatically redact PHI from any new images when they are uploaded to an Amazon S3 bucket.

The post Amazon Launches New System for De-identifying Medical Images appeared first on HIPAA Journal.

Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Posted by HIPAA Journal

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability.

The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on.

An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device.

The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3.

A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use encryption, an attacker with adjacent short-range access to a vulnerable product could intercept communications and obtain sensitive patient data.

The vulnerability is being tracked as CVE-2019-6540 and has been assigned a CVSS v3 base score of 6.5.

The vulnerabilities affect the following Medtronic devices:

  • Versions 24950 and 24952 of MyCareLink Monitor
  • Version 2490C of CareLink Monitor
  • CareLink 2090 Programmer

All models of the following implanted cardiac devices are affected:

  • Amplia CRT-D
  • Claria CRT-D
  • Compia CRT-D
  • Concerto CRT-D
  • Concerto II CRT-D
  • Consulta CRT-D
  • Evera ICD
  • Maximo II CRT-D and ICD
  • Mirro ICD
  • Nayamed ND ICD
  • Primo ICD
  • Protecta ICD and CRT-D
  • Secura ICD
  • Virtuoso ICD
  • Virtuoso II ICD
  • Visia AF ICD
  • Viva CRT-D

Medtronic has implemented additional controls for monitoring and responding to any cases of improper use of the telemetry protocol used by affected ICDs. Further mitigations will be applied to vulnerable devices through future updates.

In the meantime, users of the devices should ensure home monitors and programmers cannot be accessed by unauthorized individuals and home monitors should only be used in private environments. Only home monitors, programmers, and ICDs that have been supplied by healthcare providers or Medtronic representatives should be used.

Unapproved devices should not be connected to monitors through USB ports and physical connections and programmers should only be used to connect with ICDs in hospital and clinical environments.

The vulnerabilities were identified by multiple security researchers who reported them to NCCIC. (Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; former KU Leuven researcher Eduard Marin; Flavio D. Garcia; Tom Chothia; and Rik Willems.

The post Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs appeared first on HIPAA Journal.