14th AMC Security & Privacy Conference June 12, 2018

Transcription

1 Emerging Security & Privacy Issues Arising From the Proliferation of Devices in the Health Care Workplace 14th AMC Security & Privacy Conference June 12, 2018

2 SPEAKERS 2 Robert C. Van Arnam Partner & Chair, Intellectual Property Section and Co-Chair, Data Protection & Cybersecurity Practice Williams Mullen rvanarnam@williamsmullen.com Karen Pagliaro-Meyer Chief Privacy Officer Columbia University Medical Center kpagliaro@columbia.edu David J. Kuraguntla CEO GraftWorx dave@graftworx.com Dominic P. Madigan Partner, Health Care Section Williams Mullen dmadigan@williamsmullen.com 2

3 AGENDA 1. Overview of the rules pertaining to security and privacy issues for devices in the health care workplace 2. Issues faced by Columbia University Medical Center (CUMC) as an AMC pertaining to security and privacy issues arising from devices 3. Security/privacy issues recognized by GraftWorx, where those issues arise and how GraftWorx addresses those issues 4. Panel discussion 3 Please note: This presentation contains general, condensed summaries of actual legal matters, statutes and opinions for information purposes. It is not meant to be and should not be construed as legal advice. Individuals with particular needs on specific issues should retain the services of competent counsel. 3

4 RULES PERTAINING TO SECURITY AND PRIVACY ISSUES FOR DEVICES IN THE HEALTH CARE WORKPLACE Dominic P. Madigan Williams Mullen 4

5 SCOPE OF DEVICES > Definition of medical devices > The high tech medical devices and products, including: Implants Networked equipment Mobile medical devices Wearables Applications/software as medical device 5 5

6 FOLLOWING THE RULES > Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (HIPAA) > Food and Drug Administration (FDA) oversight/guidance > Federal Trade Commission (FTC) enforcement E.g., FTC and HHS developed website for mobile medical app developers to determine which laws under purview of FDA, FTC, or HHS (HIPAA) apply to them: > State laws and Attorney General enforcement > Employment laws employee monitoring using workplace equipment 6 6

7 HIPAA > Always a concern for covered entities (including providers); sometimes a concern for medical device companies, as business associates > Security Rule Risk analyses Administrative, technical, and physical standards National Institute for Standards and Technology (NIST) > Breach Notification Device company duty to notify covered entity Unless otherwise delegated, covered entity duty to notify individuals, HHS and potentially the media > Enforcement Lahey Hospital settlement 7 7

8 FDA > The FDA has regulatory oversight over medical devices since 1976; guidance published on scope of oversight for newer technology Stand Alone Software as a Medical Device (2016) Mobile Medical Applications (2015) General Wellness: Policy for Low Risk Devices (2015) > Has published numerous guidance documents related to medical devices and cybersecurity Premarket Submissions for Management of Cybersecurity (2013) Postmarket Management of Cybersecurity (2016) Cybersecurity for Medical Devices and Hospital Networks (2013) (safety communication) > Public notifications/recalls due to security flaws Hospira infusion pump warning (2013); Pacemaker recall (2017) 8 8

9 FTC > FTC Act, Section 5 Prohibits unfair or deceptive acts or practices (e.g. false or misleading claims) Enforcement for the failure to have reasonable and appropriate data security practices to protect consumer data Cause or likely to cause substantial injury to consumers that is neither reasonably avoidable nor outweighed by benefits to consumers or competition Accretive (2014); Practice Fusion (2016) > Breach Notification Rule (personal health records) > Office of National Coordinator at HHS (in coordination with FTC) Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA (2016) 9 9

10 STATE LAWS > State laws leading to Attorney General enforcement Data breach notification almost all states Most not healthcare specific Require at least notification; some require security measures Consumer protection laws Often intersect with data breaches and notification requirements Similar to FTC Act authority Example: Beth Israel Deaconess Medical Center (MA) (data breach); NY AG enforcement against 3 mobile health app developers (efficacy claims/privacy practices) 10 10

11 EMPLOYMENT ISSUES > Employee monitoring on workplace devices Computer/device usage Telephone/voic / Video surveillance/gps surveillance Future sociometric monitoring and microchipping > Federal and state laws impact employer and employee rights and responsibilities > Primary legal authorities: Electronic Communications Privacy Act of 1986 (ECPA) - 18 U.S.C et seq. Computer Fraud and Abuse Act 18 U.S. Code 1030 State Wiretapping and Privacy Laws State Computer Trespass Laws National Labor Relations Act 11 11

12 ISSUES FACED BY CUMC AS AN AMC PERTAINING TO SECURITY AND PRIVACY ISSUES ARISING FROM DEVICES Karen Pagliaro-Meyer Columbia University Medical Center 12

13 13 13

14 RESEARCH STUDIES AND WEARABLE DEVICES 14 > Research Subject Consent form is key document What information will be collected? Subjects provided with device for research purpose? Subjects personal device or research subject ID used for device? Where will the data be stored and how will it be used? What will happen to the data at the end of the research? Downside of fitness trackers and health apps is loss of privacy 14

15 PERSONAL DEVICES > Create, receive maintain or transmit PHI on personal devices Text messages, photos, person accounts Policies must agree to security policies to access PHI Education Mobile Device Management Sanctions > Departing workforce members > Social Media - Personal photos, audio and video recording in the workplace 15 15

16 OTHER ISSUES > New Devices When to Engage Information Security > Terms and conditions / Privacy / electronic agreements > Business Associate Agreements > Information Security Evaluations / Risk Assessments 16 16

17 OCR CYBERSECURITY NEWSLETTER OCTOBER 2017 > OCR also listed the following tips for ensuring mobile device security: Use a privacy screen to prevent people close by from reading information on your screen Use only secure Wi-Fi connections Use a secure Virtual Private Network (VPN) Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ephi from apps, and verifying that apps only have the minimum necessary permissions required 17 17

18 OCR CYBERSECURITY NEWSLETTER OCTOBER 2017 > OCR also listed the following tips for ensuring mobile device security (continued): Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device Covered entities and their business associates can greatly benefit from using mobile devices. However, organizations must also understand that potential risk factors will arise along with the convenience of quickly accessing data from anywhere. Implementing necessary and applicable policies and procedures for mobile device security, and then instilling those policies and procedures into regular workforce training will be essential for maintaining ephi security

19 SECURITY/PRIVACY ISSUES RECOGNIZED BY GRAFTWORX, WHERE THOSE ISSUES ARISE AND HOW GRAFTWORX ADDRESSES THOSE ISSUES David J. Kuraguntla GraftWorx 19

20 GRAFTWORX S VISION 20 20

21 GRAFTWORX S PLATFORM SCALABLE HARDWARE 21 21

22 CLINICALLY ACTIONABLE DATA FOR THE FUTURE 22 22

23 REMOTE MONITORING CREATES IMMENSE VALUE IN DIALYSIS 23 23

24 PRINCIPLES OF IOT SECURITY IN HEALTHCARE 24 24

25 GRAFTWORX SECURITY IMPLEMENTATION 25 25

26 PANEL DISCUSSION & QUESTIONS 26