RapidValue White Paper on Regulations and compliance for enterprise mHealth applications

Healthcare organizations and software firms looking to invest in mobile applications need to assess the implications of HIPAA and FDA regulation in order to protect patient health information and ensure compliance requirements are met. This document outlines some of the key evaluation criteria on regulations and security considerations in the healthcare sector that need to be addressed while implementing mobility applications.

© RapidValue 2012 | www.rapidvaluesolutions.com

Contents

Mobilizing healthcare applications
Security concerns and challenges
Defining the application: 'Does your mobile app need FDA approval?'
Secure your mobile app: Understanding HIPAA compliance
    A. Assess the user base
    B. Design a strategy
    C. Deploy and manage
Conclusion

About Us

RapidValue is a leading international professional services firm focused on building and managing highly scalable mobile and cloud applications for business. RapidValue was founded in 2008 by senior executives from Deloitte, IBM, Oracle, and Infosys to enable enterprises to deploy disruptive solutions in consumer and enterprise mobility. RapidValue delivers its services to companies throughout the world and has offices in the United States and India.

RapidValue has deployed numerous mHealth solutions in the healthcare industry for leading hospitals and software companies around the world. Our industry experts have helped companies take the next big step in implementing mobility solutions and improve the overall quality of patient care.

For more information about RapidValue, visit us online at www.rapidvaluesolutions.com or visit our blog at www.rapidvaluesolutions.com/blog.

Mobilizing healthcare applications

The rapid explosion of mobile platforms and the adoption of smart devices have given physicians and other hospital staff greater flexibility and opportunity to deliver real-time information at the point of care. Mobile healthcare, more commonly called mHealth, has created 'a channel to facilitate, communicate and deliver healthcare services via mobile communication devices'.

Over the last few months an increasing number of mHealth apps have gained traction, helping physicians and other healthcare providers keep track of reference drugs, monitor patient health records and status, and manage schedules. While this offers healthcare organizations many opportunities to reduce costs and improve efficiency, the increased mobility has created new challenges for healthcare IT.

This guide provides a simple prescription for IT teams to assess and identify basic requirements, helping healthcare organizations reduce risk, improve operational efficiency and achieve their compliance goals so that they can provide a higher quality of patient care. The white paper combines industry best practices with RapidValue's experience in implementing solutions for many customers.

mHealth market 2015: 500m people will be using healthcare smartphone applications (research2guidance, November 2010 report).

Security concerns and challenges

The influx and use of mobile devices have strained traditional security policies and processes. The data transmission model of the last few years, client/server applications over fixed-line infrastructure, has been made obsolete by mobile devices that access corporate resources and applications from anywhere, by cloud services, remote mobile desktops and social networks.

As more sensitive information is fed into mobile applications and into the cloud in general, the security, privacy and regulatory compliance of that information must be assured end to end. Since security breaches are not uncommon in any industry, the healthcare industry is subject to a number of regulations intended to keep patient information safe:

HIPAA (Health Insurance Portability and Accountability Act): HIPAA, through its rules on PHI (Protected Health Information), requires healthcare organizations to ensure that applications are secure and that sensitive patient and business data is protected in use, during transmission, and when stored on a mobile device.

FDA regulations: under the Federal Food, Drug, and Cosmetic Act, a stand-alone device, or an accessory to one (including software applications), that is intended for direct use by the end user is subject to FDA regulation and clearance.

HITECH (Health Information Technology for Economic and Clinical Health) Act: HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA). It is intended to encourage more effective and efficient healthcare through the use of technology, such as electronic health records (EHR), thereby reducing healthcare costs and enabling greater access to the system. It also addresses the privacy and security concerns associated with the electronic transmission of health information.

Defining the application: 'Does your mobile app need FDA approval?'

One of the key steps in defining the security and compliance strategy for your mobile app is to determine whether the application requires FDA approval.

FDA clearance is typically required for apps involved in the diagnosis, treatment, cure or mitigation of disease. A few examples:

Stand-alone device: a device in finished form, possibly ready to use with accessories, intended for sale to the end user. Example: an iPod touch integrated with an external device to view a patient's blood pressure. FDA clearance: yes; requires assessment for exemption.

Accessory: software or articles within a stand-alone device intended for use by the end user. Examples: a) an app used by a patient to download information from a blood glucose meter; b) an app that helps people with weight loss and everyday management of diabetes. FDA clearance: requires assessment based on the type of application.

On the other hand, applications that are informational and reference-only do not require FDA approval.

So how do we really know whether the app will be subject to FDA approval? Based on research and experience over the years, we at RapidValue suggest evaluating the app against the questions below, which describe the conditions under which an app is not subject to FDA approval.

Brainstorm and evaluate: possible considerations for an app not being subject to FDA approval

1. How is the data going to be input/entered into the app? Make sure the data to the app is:
   - entered manually;
   - not received from an external device/machine that the app is connected to;
   - not dependent on physical contact with a patient specimen.

2. What is the output of the app? The output:
   - should not connect to any other device or guide it with any instruction;
   - should only interpret the input and provide meaningful data to the patient;
   - should not cure, mitigate or treat the patient.

3. Does the app provide real-time updates about a patient? The app should not:
   - monitor the patient in real time;
   - notify users of alarms about a patient's physical condition;
   - produce patient-specific results using processing algorithms.

RapidValue's assessment

Typical apps that do not need approval:
- wellness apps that track, log or record food habits and physical fitness exercise;
- medical reference applications;
- medical EHRs/PHRs;
- apps that improve efficiency, such as mobile hospital management care (mHMC) and workflow management;
- practice-management applications, such as tracking billing, determining medical billing codes, remote physician consultation (mPrescribing) and appointments.

Apps that need approval:
- PACS apps (Picture Archiving and Communication Systems) that display radiological images, such as X-ray scans, for diagnosis; PACS is classified as a Class II device;
- apps that monitor a patient's blood pressure, display a patient's heartbeat, attach ECG reports, or connect to a device on the patient to monitor sleep patterns.

Secure your mobile app: Understanding HIPAA compliance

For any healthcare application, security and compliance go hand in hand, and it is absolutely essential to adopt all healthcare compliance requirements and regulations governing the sector, including HIPAA, HITECH, ITRF Regulation and PCI/PHI compliance. While a technical architect or product manager decides whether an application is subject to FDA regulation, compliance and security need to be incorporated by the development team building the application.

Below are the key steps in ensuring a design that addresses compliance and regulatory requirements.

A. Assess the user base

Unlike desktop environments, where the majority of systems run on a single platform/operating system, the market share of mobile platforms is fairly fragmented and

Brainstorm and diagnose

1. User group: What type of user group will access the application? Is the application going to be accessed by consumers? Is it an enterprise application that will be accessed only by employees of the organization?

2. Mobile platforms: On what platforms does the mobile application need to be supported? iOS (Apple), Android, BlackBerry, Windows, or all of them?

3. Server requirements: Is the application a stand-alone app, or does it communicate with a backend server for data synchronization? What will the application usage be most of the time? Will the application be accessed and used by a large user base? We need to ensure the bandwidth of the server handles

Assessing the answers to the above questions will help the IT team strategize and tailor security policies for corporate servers that are constantly accessed by wireless devices.

B. Design a strategy

In the few years since their inception, smartphones have become smarter and more powerful every year, combining the ability to communicate over multiple channels with significant processing power and large storage capacity. As a result these devices are now an easier target for data exposure than laptops.

The Centers for Medicare & Medicaid Services (CMS), which oversaw HIPAA Security Rule enforcement at the time (enforcement has since passed to the HHS Office for Civil Rights), published 'HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information' to help organizations determine the best way to protect ePHI available to mobile device users.

Our framework for implementing a secure mobile application is based on the CMS guidance, with recommendations from a development and implementation perspective.

Primary risk areas:
- exposure of the device to malware;
- loss of the device;
- access to data by external entities (hacking/theft).

1. Secure your device: make sure the mHealth application requires a set of unique credentials (username and password) to access the application.

Risk scenario: login credentials are lost or stolen, which could result in unauthorized access to view or modify ePHI.

Solution:
a) Implement two-factor authentication for granting remote access to systems that contain ePHI. In addition to the username and password:
   - create a security question such as 'Which city were you born in?';
   - create a four-digit security code that is always requested when the application has been inactive for a specific period of time. The four-digit security code can also be used to log into the application when the device is in offline mode.

2. Secure your data: make sure the data sent to the mobile application is secure on the device as well as during transmission.

Risk scenario: attacks on the network or on a mobile device from unprotected access points (such as a hotel business center or an airport) are a growing concern and can result in loss of ePHI data.

Solution:
a) Prevent downloading and storing of ePHI data on the device whenever possible. Ensure that any data that is downloaded is operationally justifiable.
b) Minimize caching of data in browsers for web-based applications.
c) Implement strong, validated encryption for ePHI (AES-256; the Triple DES listed alongside it in 2012 guidance is now deprecated and should not be chosen for new designs) and use TLS for transmission as the minimum requirement for mHealth applications (TLS is the successor to SSL; SSL itself is obsolete and must be disabled).
d) Create policies to prevent the use of, and/or encrypt, SD cards and other removable media on mobile devices.
e) Ensure that the server to which all web-service requests from the mobile devices are sent is protected by a firewall.
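Items b) and c) above ask for minimal browser caching of ePHI and for TLS as the transport floor. The Python below is an added example, not the white paper's code, showing the client-side TLS context a practitioner would ship, the weak 'verification switched off' context a release gate must reject, and a check that a response carrying ePHI forbids storage. The header set and the policy check are this example's choices, not values from the paper.

```python
"""Transport and browser-caching controls for ePHI (added example, not the
white paper's code). The header set and policy rules below are assumptions."""
import ssl
from typing import Dict, Optional


def make_client_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context an mHealth client should use when talking to the ePHI server.

    SSL 2/3 and TLS 1.0/1.1 are refused outright; the server certificate is
    verified against the CA bundle (system store when cafile is None) and the
    hostname must match, so a rogue hotel or airport access point cannot
    interpose itself with a self-signed certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context_for_comparison() -> ssl.SSLContext:
    """The weak setting seen in the wild: verification switched off to make a
    test server 'work'. Included only so context_meets_policy() has something
    to reject; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Release-gate check: TLS 1.2 or better, certificate required, hostname checked."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


# Response headers for any endpoint that returns ePHI to a browser-based client.
# 'no-store' is the one directive that forbids writing the response to disk;
# 'no-cache' alone only forces revalidation and still allows storage.
EPHI_RESPONSE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, max-age=0",
    "Pragma": "no-cache",   # for HTTP/1.0 intermediaries that ignore Cache-Control
    "Expires": "0",
}


def ephi_response_headers() -> Dict[str, str]:
    return dict(EPHI_RESPONSE_HEADERS)


def response_may_be_cached(headers: Dict[str, str]) -> bool:
    """True if a browser or proxy is allowed to keep a copy of this response.
    Header names are matched case-insensitively; only 'no-store' counts."""
    for name, value in headers.items():
        if name.lower() == "cache-control":
            directives = {d.strip().lower() for d in value.split(",")}
            if "no-store" in directives:
                return False
    return True
```

Run context_meets_policy() over every context the app constructs in a unit test, and response_may_be_cached() over the headers of every ePHI endpoint; both are cheap and catch the two regressions that most often reintroduce data exposure, a developer disabling verification to reach a staging server and a framework default of 'private' or 'no-cache' that still lets the browser write ePHI to disk.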

Additional device and access controls:
a) Access the application over a VPN client connection (for example Cisco AnyConnect) with strong authentication such as RSA SecurID.
b) Password protection rules such as a 6-character PIN, expiration, failure thresholds, and data wipe once the failure threshold is reached.
c) Implement a technical process for creating unique user names and performing authentication when granting remote access to a workforce member.
d) Set up devices to lock automatically after a specified period of inactivity.
e) Whenever a device is stolen, the IT help desk should be notified, and the backend system should provide a user interface through which the representative can de-register the username.
f) Ability to perform a remote wipe from the server to delete ePHI data from the device. Remote wipe can be designed in either of the following ways:
   - monitor the application 'agent' continuously during online and offline activity and trigger a remote wipe from the server on suspicious activity;
   - monitor the application 'agent' during online activity and trigger a remote wipe from the server; if the agent cannot be tracked while the device is offline, the data on the device should be deleted after the application has been inactive for about 5 days.
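The four-digit offline security code, the failure-threshold wipe, the inactivity lock and the 'about 5 days' offline wipe described above are one policy enforced on the device. The Python below is an added example, not the white paper's or any vendor's code, of that policy as a small state machine. The 5-failure threshold, the 5-minute idle timeout and the PBKDF2 work factor are assumptions; the timeline in demo() is constructed; and the ePHI values are placeholder strings where a real client would hold AES-256-GCM ciphertext keyed from the user's credentials.

```python
"""Offline security-code gate for ePHI held on a device (added example, not
the white paper's code). Thresholds other than the 4-digit code and the
5-day offline limit are assumptions; ePHI values are placeholders."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

PIN_LENGTH = 4                        # the paper's four-digit offline security code
MAX_FAILURES = 5                      # assumed failure threshold before local wipe
INACTIVITY_LOCK_SECONDS = 5 * 60      # assumed idle time before the code is re-requested
OFFLINE_WIPE_SECONDS = 5 * 24 * 3600  # the paper's "about 5 days" without server contact
PBKDF2_ROUNDS = 100_000               # slows offline guessing of the code on a stolen device


def _derive(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class OfflineVault:
    salt: bytes
    verifier: bytes                      # PBKDF2 of the code; the code itself is never stored
    ephi: Dict[str, str] = field(default_factory=dict)
    failures: int = 0
    unlocked: bool = False
    wiped: bool = False
    last_activity: float = 0.0
    last_checkin: float = 0.0            # last time the server-side 'agent' saw this device

    @classmethod
    def enroll(cls, pin: str, now: float) -> "OfflineVault":
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("security code must be %d digits" % PIN_LENGTH)
        salt = os.urandom(16)
        return cls(salt=salt, verifier=_derive(pin, salt), last_activity=now, last_checkin=now)

    def wipe(self) -> None:
        # Destroy local ePHI and the verifier; re-enrolment via the server is required.
        self.ephi.clear()
        self.verifier = b""
        self.unlocked = False
        self.wiped = True

    def enforce_policy(self, now: float) -> None:
        """Apply the time-based rules; called before every sensitive operation."""
        if self.wiped:
            return
        if now - self.last_checkin > OFFLINE_WIPE_SECONDS:
            self.wipe()                  # agent untracked for too long: assume device lost
        elif self.unlocked and now - self.last_activity > INACTIVITY_LOCK_SECONDS:
            self.unlocked = False        # idle: require the security code again

    def unlock(self, pin: str, now: float) -> str:
        """Returns 'ok', 'bad_pin' or 'wiped'."""
        self.enforce_policy(now)
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(_derive(pin, self.salt), self.verifier):
            self.failures, self.unlocked, self.last_activity = 0, True, now
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.wipe()
            return "wiped"
        return "bad_pin"

    def read(self, key: str, now: float) -> Optional[str]:
        """None means locked or wiped: prompt for the code, or re-enrol."""
        self.enforce_policy(now)
        if not self.unlocked:
            return None
        self.last_activity = now
        return self.ephi.get(key)

    def server_checkin(self, now: float, remote_wipe: bool = False) -> None:
        """Called whenever the device reaches the server; the help desk can flag a wipe."""
        if remote_wipe:
            self.wipe()
        else:
            self.last_checkin = now


def demo() -> Dict[str, object]:
    """Walk one device through the policy on a constructed timeline (no real data)."""
    t0 = 1_700_000_000.0
    v = OfflineVault.enroll("4821", t0)
    out: Dict[str, object] = {}
    out["first_unlock"] = v.unlock("4821", t0 + 1)
    v.ephi["bp"] = "128/82"              # populated by the sync layer while unlocked (placeholder)
    out["read_now"] = v.read("bp", t0 + 3)
    out["read_after_idle"] = v.read("bp", t0 + 3 + INACTIVITY_LOCK_SECONDS + 1)
    out["wrong_pin"] = v.unlock("0000", t0 + 400)
    out["unlock_again"] = v.unlock("4821", t0 + 401)
    out["failures_after_success"] = v.failures
    v.server_checkin(t0 + 3600)
    out["stale_offline"] = v.unlock("4821", t0 + 3600 + OFFLINE_WIPE_SECONDS + 1)
    out["data_gone"] = v.ephi == {}
    w = OfflineVault.enroll("1357", t0)
    out["threshold"] = [w.unlock("9999", t0 + i) for i in range(1, MAX_FAILURES + 1)]
    return out
```

Two design points worth noting: the policy runs on every operation rather than on a timer, so it holds even when the app has been suspended and the clock jumps; and the server check-in timestamp, not the user's activity, drives the 5-day wipe, so an attacker who keeps a stolen device busy offline gains nothing.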

C. Deploy and manage

Once the development team has implemented the application with the compliance measures discussed above, the next step is to assess how to deploy the application and manage it over subsequent releases and upgrades.

For applications that are not going to be used by consumers but rather by the organization's employees, we recommend rolling out using the enterprise distribution model, through which users have access to and download the recommended enterprise apps, receive them securely over the air (OTA), and are alerted to updates and download them when available. Organizations can also leverage this feature to keep an accurate inventory of the mobile apps installed at any given time and monitor them by device and user group.

While there is significant concern about application vulnerabilities, integrity and user privacy in the Apple App Store and Android Market, we believe that implementing the security measures below will strengthen compliance policies significantly.

1. Develop processes to ensure that all ePHI data sent to or received from the mobile devices is backed up regularly on the server side.
2. For enterprise-controlled apps/devices, apply over-the-air (OTA) provisioning and management of smartphones.
3. Scan the server network platform regularly for suspicious activity and malware.
4. Ensure the workforce is appropriately trained on the policies and on the use of any application that accesses ePHI data. Advise users to search for and delete any files intentionally or unintentionally saved to external devices.
5. Perform regular internal HIPAA audits whenever an application upgrade is planned to include new enhancements or bug fixes.

Conclusion

Given the trend toward adoption of different digital technologies, today's healthcare organizations face enormous compliance and regulatory challenges. As we have seen over recent years, theft of personal information has proven costly for organizations, which have lost credibility and in some cases been forced out of business.

With robust auditing required for HIPAA security compliance, IT groups can no longer ignore mobile devices in their security policy implementation. Companies looking to develop mHealth solutions should leverage their existing IT infrastructure, policies and services, and ensure that newer technologies are seamlessly integrated and add significant value to the organization by providing quality care for their patients.

Disclaimer

This white paper sets out evaluation criteria for mobile health apps related to FDA and HIPAA compliance, based on our research, analysis and understanding. Architectural assessments and/or design decisions related to the above policies should not be implemented based solely on the recommendations in this document. RapidValue shall have no liability for any direct, incidental or consequential damages suffered by any third party as a result of decisions/actions taken, or not taken, based on this document.