Date post: | 08-Aug-2018 |
Category: |
Documents |
Upload: | kavyanidhi |
View: | 215 times |
Download: | 0 times |
of 13
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
1/13
A RapidValue Solutions Whitepaper
Author: Dilip Chatulingath
REGULATIONS AND COMPLIANCE FORENTERPRISE MOBILE HEALTH APPLICATIONS
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
2/13
Contents
Mobilizing healthcare applications 01
02
03
05
05
06
09
10
11
A RapidValue Solutions Whitepaper July - 2012 02
Security concerns and challenges
A. Assess the user base
B. Design a strategy
C. Deploy and manage
Defining the application Does your mobile app need FDA approval?
Secure your mobile app Understanding HIPAA compliances
Conclusion
About RapidValue
RapidValueEnabling Mobility RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
3/13RapidValueEnabling Mobility
Mobilizing healthcare applications
The rapid explosion of mobile platforms and adoption of smart devices have provided greater flexibility and
opportunity for physicians and other staff at hospitals to deliver real-time information at the Point of care.
Mobile Healthcare, or what is more commonly called as mHealth, has created a channel to facilitate,
communicate and deliver healthcare services via mobile communication devices.
Over the last few months, increasing number of mHealth apps have gained traction, that help physicians and
other healthcare providers to keep track of reference drugs, monitor patient health records and status, and
manage schedules. While this provides a plethora of opportunities and possibilities for healthcare
organizations to reduce costs and improve efficiency, this increased mobility trend has created new challenges
towards healthcare IT.
mHealth market 2015: 500m people will be using healthcaresmartphone applications
01
Healthcare organizations and
software firms looking to make
investments in mobile applications
need to assess implications of
HIPAA and FDA in order to protectpatient health information and
ensure compliances are met. This
document outlines some of the
key evaluation criteria on
regulations and security
considerations in healthcare
sector that need to be addressed
while implementing mobility
solutions.
(research2guidance, November 2010 report)
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
4/13RapidValueEnabling Mobility
This paper is a guide for healthcare organizations and their IT department, to assess and identify basic
requirements, help healthcare organizations reduce risk, improve operational efficiencies and achieve
compliance goals to enable them to provide a higher quality of patient care. The whitepaper combines
industry's best practices along with RapidValue's experience in implementing solutions for many customers.
02
Security concerns and challenges
The influx and usage of mobile devices have threatened the traditional policies and processes towards
security. The mode of data transmission over the last few years through client/server approach and fixed-line
infrastructures have become obsolete due to invention of mobile and internet technologies. Mobile devices
provide access to corporate resources and applications from anywhere, through cloud services and remote
mobile desktops.
As more sensitive information is being fed into mobile applications and into the network cloud in general, the
complete security, privacy and regulatory compliance of such information must be assured. Since security
breaches are not uncommon in any industry, the healthcare industry has mandated a few regulations andcompliances to ensure patient information is safe.
HIPAA (Health Insurance Portability and Accountability Act) - HIPAA in correlation with PHI (Protected
Health Information) requires healthcare organizations to ensure that applications are secure, and
sensitive patient and business data is protected when in use, during transmission or when stored in a
mobile device.
FDA regulations - Federal Food, Drug, and Cosmetic Act requires that any standalone device or an
accessory (software applications) that is directly consumed by the end user is subjected to
regulations and approval by the FDA.
HITECH (Health Information Technology for Economic and Clinical Health) Act - HITECH is part of the
American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act is intended to encourage
more effective and efficient healthcare through the use of technology, like implementing electronic
health records (eHR), thereby reducing the healthcare costs and enabling greater access to the
system. It aims to address the privacy and security concerns associated with the electronic
transmission of health information.
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
5/13RapidValueEnabling Mobility03
Defining the application Does your mobile appneed FDA approval?
One of the key steps in defining the security compliance strategy for your mobile app is to determine
whether the application requires FDA approval.
FDA clearance is typically required for apps that are involved in diagnosis, treatment, cure or mitigation of a
device. A few examples are given below:
Standalone device Device in finished form, perhaps ready to use with accessories with an
intended sale to end-user. Example: iPod touch integrated with an external device to view the blood
pressure of a patient.
FDA clearance Yes, requires assessment for exemption
Accessory Software/articles within a standalone device intended for use by end-user.
Example: A) An app that is used by a patient to download information from a blood glucose meter.
B) An app focused on helping people with weight loss and everyday management of diabetes.
FDA clearance - Yes, requires assessment for the type of application
On the other hand, applications that are informational and reference-only do not require FDA approvals.
So how do we know, if the app you developed will be subjected to FDA approval or not? Based on research
and years of experience, we at RapidValue suggest you to consider the below listed questions to help you
evaluate, if your app is not to be subjected to FDA approval.
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
6/13RapidValueEnabling Mobility04
Brainstorm and evaluate# Possible considerations for app not being subject to FDA approval
1 How is the data going to be
entered into the app?
Make sure the data to the app is
Entered manually
Not connected to external device/machine through which it receivesdata
Does not require physical contact with the patient specimen
2 What is the output of the app? The output
Should not connect to any other device and guide with anyinstruction
Should only interpret the input and provide meaningful data tothe patient
Should not cure/mitigate/treat the patient
3 Does the app provide real-time
updates of a patient?
4 RapidValue's assessment
The app should not
Monitor the patient in real-time
Notify users on alarms about the physical condition of a patient
Patient-specific result using processing algorithms
Apps that do not need approval
Wellness related app like track/log/record food habits, physical fitness exercise
Medical reference application
Medical EHRs/PHRs
Apps that improve efficiency like mobile hospital management care (mHMC), workflow management
Practice-management applications like track billing, determine medical billing codes, remote physicianconsultation (mPrescribing) and appointments
Apps that need approval
PACS apps (Picture Archiving and Communication Systems) that display radiological images fordiagnosis is classified under class II PACS like X-rays scan reports
Monitor blood pressure of patient, display heartbeat of a patient, attachments of ECG reports, deviceconnected to patient to monitor sleep pattern
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
7/13RapidValueEnabling Mobility05
Secure your mobile app - Understanding HIPAAcompliances
For any healthcare application, security and compliance go hand in hand and it is absolutely essential to
adopt all healthcare compliances and regulations including HIPAA, HITECH, ITRF Regulation or PCI/PHI
compliances governing the Healthcare sector.
While a technical architect or product manager takes the decision of whether an application is subjected to
FDA regulation, compliances and security need to be incorporated by the development team building the
application.
Below are the key steps in ensuring a design that addresses compliance and regulation requirements.
Unlike applications that run on desktop environments where majority of systems run on a singleplatform/operating system, the market share of mobile platforms is pretty fragmented.
Assessing information on the above questions will help the IT team to strategize and tailor unique security
policies on corporate servers constantly which are accessed by wireless devices.
A. Assess the user base
Brainstorm# Diagnose
1 What is the type of user-group
that will access the application? Is the application going to be accessed by consumers?
Is it an enterprise application, which will be accessed only byemployees of the organization?
2 Mobile platforms On what platforms does the mobile application need to be supported?
iOS (Apple), Android, Blackberry, Windows or All?
3 Server requirements Is the application a standalone app or does it communicate withbackend server for data synchronization?
What will be the application usage at most times? Will the applicationbe utilized by a large user base? The bandwidth which the server can
handle needs to be evaluated
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
8/13RapidValueEnabling Mobility06
Over the very few years of inception, smartphones have got smarter and powerful by the year with the
capabilities of communicating through multiple channels combined with significant processing power and
large storage capabilities. Hence these devices have become the easiest threat to data vulnerability and
security compared to laptops.
B. Design a strategy
The Center for Medicare and Medicaid Services (CMS), which oversees HIPAA security rule enforcement, has
published a 'HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health
Information' to help organizations determine the best way to protect ePHI available to mobile device users.
Our framework of implementing a secure mobile application is based around the CMS guidance with
recommendations from a development and implementation perspective.
Access to data
through external
entities
(hacking/ theft)
Loss of deviceExposure of
device to Malware
Primary risk
Areas
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
9/13RapidValueEnabling Mobility07
Make sure the mHealth application requires a set of unique credentials (username and password) to access
the application.
Risk scenario: Login credentials are lost/stolen, which could potentially result in unauthorized access to
view/modify ePHI.
Solution:
a) Implement a two-factor authentication for granting remote access to systems that contain ePHI. Other
than username and password,
Create a security question like 'Which city you were born
Create a four-digit security code that will always be requested when the application has been inactive
for a specific period of time
The four-digit security code can be used for logging into the application when device is in offlinemode
b) Enable access to application using a VPN client connection through 'Cisco anytime connect' or
'RSA secure ID'.
c) Set password protection rules such as 6 character pin, expirations, failure thresholds, data wipe after
failure.
d) Implement a technical process for creating unique user names and performing authentication whengranting remote access to a workforce member.
e) Set up devices to automatically lock after a specified period of inactivity.
f) Whenever a device is stolen, the IT helpdesk should be notified on the same and a user interface
should be provided on the backend system for the representative to de-register the username.
1. Secure your device
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
10/13RapidValueEnabling Mobility08
Make sure the data sent to the mobile application is secure on the device as well as during transmission.
Risk scenario: Hacking the network or a mobile device from unprotected access points (like hotel business
center, airport) is a growing concern and can potentially result in loss of ePHI data
Solution:
a) Prevent downloading and storing of ePHI data on the device whenever possible. Ensure the data when
downloaded is operationally justifiable.
b) Minimize caching of data on browsers for web-based applications.
c) Implement strong encryption solutions (validated encryption AES256 & Triple DES) for transmission of
ePHI using SSL (Secure Socket Layer) as the minimum requirement for mHealth applications.
d) Create policies to prevent use of and/or encrypt SD cards and other removable media on mobile devices.
e) Ensure that the server to which all web-services request are sent/received from the mobile devices is
firewall protected.
f) Ability to perform 'Remote wipe-off' from the server to delete ePHI data from the device. Remote wipe-off
can be designed in any of the following ways
Monitor the application 'Agent' continuously during online/offline activities and perform remote
wipe-off from the server for suspicious activities.
Monitor application 'Agent' during online activities and perform remote wipe-off from the server. If
Agent' cannot be tracked during offline mode, the data on the device should be deleted for inactive
activity of application for about five days.
2. Secure your data
FACILITYFIREWALL
DATABASE 128 bit encrypted pipeline
Authentication + SSL
SERVER MOBILE DEVICES
Data (text and
pictures) sent over the
SSL pipeline is
encrypted and cannot
be deciphered
Unique username and
password authenticated
against device on every
login
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
11/13RapidValueEnabling Mobility09
Once the development team implements the application with the compliances discussed above, the next
step is in assessing how to deploy the application and manage them over subsequent releases and
upgrades.
For applications that are not going to be used by consumers but rather within the organization employees,
we recommend rolling out using the enterprise distribution model, through which users have access to and
download the recommended enterprise apps, receive them in a secure way over-the-air (OTA), and are
alerted to and download updates when available. Moreover organizations can leverage this feature to keep
an accurate inventory of the mobile apps that are installed at any given time, and be able to monitor them
by device and user groups.
While there is a significant concern about application vulnerability, integrity and user privacy in Apple app
store and Android market, we believe that implementing some of the below security measures will
strengthen the compliance policies significantly.
Develop processes to ensure backup of all ePHI data sent/received by the mobile are preformed on
the server side regularly.
For enterprise controlled apps/devices, apply Over-the-Air (OTA) provisioning and management of
smartphones.
Scan for suspicious activities and malware on server network platform regularly.
Ensure workforce is appropriately trained on policies and also on the application usage that require
accessing any ePHI data. Recommend users to search for and delete any files intentionally or
unintentionally saved to external devices.
Perform regular internal HIPAA audits when an application is planned for an upgrade to include new
enhancements/bug fixes.
C. Deploy and manage
A RapidValue Solutions Whitepaper July - 2012 RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
12/13
ConclusionWhen considering the trends towards adoption of different digital technologies, today's healthcare
organizations are facing enormous challenges in compliance and regulation. As we have witnessed more
recently, personal information theft have proven to be costly for organizations, resulting in loosing their
credibility and being forced out of business.
With robust auditing required for HIPAA security compliance, IT groups can no longer ignore mobile devices
in their security policy implementation. Companies looking to develop mHealth solutions should consider
leveraging their existing IT infrastructure, policies, and services and ensure that newer technologies are
seamlessly integrated. This will add significant value to the organization by providing quality care for their
patients.
DisclaimerThis white paper brings out the evaluation criteria of mobile health apps related to FDA and HIPAA
compliance aspects based on our research, analysis and understanding. Any architectural assessment and/or
design decisions related to the above policies should not be implemented based solely on the
recommendations in the document. RapidValue shall have no liability for any direct, incidental, or
consequential damages suffered by any third party as a result of decisions/actions taken, or not taken,
based on this document.
RapidValueEnabling Mobility10A RapidValue Solutions Whitepaper July - 2012
RapidValue Solutions
8/22/2019 Regulations and Compliace for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions
13/13
RapidValueEnabling Mobil
About RapidValue
RapidValue is a leading provider of mobility solutions to enterprises worldwide. Armed with a team of 175+
experts in mobility consulting and application development, along with experience delivering over 200
mobility projects, we offer a range of mobility services across industry verticals. RapidValue delivers its
services to the worlds top brands and Fortune 1000 companies, and has offices in the United States and
India.
www.rapidvaluesolutions.com www.rapidvaluesolutions.com/blog
+1 877.690.4844 [email protected]