For the video presentation of this paper, click here.
Intro
This paper discusses how to protect patient data in the US and EU/UK: it reviews the basics of HIPAA and GDPR, the differences between the two, and how medical device companies can follow them and other resources to protect patient data.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. It is administered by the Department of Health & Human Services (HHS) and enforced by its Office for Civil Rights (OCR). Its main rules are the Privacy Rule, the Security Rule, and the Breach Notification Rule. This paper discusses the first two because they bear most directly on software design.
What is the Privacy Rule?
The Privacy Rule requires appropriate safeguards to protect the privacy of Protected Health Information (PHI) and sets limits and conditions on the use and disclosure of data without the patient’s consent.
What is Protected Health Information?
PHI is individually identifiable health information, in any form, that relates to:
An individual’s past, present, or future physical or mental health or condition
The provision of health care to the individual
Past, present, or future payment for the provision of health care to the individual
What is the Security Rule?
The Security Rule protects a subset of the information covered by the Privacy Rule: individually identifiable health information that is created, received, maintained, or transmitted in electronic form (e-PHI). It sets the requirements for how digital security must be implemented. Under the Security Rule, covered entities and their business associates must:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit. Health information that is linked to any of the identifiers discussed below is e-PHI.
Identify and protect against reasonably anticipated threats to the security of the data.
Prevent reasonably anticipated, impermissible uses or disclosures.
Ensure compliance in the workforce.
The Security Rule's Technical Safeguards for securing e-PHI are:
Access Controls - Give each user a unique identity and allow only authorized persons and programs to reach e-PHI.
Audit Controls - Record activity in every system that holds or uses e-PHI, and be able to review those logs to see who did what with the data.
Integrity Controls - Ensure e-PHI is not improperly altered or destroyed, and be able to detect when it has been.
Person or Entity Authentication - Verify that a person or system seeking access is who it claims to be.
Transmission Security - Guard e-PHI against unauthorized access while it crosses a network.
What is an Identifier?
An identifier is any data element that can trace health information back to a person. The HIPAA Safe Harbor method lists eighteen of them:
Names
Addresses - Geographic subdivisions smaller than a state (street address, city, county, ZIP code); the first three digits of a ZIP may be kept when the area they cover holds more than 20,000 people
Dates - All elements of dates other than the year that relate directly to an individual (birth, admission, discharge, death), plus any age over 89
Telephone/Fax Numbers
Emails
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers, serial numbers, license plate numbers
Device identifiers and serial numbers (the one most easily overlooked by a device manufacturer)
URLs/IP addresses
Biometric identifiers (finger and voice prints, retinal scans, EKGs)
Full-face photographs and comparable images
Any other unique identifying numbers, characteristics, or codes
There are no restrictions on the use of de-identified health information. Data counts as de-identified under HIPAA either by the Safe Harbor method (remove all eighteen identifiers above and have no actual knowledge that what remains could identify the individual) or by Expert Determination (a qualified expert documents that the risk of re-identification is very small). Once de-identified, the data can be used however one likes under HIPAA.
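As an added example (not code from the original paper), the following Go program applies the Safe Harbor rules above to a constructed patient record: the listed identifiers are dropped, dates are reduced to a year, ZIP codes to three digits with the 000 rule for sparsely populated prefixes, and ages over 89 are aggregated into "90+". The record type, its field names, and the sample values are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// PatientRecord is a constructed example of a record that carries PHI.
// The field names are assumptions for this illustration, not a real schema.
type PatientRecord struct {
	Name         string
	DateOfBirth  time.Time
	Zip          string
	Phone        string
	Email        string
	MRN          string
	DeviceSerial string // device serial numbers are themselves Safe Harbor identifiers
	Diagnosis    string
	VisitDate    time.Time
}

// DeidentifiedRecord keeps only what the Safe Harbor method allows to remain.
type DeidentifiedRecord struct {
	Age       string // whole years, or "90+" because ages over 89 must be aggregated
	Zip3      string // first three ZIP digits, or "000" for sparsely populated prefixes
	Diagnosis string
	VisitYear int // a bare year is permitted; month and day are not
}

// restrictedZip3 holds the three-digit ZIP prefixes whose combined population is
// 20,000 people or fewer, which Safe Harbor requires to be changed to 000. This is
// the list from HHS's Safe Harbor guidance (2000 Census figures); check it against
// the current guidance before relying on it.
var restrictedZip3 = map[string]bool{
	"036": true, "059": true, "063": true, "102": true, "203": true, "556": true,
	"692": true, "790": true, "821": true, "823": true, "830": true, "831": true,
	"878": true, "879": true, "884": true, "890": true, "893": true,
}

// Zip3 truncates a ZIP code to its first three digits, applying the 000 rule.
func Zip3(zip string) string {
	if len(zip) < 3 || restrictedZip3[zip[:3]] {
		return "000"
	}
	return zip[:3]
}

// ageAt returns the number of whole years between dob and asOf.
func ageAt(dob, asOf time.Time) int {
	years := asOf.Year() - dob.Year()
	if asOf.Month() < dob.Month() || (asOf.Month() == dob.Month() && asOf.Day() < dob.Day()) {
		years--
	}
	return years
}

// AgeBand returns the age in years, collapsing anything over 89 into "90+".
func AgeBand(dob, asOf time.Time) string {
	a := ageAt(dob, asOf)
	if a > 89 {
		return "90+"
	}
	return strconv.Itoa(a)
}

// Deidentify applies Safe Harbor: name, phone, email, MRN and device serial are
// simply not copied; dates shrink to a year, the ZIP to three digits, the age to
// a band. Nothing that could trace the record back to a person survives.
func Deidentify(r PatientRecord, asOf time.Time) DeidentifiedRecord {
	return DeidentifiedRecord{
		Age:       AgeBand(r.DateOfBirth, asOf),
		Zip3:      Zip3(r.Zip),
		Diagnosis: r.Diagnosis,
		VisitYear: r.VisitDate.Year(),
	}
}

func main() {
	asOf := time.Date(2022, 6, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample record, not real patient data.
	r := PatientRecord{
		Name: "A. Example", DateOfBirth: time.Date(1930, 3, 15, 0, 0, 0, 0, time.UTC),
		Zip: "03601", Phone: "555-0100", Email: "a@example.org", MRN: "MRN-000123",
		DeviceSerial: "SN-ABC-0001", Diagnosis: "Type 2 diabetes",
		VisitDate: time.Date(2022, 5, 20, 0, 0, 0, 0, time.UTC),
	}
	fmt.Printf("%+v\n", Deidentify(r, asOf)) // {Age:90+ Zip3:000 Diagnosis:Type 2 diabetes VisitYear:2022}
}
```

Safe Harbor has a second condition that code cannot check: the covered entity must have no actual knowledge that the remaining data could identify the individual. Free-text fields such as the diagnosis in this example can carry names or dates and need their own review before the output is treated as de-identified.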
How else does the United States govern patient data security?
HIPAA's Security Rule is technology-neutral and does not prescribe specific cybersecurity controls, so there are supplements. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 expanded the responsibilities of business associates by making them directly liable for their own HIPAA compliance. There is also the FDA's premarket cybersecurity draft guidance for medical devices, the most recent of which was issued in April 2022. Since the FDA regulates device safety and effectiveness rather than medical privacy, it does not enforce HIPAA. But both HHS's Security Rule guidance and the FDA's cybersecurity guidance reference the National Institute of Standards and Technology (NIST) Cybersecurity Framework, so there is overlap in what they expect.
GDPR
The General Data Protection Regulation (GDPR) covers health information (as a special category of personal data) in the EU, and the UK retained it as the UK GDPR after leaving the EU. It is enforced by each member state's supervisory authority (the ICO in the UK), with the European Data Protection Board ensuring that they apply it consistently. Its focus is privacy in general, with health naturally falling under its umbrella.
The GDPR applies if:
A company is established in the EU (or, for the UK GDPR, the UK) and processes personal data, regardless of where the actual data processing takes place.
A company established outside the EU processes personal data in relation to offering goods or services to individuals in the EU, whether or not payment is involved.
A company established outside the EU monitors the behaviour of individuals in the EU (ex: a connected device that reports usage or health readings back to the manufacturer).
What are the Key Principles of the GDPR?
The following are the key principles of the GDPR:
Lawfulness, transparency, and fairness
Purpose limitation (What you collect has to be for the purpose you declare.)
Data minimization
Data accuracy
Storage limitation (Don’t keep data around forever.)
Integrity and confidentiality
Accountability (Whoever is managing the data is accountable for protecting the data.)
How else does the EU govern patient data security?
The European Union Medical Device Regulation (EU MDR) sets the requirements for medical devices that are produced in or supplied to countries in the EU, and the In Vitro Diagnostic Regulation (IVDR) does the same for in vitro diagnostic devices. The Medical Device Coordination Group (MDCG) released its Guidance on Cybersecurity for medical devices (MDCG 2019-16) in 2019; it references standards including ISO/IEC 27001 and IEC 60601-4-5.
How is GDPR different from HIPAA?
Sharing Data
Unlike HIPAA, the GDPR has no checklist-style safe harbor for de-identified data. Only data that is truly anonymous, meaning the person can no longer be identified by any means reasonably likely to be used, falls outside the regulation; pseudonymised data (identifiers replaced by a code that a separately held key can reverse) is still personal data. For data that remains personal, the GDPR forbids processing or sharing ANY health and genetic data unless:
A patient gives explicit and unambiguous consent.
It is in the patient's vital interest (ex: medical emergency).
It is for healthcare purposes (ex: a specialist notifies the general practitioner).
It is in the interest of public health (ex: to protect the population in a pandemic, or to ensure high standards of quality and safety of medicinal products or medical devices).
Patient Rights
The GDPR also grants patients (data subjects) rights that go beyond what HIPAA provides, including:
The right to object to processing that rests on the public-interest or legitimate-interest bases of the controller
The right to rectification of inaccurate data (ex. in a medical record) or completion of an incomplete record
The right to erasure (right to be forgotten)
Note: This makes navigating data back-ups a bit tricky. According to CNIL (Commission Nationale de l'Informatique et des Libertés, the French Data Protection Authority), one does not need to delete an entire backup set in order to remove an individual from it. A solution may be to create/amend data retention policies so that backups expire on a defined schedule, or to devise a way to remove an individual from backups (ex. store each patient's data separately, or encrypt each patient's data under its own key and delete that key). The practical corollary is that a restore from backup must re-apply every erasure completed since the backup was taken.
The right to be informed: the identity of the controller and the purposes of the processing, explained in transparent language
Exemptions to patient rights in research (ex: blind trial)
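The key-deletion approach mentioned in the note on backups above, as an added example that is not part of the original paper: each patient's records are encrypted under that patient's own data-encryption key, held in a key vault that is managed and backed up separately from the data. Backups then contain only ciphertext, so destroying one key makes every copy of that patient's data, in every backup, unrecoverable (often called crypto-shredding). The same structure is the "encryption at rest with securely managed keys" pattern recommended later in this paper. The KeyVault and Backup types, the patient IDs and the sample records are constructed for this illustration; a production system would use a KMS or HSM in place of the in-memory vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrKeyDestroyed = errors.New("data key destroyed: ciphertext is permanently unreadable")

// KeyVault stands in for a KMS or HSM holding one data-encryption key (DEK) per patient,
// kept deliberately separate from the backup set, which carries ciphertext only.
type KeyVault map[string][]byte

// KeyFor returns the patient's DEK, generating a fresh AES-256 key on first use.
func (v KeyVault) KeyFor(patientID string) ([]byte, error) {
	if k, ok := v[patientID]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	v[patientID] = k
	return k, nil
}

// Destroy is the erasure operation: with the DEK gone, every backup copy is unreadable.
func (v KeyVault) Destroy(patientID string) { delete(v, patientID) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts with AES-256-GCM and prepends the random nonce.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord splits off the nonce and decrypts, verifying the GCM tag and the AAD.
func openRecord(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

type Backup map[string][]byte // constructed backup set: patient ID -> ciphertext, never keys

// Store encrypts a record under the patient's own DEK, binding the patient ID as
// associated data so a ciphertext cannot be re-attached to another patient.
func (b Backup) Store(vault KeyVault, patientID string, record []byte) error {
	key, err := vault.KeyFor(patientID)
	if err != nil {
		return err
	}
	ct, err := sealRecord(key, record, []byte(patientID))
	if err != nil {
		return err
	}
	b[patientID] = ct
	return nil
}

// Restore decrypts a backup copy; once the DEK is destroyed it fails for good.
func (b Backup) Restore(vault KeyVault, patientID string) ([]byte, error) {
	ct, ok := b[patientID]
	if !ok {
		return nil, errors.New("no backup record for patient")
	}
	key, ok := vault[patientID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	return openRecord(key, ct, []byte(patientID))
}

func main() {
	vault, backup := KeyVault{}, Backup{}
	_ = backup.Store(vault, "patient-1", []byte("dx: hypertension")) // constructed sample data
	_ = backup.Store(vault, "patient-2", []byte("dx: asthma"))
	vault.Destroy("patient-1") // patient-1 exercises the right to erasure
	_, err := backup.Restore(vault, "patient-1")
	rec, _ := backup.Restore(vault, "patient-2")
	fmt.Println(err, "|", string(rec)) // data key destroyed: ciphertext is permanently unreadable | dx: asthma
}
```

The approach only works if the vault's own backups are handled with the same care: a KMS that silently keeps destroyed keys in its snapshots defeats the purpose, so key destruction must be a logged, irreversible operation in whatever key store is used.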
Moving Data
The EU Commission grants an adequacy decision to countries whose level of data protection it judges essentially equivalent to its own; personal data may flow to those countries without further formalities. To transfer data to a country without an adequacy decision, a company in the EU must put appropriate safeguards in place, usually the Commission's Standard Contractual Clauses or, within a corporate group, Binding Corporate Rules, and must assess whether the destination country's laws undermine those safeguards. The US has no general adequacy decision. The Privacy Shield framework, under which US companies self-certified that they protected EU data adequately, was invalidated by the Court of Justice of the EU in 2020 (Schrems II); its successor, the EU-US Data Privacy Framework, received an adequacy decision in July 2023, so EU-to-US transfers now rely on either certification under that framework or the safeguards above.
How to Secure Patient Data
What are some practical ways to respond to these guidelines and effectively protect patient data?
Implement Access Control
Authenticate users and devices - Use strong passwords and MFA (Multi-Factor Authentication), at minimum for privileged access, and give each device its own credential or certificate rather than a secret shared across a fleet.
Assign roles - Apply the principle of least privilege (in a given role, a user sees only what that role needs) and separation of duties (users, administrators, technicians, and so on are distinct roles, so that no single role can both perform and approve or audit a sensitive action, with stronger authentication required for the more privileged roles).
Keep audit records - Be able to tell who did what.
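As an added example (not the paper's own code) of the Access Controls and Audit Controls described above, the following Go program enforces role-based permissions with least privilege and separation of duties, and writes every allowed and denied attempt to a hash-chained audit log so that an edit or deletion anywhere in the log can be detected. The role and permission names are an assumed design for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type Role string
type Permission string

const (
	RoleClinician, RoleTechnician, RoleAdmin, RoleAuditor Role = "clinician", "technician", "admin", "auditor"
	PermReadPHI, PermWritePHI, PermServiceDev, PermManageUsers, PermReadAudit Permission = "phi:read", "phi:write", "device:service", "users:manage", "audit:read"
)

// rolePerms is an assumed role design for this example. Least privilege: each role
// gets only what its job needs. Separation of duties: the admin who manages accounts and
// the technician who services devices cannot read PHI; the clinician cannot read the audit log.
var rolePerms = map[Role]map[Permission]bool{
	RoleClinician:  {PermReadPHI: true, PermWritePHI: true},
	RoleTechnician: {PermServiceDev: true},
	RoleAdmin:      {PermManageUsers: true},
	RoleAuditor:    {PermReadAudit: true},
}

var ErrDenied = errors.New("access denied")

// AuditEntry records who attempted what and whether it was allowed; PrevHash chains it to the previous entry.
type AuditEntry struct {
	Time     time.Time  `json:"time"`
	Actor    string     `json:"actor"`
	Role     Role       `json:"role"`
	Action   Permission `json:"action"`
	Resource string     `json:"resource"`
	Allowed  bool       `json:"allowed"`
	PrevHash string     `json:"prev_hash"`
	Hash     string     `json:"hash"`
}

// hashEntry hashes every field except Hash itself (PrevHash included).
func hashEntry(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type AuditLog struct{ Entries []AuditEntry }

// Append links the new entry to the previous one and seals it with its hash.
func (l *AuditLog) Append(e AuditEntry) {
	e.PrevHash = ""
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
}

// Verify recomputes every hash; an altered or removed entry breaks the chain.
func (l *AuditLog) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return fmt.Errorf("audit log tampered at entry %d", i)
		}
		prev = e.Hash
	}
	return nil
}

type Authorizer struct{ Log *AuditLog }

// Authorize checks the role's permission and records the attempt either way:
// denied attempts are exactly what an investigator needs to see.
func (a *Authorizer) Authorize(actor string, role Role, perm Permission, resource string) error {
	allowed := rolePerms[role][perm]
	a.Log.Append(AuditEntry{Time: time.Now().UTC(), Actor: actor, Role: role,
		Action: perm, Resource: resource, Allowed: allowed})
	if !allowed {
		return ErrDenied
	}
	return nil
}

func main() {
	auth := &Authorizer{Log: &AuditLog{}}
	fmt.Println(auth.Authorize("dr.lee", RoleClinician, PermReadPHI, "record/42")) // <nil>
	fmt.Println(auth.Authorize("sysadmin", RoleAdmin, PermReadPHI, "record/42"))  // access denied
	fmt.Println(auth.Log.Verify())                                                 // <nil>
	auth.Log.Entries[1].Allowed = true // someone rewrites history...
	fmt.Println(auth.Log.Verify())     // audit log tampered at entry 1
}
```

A hash chain only proves integrity relative to its latest hash, so that head hash should be copied periodically somewhere the application itself cannot rewrite (a write-once store, a signed checkpoint, or a separate log collector); otherwise an attacker with write access to the log can simply rebuild the whole chain.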
Ensure Data Security
Protect data at rest with methods like strong encryption with securely managed keys.
Protect data in transit using Transport Layer Security (TLS, version 1.2 or higher, with certificate validation enabled) and, for Bluetooth Low Energy, pairing at Security Mode 1 Level 3 (authenticated pairing with encryption) or Level 4 (authenticated LE Secure Connections); the lower levels allow unauthenticated pairing, which lets an attacker insert itself into the link.
Protect against data leaks by siloing data: separate encryption keys, separate networks, or separate accounts per tenant or data class, so that one compromised component does not expose everything.
Check integrity by authenticating both the source and the destination and signing what passes between them (ex. code signatures on firmware updates, signatures or MACs on data records).
Perform Continuous Security Monitoring and Intrusion Prevention
Use available tools to detect and prevent intrusion, such as a network firewall, an application firewall, and host or network intrusion detection.
Monitor networks for potential cybersecurity events.
Establish alert thresholds so that anomalies (repeated failed logins, unusual data volumes, connections from unexpected places) are escalated rather than buried in logs.
Keep a software bill of materials for each product, check it against the NIST National Vulnerability Database (NVD) and vendor advisories for known vulnerabilities, and apply the appropriate patches and upgrades.
Create and Follow Compliant Processes and Procedures
Maintain processes and procedures to manage protection of data.
Implement breach detection and response activities and processes.
Implement data recovery procedures.
Get certified. It’s not just for marketing; it is invaluably helpful and informative.
Address Web Application Security Risks
A great cybersecurity resource is the Open Web Application Security Project (OWASP). They are not medical device specific, but they release their Top 10 Web Application Security Risks every few years with examples and ways to fix the problems.
OWASP also provides guidance on protecting mobile apps through its Mobile Application Security (MAS) project. Protections it recommends include:
In-app rooted/jailbreak detection
Code tampering protection (integrity checks on the app's own code and resources)
Code obfuscation
Data encryption
Secure BLE communications (encryption alone is not enough: pairing must be authenticated, or an attacker who pairs first or sits in the middle gets the same encrypted link the app does)
Conclusion – Handling Patient Data
To protect patient data, it must be secured and encrypted with established risk management processes, continual monitoring for and resolution of known vulnerabilities, and awareness of responsibilities under privacy regulations.
Frances is President of Promenade Software and a leading expert on Software for Medical Devices.