8/22/2019 Regulations and Compliance for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions

A RapidValue Solutions Whitepaper

Author: Dilip Chatulingath

REGULATIONS AND COMPLIANCE FOR ENTERPRISE MOBILE HEALTH APPLICATIONS

Contents

Mobilizing healthcare applications
Security concerns and challenges
Defining the application - Does your mobile app need FDA approval?
Secure your mobile app - Understanding HIPAA compliances
  A. Assess the user base
  B. Design a strategy
  C. Deploy and manage
Conclusion
About RapidValue

A RapidValue Solutions Whitepaper, July 2012

Mobilizing healthcare applications

The rapid explosion of mobile platforms and the adoption of smart devices have given physicians and other hospital staff greater flexibility and opportunity to deliver real-time information at the point of care. Mobile healthcare, more commonly called mHealth, has created a channel to facilitate, communicate and deliver healthcare services via mobile communication devices.

Over the last few months, an increasing number of mHealth apps have gained traction that help physicians and other healthcare providers keep track of reference drugs, monitor patient health records and status, and manage schedules. While this provides a plethora of opportunities for healthcare organizations to reduce costs and improve efficiency, the increased mobility trend has created new challenges for healthcare IT.

mHealth market 2015: 500 million people will be using healthcare smartphone applications (research2guidance, November 2010 report)

Healthcare organizations and software firms looking to invest in mobile applications need to assess the implications of HIPAA and FDA regulation in order to protect patient health information and ensure compliance requirements are met. This document outlines some of the key evaluation criteria on regulations and security considerations in the healthcare sector that need to be addressed while implementing mobility solutions.

This paper is a guide for healthcare organizations and their IT departments to assess and identify basic requirements, reduce risk, improve operational efficiency and achieve compliance goals, enabling them to provide a higher quality of patient care. The whitepaper combines industry best practices with RapidValue's experience in implementing solutions for many customers.

Security concerns and challenges

The influx and usage of mobile devices have threatened traditional security policies and processes. Data transmission over the last few years through the client/server approach and fixed-line infrastructure has become obsolete with the advent of mobile and internet technologies. Mobile devices provide access to corporate resources and applications from anywhere, through cloud services and remote mobile desktops.

As more sensitive information is fed into mobile applications and into the network cloud in general, the complete security, privacy and regulatory compliance of such information must be assured. Since security breaches are not uncommon in any industry, the healthcare industry has mandated a few regulations and compliance requirements to ensure patient information is safe.

HIPAA (Health Insurance Portability and Accountability Act) - HIPAA, in correlation with PHI (Protected Health Information), requires healthcare organizations to ensure that applications are secure and that sensitive patient and business data is protected when in use, during transmission, and when stored on a mobile device.

FDA regulations - The Federal Food, Drug, and Cosmetic Act requires that any standalone device or accessory (software application) that is directly consumed by the end user is subject to regulation and approval by the FDA.

HITECH (Health Information Technology for Economic and Clinical Health) Act - HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act is intended to encourage more effective and efficient healthcare through the use of technology, such as implementing electronic health records (EHR), thereby reducing healthcare costs and enabling greater access to the system. It aims to address the privacy and security concerns associated with the electronic transmission of health information.

Defining the application - Does your mobile app need FDA approval?

One of the key steps in defining the security compliance strategy for your mobile app is to determine whether the application requires FDA approval.

FDA clearance is typically required for apps that are involved in diagnosis, treatment, cure or mitigation of a device. A few examples are given below:

Standalone device - A device in finished form, perhaps ready to use with accessories, intended for sale to the end user. Example: an iPod touch integrated with an external device to view a patient's blood pressure.
FDA clearance: Yes, requires assessment for exemption.

Accessory - Software/articles within a standalone device intended for use by the end user. Examples: A) an app used by a patient to download information from a blood glucose meter; B) an app focused on helping people with weight loss and everyday management of diabetes.
FDA clearance: Yes, requires assessment for the type of application.

On the other hand, applications that are informational and reference-only do not require FDA approval.

So how do you know whether the app you developed will be subject to FDA approval? Based on research and years of experience, we at RapidValue suggest considering the questions listed below to help you evaluate whether your app is exempt from FDA approval.

Brainstorm and evaluate: possible considerations for an app not being subject to FDA approval

1. How is the data going to be entered into the app?
   Make sure the data to the app is:
   - Entered manually
   - Not received from an external device/machine connected to the app
   - Not dependent on physical contact with the patient specimen

2. What is the output of the app?
   The output:
   - Should not connect to any other device and guide with any instruction
   - Should only interpret the input and provide meaningful data to the patient
   - Should not cure/mitigate/treat the patient

3. Does the app provide real-time updates of a patient?
   The app should not:
   - Monitor the patient in real-time
   - Notify users on alarms about the physical condition of a patient
   - Produce patient-specific results using processing algorithms

4. RapidValue's assessment
   Apps that do not need approval:
   - Wellness-related apps that track/log/record food habits or physical fitness exercise
   - Medical reference applications
   - Medical EHRs/PHRs
   - Apps that improve efficiency, like mobile hospital management care (mHMC) and workflow management
   - Practice-management applications that track billing, determine medical billing codes, and handle remote physician consultation (mPrescribing) and appointments
   Apps that need approval:
   - PACS apps (Picture Archiving and Communication Systems) that display radiological images for diagnosis, such as X-ray scan reports; these are classified under class II PACS
   - Apps that monitor a patient's blood pressure, display a patient's heartbeat, attach ECG reports, or connect to a device on the patient to monitor sleep patterns

Secure your mobile app - Understanding HIPAA compliances

For any healthcare application, security and compliance go hand in hand, and it is absolutely essential to adopt all healthcare compliances and regulations governing the healthcare sector, including HIPAA, HITECH, ITRF Regulation and PCI/PHI compliances.

While a technical architect or product manager decides whether an application is subject to FDA regulation, compliance and security need to be incorporated by the development team building the application.

Below are the key steps in ensuring a design that addresses compliance and regulation requirements.

A. Assess the user base

Brainstorm / Diagnose

1. What type of user group will access the application?
   Is the application going to be accessed by consumers? Is it an enterprise application, which will be accessed only by employees of the organization?

2. Mobile platforms
   On what platforms does the mobile application need to be supported? iOS (Apple), Android, Blackberry, Windows or all?

3. Server requirements
   Is the application a standalone app, or does it communicate with a backend server for data synchronization? What will the application usage be at most times? Will the application be utilized by a large user base? The bandwidth the server can handle needs to be evaluated.

Unlike applications that run on desktop environments, where the majority of systems run on a single platform/operating system, the market share of mobile platforms is quite fragmented.

Assessing the information from the above questions will help the IT team strategize and continually tailor unique security policies on the corporate servers that wireless devices access.

Over the few years since their inception, smartphones have become smarter and more powerful by the year, with the capability of communicating through multiple channels combined with significant processing power and large storage capacity. Hence these devices have become the easiest target for data vulnerability and security issues compared to laptops.

B. Design a strategy

The Centers for Medicare and Medicaid Services (CMS), which oversees HIPAA security rule enforcement, has published 'HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information' to help organizations determine the best way to protect ePHI available to mobile device users. Our framework for implementing a secure mobile application is based on the CMS guidance, with recommendations from a development and implementation perspective.

Primary risk areas:
- Access to data through external entities (hacking/theft)
- Loss of device
- Exposure of device to malware

1. Secure your device

Make sure the mHealth application requires a set of unique credentials (username and password) to access the application.

Risk scenario: Login credentials are lost/stolen, which could potentially result in unauthorized access to view/modify ePHI.

Solution:

a) Implement two-factor authentication for granting remote access to systems that contain ePHI. In addition to the username and password:
   - Create a security question, such as 'Which city were you born in?'
   - Create a four-digit security code that will always be requested when the application has been inactive for a specific period of time
   - The four-digit security code can be used for logging into the application when the device is in offline mode

b) Enable access to the application using a VPN client connection through 'Cisco AnyConnect' or 'RSA SecurID'.

c) Set password protection rules such as a 6-character PIN, expirations, failure thresholds, and data wipe after failure.

d) Implement a technical process for creating unique user names and performing authentication when granting remote access to a workforce member.

e) Set up devices to automatically lock after a specified period of inactivity.

f) Whenever a device is stolen, the IT helpdesk should be notified, and a user interface should be provided on the backend system for the representative to de-register the username.

2. Secure your data

Make sure the data sent to the mobile application is secure on the device as well as during transmission.

Risk scenario: Hacking the network or a mobile device from unprotected access points (such as a hotel business center or airport) is a growing concern and can potentially result in loss of ePHI data.

Solution:

a) Prevent downloading and storing of ePHI data on the device whenever possible. Ensure that any data that is downloaded is operationally justifiable.

b) Minimize caching of data on browsers for web-based applications.

c) Implement strong encryption solutions (validated encryption such as AES-256 and Triple DES) for transmission of ePHI, using SSL (Secure Socket Layer) as the minimum requirement for mHealth applications.

d) Create policies to prevent the use of, and/or encrypt, SD cards and other removable media on mobile devices.

e) Ensure that the server to which all web-service requests from the mobile devices are sent, and from which responses are received, is firewall protected.

f) Provide the ability to perform a 'remote wipe-off' from the server to delete ePHI data from the device. Remote wipe-off can be designed in either of the following ways:
   - Monitor the application 'Agent' continuously during online/offline activities and perform remote wipe-off from the server on suspicious activities.
   - Monitor the application 'Agent' during online activities and perform remote wipe-off from the server. If the 'Agent' cannot be tracked during offline mode, the data on the device should be deleted after the application has been inactive for about five days.

[Figure: Facility (firewall, database, server) connected to mobile devices over a 128-bit encrypted pipeline with authentication + SSL. Data (text and pictures) sent over the SSL pipeline is encrypted and cannot be deciphered; a unique username and password is authenticated against the device on every login.]
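As an added illustration of the device-side controls from sections 1 and 2 above (PIN re-prompt after inactivity, a failure threshold that wipes local data, a server-ordered remote wipe-off, and deletion of cached ePHI when the 'Agent' has been unreachable for about five days), the following Python sketch is example code written for this edit, not RapidValue's own. The PIN length, attempt limit, timeout values, the FakeClock and the sample cache entries are constructed assumptions; the PIN is stored only as a salted PBKDF2 hash and compared in constant time, which is the usual way to keep a local unlock secret off the device in clear text. Transport protection (item 2c) is not modelled here; note that the SSL the paper names corresponds today to TLS 1.2 or later.

```python
import hashlib
import hmac
import os
import time

# Policy values are constructed for this example. The paper specifies a
# 6-character PIN, failure thresholds with data wipe, an inactivity lock, and
# deleting cached ePHI after "about five days" without server contact.
MIN_PIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 5
INACTIVITY_TIMEOUT_S = 5 * 60           # re-prompt for the PIN after 5 idle minutes
OFFLINE_WIPE_AFTER_S = 5 * 24 * 3600    # wipe if the server 'Agent' is unreachable ~5 days
PBKDF2_ITERATIONS = 100_000


class DeviceSessionGuard:
    """Guards a local ePHI cache: the PIN lives only as a salted PBKDF2 hash,
    reads need a live unlocked session, and the cache is wiped on too many
    failures, on a server-issued wipe, or after the offline grace period."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable so tests can drive time
        self._salt = os.urandom(16)
        self._pin_hash = None
        self._failed = 0
        self._unlocked_at = None
        self._last_server_contact = clock()
        self.ephi_cache = {}
        self.wiped = False
        self.wipe_reason = None

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ITERATIONS)

    def set_pin(self, pin):
        if len(pin) < MIN_PIN_LENGTH or not pin.isdigit():
            raise ValueError(f"PIN must be at least {MIN_PIN_LENGTH} digits")
        self._pin_hash = self._derive(pin)
        self._failed = 0

    def wipe(self, reason):
        self.ephi_cache.clear()                 # delete cached ePHI (remote wipe-off semantics)
        self._pin_hash = None
        self._unlocked_at = None
        self.wiped = True
        self.wipe_reason = reason

    def is_unlocked(self):
        if self.wiped or self._unlocked_at is None:
            return False
        if self.clock() - self._unlocked_at > INACTIVITY_TIMEOUT_S:
            self._unlocked_at = None            # idle too long: require the PIN again
            return False
        return True

    def unlock(self, pin):
        if self.wiped or self._pin_hash is None:
            return False
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self._failed = 0
            self._unlocked_at = self.clock()
            return True
        self._failed += 1
        if self._failed >= MAX_FAILED_ATTEMPTS:  # failure threshold reached: wipe
            self.wipe("failure threshold")
        return False

    def server_checkin(self, command=None):
        """Called whenever the app reaches the backend; the server may order a wipe."""
        self._last_server_contact = self.clock()
        if command == "WIPE":
            self.wipe("remote wipe")

    def check_offline_expiry(self):
        if not self.wiped and self.clock() - self._last_server_contact > OFFLINE_WIPE_AFTER_S:
            self.wipe("offline expiry")
        return self.wiped

    def read_ephi(self, key):
        self.check_offline_expiry()
        if not self.is_unlocked():
            raise PermissionError("session locked: PIN required")
        self._unlocked_at = self.clock()        # user activity extends the session
        return self.ephi_cache.get(key)


class FakeClock:                                # constructed clock for deterministic runs
    def __init__(self, start=0.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def lockout_scenario():
    clock = FakeClock(1_000_000.0)
    guard = DeviceSessionGuard(clock)
    guard.set_pin("482913")                     # constructed sample PIN
    guard.ephi_cache["patient/42/vitals"] = "constructed sample record"
    events = [("wrong_pin", guard.unlock("000000")),
              ("unlock", guard.unlock("482913")),
              ("read", guard.read_ephi("patient/42/vitals"))]
    clock.advance(INACTIVITY_TIMEOUT_S + 1)
    events.append(("locked_after_idle", guard.is_unlocked()))
    for _ in range(MAX_FAILED_ATTEMPTS):        # repeated wrong entries reach the threshold
        guard.unlock("111111")
    events.append(("wiped", guard.wiped, guard.wipe_reason, len(guard.ephi_cache)))
    return events


def offline_scenario():
    clock = FakeClock()
    guard = DeviceSessionGuard(clock)
    guard.set_pin("482913")
    guard.ephi_cache["patient/42/vitals"] = "constructed sample record"
    guard.server_checkin()                      # last contact with the 'Agent'
    clock.advance(OFFLINE_WIPE_AFTER_S + 1)
    guard.check_offline_expiry()
    return guard.wiped, guard.wipe_reason, len(guard.ephi_cache)
```

Running lockout_scenario() walks through a rejected PIN, a successful unlock and read, the automatic re-lock after the idle timeout, and the wipe once the failure threshold is hit; offline_scenario() shows the cache being cleared after the five-day offline window with no server contact. In a real app the cache would be an encrypted store on the device and the wipe would also clear keychain entries, but the state machine is the same.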

C. Deploy and manage

Once the development team implements the application with the compliance measures discussed above, the next step is assessing how to deploy the application and manage it over subsequent releases and upgrades.

For applications that are not going to be used by consumers but rather by employees within the organization, we recommend rolling out using the enterprise distribution model, through which users have access to and download the recommended enterprise apps, receive them in a secure way over-the-air (OTA), and are alerted to and download updates when available. Moreover, organizations can leverage this feature to keep an accurate inventory of the mobile apps that are installed at any given time, and to monitor them by device and user group.

While there is significant concern about application vulnerability, integrity and user privacy in the Apple App Store and Android Market, we believe that implementing some of the security measures below will strengthen compliance policies significantly.

- Develop processes to ensure backups of all ePHI data sent/received by the mobile devices are performed on the server side regularly.
- For enterprise-controlled apps/devices, apply over-the-air (OTA) provisioning and management of smartphones.
- Scan for suspicious activities and malware on the server network platform regularly.
- Ensure the workforce is appropriately trained on policies and on the usage of any application that requires access to ePHI data. Recommend that users search for and delete any files intentionally or unintentionally saved to external devices.
- Perform regular internal HIPAA audits when an application is planned for an upgrade to include new enhancements/bug fixes.

Conclusion

When considering the trends towards adoption of different digital technologies, today's healthcare organizations face enormous challenges in compliance and regulation. As we have witnessed more recently, personal information theft has proven costly for organizations, resulting in lost credibility and in being forced out of business.

With robust auditing required for HIPAA security compliance, IT groups can no longer ignore mobile devices in their security policy implementation. Companies looking to develop mHealth solutions should consider leveraging their existing IT infrastructure, policies and services, and ensure that newer technologies are seamlessly integrated. This will add significant value to the organization by providing quality care for its patients.

Disclaimer

This white paper brings out the evaluation criteria of mobile health apps related to FDA and HIPAA compliance aspects based on our research, analysis and understanding. Any architectural assessment and/or design decisions related to the above policies should not be implemented based solely on the recommendations in this document. RapidValue shall have no liability for any direct, incidental, or consequential damages suffered by any third party as a result of decisions/actions taken, or not taken, based on this document.

About RapidValue

RapidValue is a leading provider of mobility solutions to enterprises worldwide. Armed with a team of 175+ experts in mobility consulting and application development, along with experience delivering over 200 mobility projects, we offer a range of mobility services across industry verticals. RapidValue delivers its services to the world's top brands and Fortune 1000 companies, and has offices in the United States and India.

www.rapidvaluesolutions.com www.rapidvaluesolutions.com/blog

+1 877.690.4844 [email protected]