Protecting personal healthcare data

10/15/2014

The adoption of personal medical devices and healthcare kiosks that capture consumer health data — like blood pressure and glucose — coupled with the linking of those data points to a patient’s health record at the pharmacy, represents a significant opportunity to enhance disease state management programs.




However, that same functionality also represents an issue concerning patient privacy as it relates to HIPAA, especially given the ongoing rise in breaches of healthcare data. The number of breaches this year is already close to 12 million records, noted Dan Munro, a Forbes contributor who has covered HIPAA breaches extensively, including the breach of 4.5 million records at Community Health Systems last August. “At this rate, we’ll probably get to 14 million or 15 million records this year alone.”



Hackers aren’t interested in the innocuous personal healthcare measurements generated by personal medical devices or healthcare kiosks. But the devices that capture that data provide a possible entry point to patient health records. “Any device, any endpoint becomes a vulnerability,” Munro said. “The issue isn’t the data itself, the issue is the device as a gateway into the network, which is typically secure.”



And upon accessing those records, hackers can use them to hijack a person’s medical profile. “What they’re looking for is two things,” Munro said. “One is the potential to leverage that [data] quickly for fraud, and the second is for illegal drug use. Prescriptions become another mechanism for which the data has supreme value.”



It’s an issue of significant concern to manufacturers of the devices and healthcare kiosks that capture those data points. “In this day and age if you store data all in one place, it’s not a matter of if you’ll get hacked but when,” said Khan Siddiqui, chief technology officer and chief medical officer for Higi, a kiosk manufacturer. “There are best practices [regarding] how you store [the data] and build the infrastructure to make it extremely difficult for anybody to create a breach,” he said. Higi employs monitoring systems that look for any malicious programming or viruses, he added. “So from an infrastructure point of view, we’ve [implemented] a lot of security layers to really understand what is happening to the data to prevent these kinds of breach scenarios.”



PharmaSmart has a comprehensive program linking the clinical data points captured by their healthcare kiosks to a pharmacy’s patient profile, but the patient data submitted to the profile is de-identified data, which keeps the system in compliance with HIPAA regulations. “The only data PharmaSmart has access to is de-identified data,” Ashton Maaraba, COO and general manager of PharmaSmart, told Drug Store News. And it’s a one-way submission of data, Maaraba said; PharmaSmart does not have access to the pharmacy’s patient profile.



Protecting medical devices from hackers is also an issue for the Food and Drug Administration, which in October finalized recommendations to manufacturers for managing cybersecurity risks to better protect patient health and information.



The final guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.



“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”



The FDA’s concerns about cybersecurity vulnerabilities include malware infections on network-connected medical devices or computers, smartphones and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.



The agency is planning a public workshop this fall to discuss how government, medical device developers, hospitals, cybersecurity professionals and other stakeholders can collaborate to improve the cybersecurity of medical devices and protect the public health.

