About the Author Mary J. Cronin, Ph.D. is a Professor of Information Systems at Boston College, Carroll School of Management. Her latest book, Smart Products, Smarter Services: Strategies for Embedded Control (Cambridge University Press, 2010), analyzes the impact of connected health solutions, mobile and wireless applications and medical devices on the healthcare industry. Dr. Cronin is an editor for MedHealthWorld, covering electronic medical records, healthcare IT and mHealth.
About Diversinet Diversinet Corp. (TSX Venture: DIV, OTCBB: DVNTF) provides a patented and proven secure application platform that enables healthcare organizations to rapidly deploy HIPAA-compliant mobile healthcare (mHealth) applications to anyone, anytime, anywhere, on mobile devices. Diversinet's MobiSecure platform helps payers and providers meet growing needs for safe, convenient, on-the-go storage and sharing of personal health data. Connect with Diversinet Corp. at www.diversinet.com. Its tagline is "Healthcare. Connected and Protected."
For More Information For more information about Diversinet, or for a discussion of mobile health solutions and strategies, you can send an email to sales@diversinet.com or visit the Diversinet website at www.diversinet.com.
Diversinet Corp., the Diversinet logos, MobiSecure and all other Diversinet product or service names are trademarks of Diversinet Corp. Diversinet products are covered by patents and other patents pending.
Table of Contents
EXECUTIVE SUMMARY ... 4
INTRODUCTION ... 5
HIPAA SECURITY REQUIREMENTS: IMPLICATIONS FOR PROTECTING MOBILE PHI ... 6
THE MOBILE SECURITY VENDOR LANDSCAPE ... 9
  10 QUESTIONS TO ASK MHEALTH SOLUTION PROVIDERS ABOUT MOBILE HEALTH DATA AND PHI SECURITY ... 10
OVERVIEW OF MOBISECURE: CONNECTED AND PROTECTED MOBILE HEALTH DATA ... 11
  MOBISECURE PLATFORM COMPONENTS ... 11
IMPLEMENTING SECURE MOBILE HEALTH PROGRAMS: MOBISECURE CASE STUDIES ... 13
  US ARMY MCARE FOR WOUNDED WARRIORS ... 13
  MIHEALTH AT THE BLUE SKY FAMILY HEALTH TEAM ... 15
REFERENCES ... 16
EXECUTIVE SUMMARY
This Mobile Health and Security white paper analyzes HIPAA security requirements and mobile health security best practices to assist healthcare organizations in evaluating and implementing secure and fully compliant mobile health solutions. The section on HIPAA Security Requirements: Implications for Protecting Mobile PHI reviews the HIPAA Security Rule Technical Safeguards for Protected Health Information (PHI) and discusses the mobile security best practices that directly relate to each Technical Safeguard. With so many mobile health and mobile security solutions competing for attention in today's marketplace, it is challenging to compare the various implementation options and vendor security architectures. As a tool for evaluating vendor proposals for secure and compliant mobile health solutions, the Mobile Security Vendor Landscape section recommends 10 Questions To Ask MHealth Solution Providers About Mobile Health Data and PHI Security. The features of Diversinet's MobiSecure Platform are presented as an example of a secure, scalable and fully compliant option for mobile health implementation in the Overview of MobiSecure: Connected and Protected Mobile Health Data section. This section explains the capabilities and applications of MobiSecure Publisher and MobiSecure SMS and illustrates MobiSecure's security architecture for end-to-end protection of PHI across hundreds of mobile device platforms. While mobile health security is an essential foundation for mHealth implementation, the most important impact is improving patient health outcomes and caregiver effectiveness. The benefits of secure mobile health programs for caregivers and for patients are illustrated through MobiSecure case studies of the U.S. Army's mCare project and the Blue Sky Family Health Team in North Bay, Canada in the final section, Implementing Secure Mobile Health Programs.
Mobile health solutions have enormous potential to improve the quality of care for individual patients as well as overall healthcare system effectiveness. Mobile devices offer caregivers and healthcare consumers an always-on, two-way communication channel that can provide instant access to vital patient data, diagnostic test results, and care management for chronic diseases. MHealth applications can streamline routine processes such as appointment scheduling, medication reminders and prescription refills. However, even though the majority of U.S. consumers rely on their mobile phones as their primary means of communication and express a strong interest in using mHealth applications, many care providers and healthcare organizations do not yet offer their patients mobile access to personal health data. Concerns about mobile security and the implications of HIPAA security requirements for Protected Health Information (PHI) on mobile devices need to be addressed before mHealth applications can fulfill their promise.
INTRODUCTION
Will 2011 mark a turning point in the adoption of mobile health applications and information services by health care organizations? Many indicators suggest so, including:
- Thousands of mobile health apps and wireless health monitoring devices are already available for health-conscious consumers.
- Smartphones and wireless devices with features that improve efficiency at the point of care are increasingly common among physicians and caregivers. Manhattan Research, in its annual "Taking the Pulse" study of physicians and health care technology, reported in April 2010 that 72% of doctors use smartphones personally and professionally, with that number expected to jump to 81% in 2012.[i]
- Implementation of electronic health records (EHR) and medical practice management tools is accelerating, spurred by the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is providing a foundation for direct electronic communication with patients about everything from diagnostic test results to immunization records and medical appointments.
- New models of medical reimbursement that reward improved patient health outcomes are creating pressure to leverage the efficiency and immediacy of mobile interactions with patients.
On the consumer front, mobile phones have already become the primary means of communication. More than 292 million Americans, or 90% of the U.S. population, have a mobile phone.[ii] And whether the mobile subscriber is a teenager, a parent, or a senior citizen, the phone they already carry with them can become a vital source of medical information, healthcare support and interactions with caregivers and insurers. Despite these drivers, mHealth solutions are not yet available to the majority of patients who could benefit from them. Many healthcare providers and insurers are still on the sidelines when it comes to transmitting sensitive health information to patients' mobile phones, for a number of reasons:
- Concerns about the security of mobile devices
- The challenge of complying with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements for protected health information (PHI) in a mobile context
- The proliferation of mobile devices, mHealth apps, and vendors offering different strategies for securing mobile health data
To assist healthcare organizations in evaluating and implementing secure and compliant mobile health solutions, this White Paper analyzes how HIPAA's Technical Safeguards for securing protected health data apply in a mobile health setting. It recommends 10 Questions About Mobile Health Data and PHI Security that healthcare organizations should ask their solution providers and mobile health vendors.
Additionally, the features of Diversinet's MobiSecure Platform are presented as an example of a secure, scalable and fully compliant option for mobile health implementation. The benefits of secure mobile health programs for caregivers and for patients are illustrated through MobiSecure case studies of the U.S. Army's mCare project and the Blue Sky Family Health Team in North Bay, Canada.
In evaluating the security risks of accessing and storing PHI on a mobile device, healthcare providers and payers should assume that the security built into today's mobile devices is not sufficient, regardless of operating system, messaging capabilities or applications. As with protecting desktop data and the security of Internet transmissions, covered entities have to take additional steps to ensure that they and their business partners are meeting federal and state security requirements for mobile data security. The following table summarizes the most relevant HIPAA Security Rule provisions in relation to known mobile device and wireless security issues and lists mobile security best practices to overcome the risks of security breaches and exposure of PHI in mobile health communications and applications.
THE HIPAA SECURITY RULE: HIPAA TECHNICAL SAFEGUARDS AND MOBILE SECURITY BEST PRACTICES

HIPAA Technical Safeguards:
- Access Controls: Unique User Identification (Required); Emergency Access Procedure (Required); Automatic Logoff (Addressable); Encryption (Addressable)
- Audit Controls: Record Internal Uses of PHI by User (Required)
- Integrity: Mechanism to Authenticate Electronic PHI (Addressable)
- Person or Entity Authentication: Person or Entity Seeking Access Is the One Claimed (Required)

Mobile Security Best Practices:
- Provide a method for the unique identification of both the mobile device and the individual device owner
- Enable generation and distribution of unique encryption keys to ensure that only authorized handsets are provisioned
- Provide automatic timeout, logoff and device lock
- Encrypt PHI data stored on the mobile device
- Generate confirmations of PHI message delivery and message read
- Verify client authenticity and message integrity prior to routing PHI data
- Authenticate the individual mobile user and identify the specific mobile device before allowing access to the secured PHI data on that device
- Ensure PHI cannot be read by non-authorized users: even if the phone owner forwards a message or resends it by mistake to another recipient, that recipient will not be able to read it, because it remains encrypted and locked to the original phone
- Use two-way encryption for all PHI data transmitted to and from the mobile device
Since the publication of the 2003 HIPAA Security Rule, the passage of both the American Recovery and Reinvestment Act (ARRA) and the HITECH law have added to the complexity of defining final rules for the implementation of electronic medical records, as well as for the enforcement of PHI privacy and security regulations. For instance:
- The Security Rule requires a risk-based security assessment and the implementation of appropriate policies and procedures by covered entities, as well as by their business associates.
- ARRA extends the applicability of the HIPAA Security Rule directly to business associates and brings the Federal Trade Commission into the health regulatory landscape to regulate the privacy and security of Personal Health Record (PHR) systems.
- Designating security areas as "addressable" in the HIPAA Security Rule does not mean the practices are optional or that covered entities are not required to implement the security safeguards listed. For example, the HIPAA Final Security Rule of February 2003 states, "Covered entities are encouraged to consider use of encryption technology for transmitting electronic protected health information, particularly over the Internet."
- The Centers for Medicare and Medicaid Services, which is responsible for enforcing the HIPAA Security Rule, recommends two-factor authentication as the authentication technical standard for remote access to PHI.
The past several years have been a transition period, as covered entities and healthcare vendors waited for publication of final data protection rules and clarification on the balance of responsibility for compliance between healthcare organizations and their vendors. The final rules are scheduled for publication in March 2011, meaning the transition period of relatively low enforcement is coming to an end. Analysts expect to see significantly more federal and state activity in enforcing the security and privacy requirements in 2011 and beyond, including the imposition of severe penalties on health organizations that demonstrate a pattern of non-compliance. According to Kirk Nahra, writing in the Privacy & Security Law Report,
The HITECH law presaged a substantial development in the overall environment for the protection of health care records. To date, however, almost two years since passage of the law, little has changed, beyond the important developments related to security breaches. Covered entities and their business associates have been forced to rely on their own best guesses about these new rules, in reviewing their compliance obligations and negotiating business associate contracts. Business associates and downstream contractors now face an enormous amount of confusion and regulatory risk from these new rules.[v]
Discussing "What to Expect in Terms of Patient Privacy Enforcement in 2011," Doug Pollack predicts higher levels of PHI security enforcement actions are inevitable in the coming year.
The year of 2010 has been a key period of transition relative to the enforcement of healthcare patient privacy regulations in state and federal laws. It is well known that there has been little to no enforcement of privacy regulations under HIPAA, the Health Information Portability and Accountability Act, since it was passed in 1996. With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, added "teeth" now provide a basis for and encourage the enforcement of HIPAA privacy requirements. Whatever your view on the level of enforcement, there is no doubt that enforcement actions are on the rise, and that every hospital and other healthcare organization would be well served to revisit their level of adherence to privacy compliance requirements under HITECH and any related state laws.[vi]
In the current mobile healthcare landscape, decision makers need to ensure their vendors and business associates have adopted mobile security best practices and taken appropriate steps to provide a comprehensive PHI security solution. The following 10 questions about specific mobile security practices can assist healthcare organizations in assessing the level of HIPAA security compliance provided by their mobile health vendors.
10 QUESTIONS TO ASK MHEALTH SOLUTION PROVIDERS ABOUT MOBILE HEALTH DATA AND PHI SECURITY
1. Do you provide security for PHI data over and above the general security features of the phone's mobile browser and application platform?
   o If so, what forms of data security do you include in your solution?
     - Data encryption
     - Strong (two-factor) authentication for the user and the server
     - Integrity and non-repudiation of PHI
     - Assurance that PHI data has not been changed or opened by an unauthorized party
2. If you provide encryption for PHI data as part of your solution, is the encryption end-to-end from the secure server to a secure client on the mobile device? Is data encrypted while stored on the mobile device?
3. Does your solution support encrypted text messaging (SMS)?
4. Can your solution be extended to protect PHI data in multiple applications (including those from other vendors) and mobile browsers, or is it limited to use with the solutions that you offer?
5. Do you provide a method for your customers to remotely delete all covered PHI data from lost or stolen devices?
6. On what mobile devices does your solution currently operate? If there are some mobile devices that are not covered, how is PHI data on these devices supposed to be protected?
7. Is your company primarily focused on the healthcare sector and the protection of mobile health data and services?
   o If you provide general mobile security or other services for multiple industries, what percentage of your customers are in healthcare?
8. Can you provide reference accounts that have moved beyond pilot projects and fully implemented your solution?
9. What security standards are utilized in your solution?
   o Have you received any security certifications?
10. Does your solution provide all of the Technical Safeguards listed in the HIPAA Security Rule (both Required and Addressable)?
    o If not, what Safeguards are not provided?
MobiSecure SMS enables secure and reliable two-way communication between customer Internet applications and mobile users. Messages are confirmed on delivery or on display by the recipient, providing timing around delivery events and more reliable communication than normal SMS messaging. All messages are encrypted in transit and in storage, ensuring confidentiality of the communication over non-secure SMS channels. MobiSecure SMS capabilities include:
- End-to-end encryption using dynamic per-message keys
- Encrypted security and privacy data in each message
- Mobile-originated messages contain OTP and encrypted data
- Delivery and read confirmation for sent and received messages
- Support for messages up to 1,400 characters
- PIN protection, auto lock and auto data wipe
- Device/user blocking capabilities
- Client authenticity and message integrity verification prior to routing messages
- Software update detection and download
- Secure address book
- Provider and patient web portals
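The device-bound, per-message encryption that the best-practices table and the MobiSecure SMS capabilities describe, as an added Go example that is not Diversinet's code: the envelope layout, the HMAC-SHA256 key derivation, the "phi-wrap" label and AES-256-GCM are assumptions, since the paper does not state MobiSecure's algorithms. It shows why a message forwarded to another phone stays encrypted, and why a modified message is rejected by the integrity check rather than decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is an assumed wire format (not the platform's): a fresh per-message
// key wrapped under the handset's key, plus the PHI sealed under that key.
type Envelope struct {
	DeviceID               string
	WrappedKey, Ciphertext []byte
}

// wrapKey derives the handset's 32-byte key-wrapping key (HMAC-SHA256) from
// the secret provisioned to it, so AES-256-GCM is used below.
func wrapKey(deviceSecret []byte) []byte {
	h := hmac.New(sha256.New, deviceSecret)
	h.Write([]byte("phi-wrap"))
	return h.Sum(nil)
}

// seal prepends a fresh nonce; aad binds the ciphertext to one device ID.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open checks the GCM tag (integrity) before returning any plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("truncated ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Seal encrypts PHI for exactly one handset under a dynamic per-message key.
func Seal(deviceID string, deviceSecret, phi []byte) Envelope {
	msgKey := make([]byte, 32)
	rand.Read(msgKey)
	aad := []byte(deviceID)
	return Envelope{DeviceID: deviceID,
		WrappedKey: seal(wrapKey(deviceSecret), msgKey, aad),
		Ciphertext: seal(msgKey, phi, aad)}
}

// Open is the handset side: another device's secret or ID fails the unwrap
// (a forwarded message stays unreadable) and a modified ciphertext fails the tag.
func Open(e Envelope, deviceID string, deviceSecret []byte) ([]byte, error) {
	aad := []byte(deviceID)
	msgKey, err := open(wrapKey(deviceSecret), e.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	return open(msgKey, e.Ciphertext, aad)
}
```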
The MobiSecure Platform was created to prevent unauthorized access to confidential data, enabling covered entities and their patients, caregivers, and partners to securely connect and communicate critical healthcare information to mobile devices with the utmost protection of PHI data, as illustrated.
Healthcare organizations of all types and sizes can benefit from secure mobile interactions between caregivers and patients. As these brief case studies describe, MobiSecure users are accomplishing numerous goals, including:
- Enabling secure mobile communication of PHI and specialized healthcare advice between high-risk patient populations and caregivers
- Improving case management and treatment compliance
- Providing anywhere, anytime access to patients' consolidated PHR
- Scheduling visits and treatments with caregivers and sending mobile appointment reminders
- Reminding patients to take medications or follow programs to maintain their health
- Enabling patients to access health tips and actively manage chronic conditions
energy, sleep patterns, physical pain, and overall sense of well-being. The mCare program features a downloadable, HIPAA-compliant mobile application that enables daily two-way secure communication between patients and the Army's healthcare team (see illustration below). In addition to safeguarding the security of all patient health data, a key program requirement was availability of mCare across a very broad assortment of mobile phones. mCare participants currently use more than 270 different mobile brands and models that are compatible with MobiSecure, demonstrating the depth and breadth of Diversinet's carrier and device coverage. An evaluation of mCare results in June 2010 showed significant progress toward achieving the goals of the pilot project, including improving patient and provider satisfaction with case management services and improving overall patient compliance as measured by keeping appointments and responding to survey questions. The system demonstrated a significant improvement in appointment attendance rates, a key metric of the efficacy of mobile appointment reminders. In terms of satisfaction, nearly 75% of users surveyed preferred to receive contact from mCare more than once a week, and 65% reported that mCare improved their communications with their unit. Based on the success of the mCare pilot project, the U.S. Army contracted with Diversinet for a five-year continuation and expansion of the program, with a goal to improve healthcare communications and outcomes for thousands of Wounded Warriors.
MCARE AT A GLANCE
REFERENCES
[i] Manhattan Research, "Taking the Pulse U.S. -- Physicians and Emerging Information Technologies," 2010.
[ii] CTIA Semi-Annual Wireless Industry Survey, June 2010, online at: http://www.ctia.org/media/industry_info/index.cfm/AID/10316
[iii] http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/
[iv] Wayne Jansen and Karen Scarfone, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, p. 30.
[v] Kirk Nahra, "The Top 10 Privacy and Security Developments to Watch in 2011," Privacy & Security Law Report, 10 PVLR 30, 01/03/2011, The Bureau of National Affairs, Inc.
[vi] Doug Pollack, "What to Expect in Terms of Patient Privacy Enforcement in 2011," IDexperts Blog, January 10, 2011.