Patient Data Security in the US & EU


Intro

This paper discusses how to protect patient data in the US and EU/UK by overviewing the basics of HIPAA and GDPR, the differences between the two, and how medical device companies can follow them and other resources to protect patient data.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. It is governed by the Department of Health & Human Services (HHS) and is enforced by the Office for Civil Rights (OCR). The main tenets of HIPAA are the Privacy Rule, the Security Rule, and the Breach Notification Rule. This paper discusses the first two, because they are the most software-technical and the most relevant to this discussion.

What is the Privacy Rule?

The Privacy Rule requires appropriate safeguards to protect the privacy of Protected Health Information (PHI) and sets limits and conditions on the use and disclosure of data without the patient’s consent.

What is Protected Health Information?

PHI is individually identifiable information that relates to:

  • An individual’s past, present, or future physical or mental health or condition
  • The provision of health care to the individual
  • Past, present, or future payment for the provision of health care to the individual

What is the Security Rule?

The Security Rule protects a subset of the information covered by the Privacy Rule: individually identifiable health information maintained and transmitted in electronic form (e-PHI). It governs how digital security must be implemented. These are the tenets of the Security Rule:

  • Ensure confidentiality, integrity, and availability of all e-PHI created, received, maintained, or transmitted. Identifiers (discussed below) are HIPAA-protected e-PHI.
  • Identify and protect against reasonably anticipated threats to the security of the data.
  • Prevent reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance in the workforce.

The following are Technical Safeguards to secure data according to the Security Rule:

  • Access Controls
  • Audit Controls - Log everything, and pull up those logs to see who does what with the data.
  • Integrity Controls - Maintain data integrity by knowing where it starts, where it’s stored, and how it’s used.
  • Transmission Security

What is an Identifier?

An identifier is anything that can trace data back to a person. Identifiers include:

  • Names
  • Addresses - Geographic subdivisions smaller than a State
  • Telephone/Fax Numbers
  • Emails
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Vehicle identifiers, serial numbers, license plate numbers
  • URLs/IP addresses
  • Biometric identifiers (finger and voice prints, retinal scans, EKGs)
  • Photographs
  • Any other identifying numbers, characteristics, or codes

There are no restrictions on the use of de-identified health information. If the data is completely anonymized, it can be used however one likes under HIPAA.
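The identifier list above is what a de-identification step has to strip before data can be treated as unrestricted. The following is an added example (not code from the paper or from Promenade Software) of such a step in Python: it drops the structured fields that carry the listed identifiers, keeps geography only at state level, scrubs identifier-shaped strings (SSNs, phone numbers, emails, IPs, URLs) out of free-text notes, and then re-checks the result so a record that still leaks can be caught before release. The field names, the regexes and the sample record are all assumptions constructed for this example.

```python
from __future__ import annotations

import re
from typing import Any

# Structured fields that carry the HIPAA identifiers listed above.
# The field names are a hypothetical record schema assumed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "vehicle_id", "license_plate",
    "url", "ip_address", "biometric", "photo",
}

# Identifier shapes that tend to hide inside free-text clinical notes.
# Applied in this order; each match is replaced by a tagged placeholder.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-looking substrings; return the cleaned text and what was found."""
    found: list[str] = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[REDACTED-{label.upper()}]", text)
    return text, found


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifier fields (state-level geography is kept) and scrub free text."""
    cleaned: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            value, _ = scrub_text(value)
        cleaned[key] = value
    return cleaned


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Verification pass: list every identifier that is still present in a record."""
    leaks = [key for key in record if key in DIRECT_IDENTIFIER_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            _, found = scrub_text(value)
            leaks.extend(f"{key}:{label}" for label in found)
    return leaks


# Constructed sample record (fictional patient) used to exercise the functions.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "62704",
    "phone": "555-123-4567", "email": "jane.doe@example.org", "ssn": "123-45-6789",
    "mrn": "MRN-00042",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt called from 555-123-4567; follow up at jane.doe@example.org. "
            "Portal login from 10.0.0.12.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

The second pass matters more than the first: a de-identification pipeline should fail closed, refusing to release any record for which `residual_identifiers` is non-empty, rather than trusting that the scrub was complete.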

How else does the United States govern patient data security?

HIPAA is not cybersecurity-specific, so there are some supplements. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 expanded responsibilities of business associates by making them directly liable for their own HIPAA compliance. There is also the FDA Cybersecurity draft guidance, the most recent of which was issued in April 2022. Since the FDA does not deal directly with medical privacy, it does not enforce HIPAA directly. But both HIPAA and the FDA refer to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, so there is some overlap.

GDPR

The General Data Protection Regulation (GDPR) covers health information (as a subset of personal data) in the EU and UK. Enforced by the European Data Protection Board, its focus is on privacy in general, with health naturally falling under its umbrella.

The GDPR applies if:

  • A company processes personal data and is based in the EU or UK, regardless of where the actual data processing takes place.
  • A company processes personal data for people in the EU, regardless of where the actual data processing takes place.
  • A company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU.

What are the Key Principles of the GDPR?

The following are the key principles of the GDPR:

  • Lawfulness, transparency, and fairness
  • Purpose limitation (What you collect has to be for the purpose you declare.)
  • Data minimization
  • Data accuracy
  • Storage limitation (Don’t keep data around forever.)
  • Integrity and confidentiality
  • Accountability (Whoever is managing the data is accountable for protecting the data.)

How else does the EU govern patient data security?

The European Union Medical Device Regulation (EU MDR) identifies and sets standards for medical devices that are produced in or supplied to countries in the EU. The In Vitro Diagnostics Regulation (IVDR) applies specifically to in vitro diagnostic medical devices manufactured and sold in the EU. The Medical Device Coordination Group (MDCG) released its Guidance on Cybersecurity in 2019; it references the standards ISO/IEC 27001 and IEC 60601-4-5.

How is GDPR different from HIPAA?

Sharing Data

Unlike with HIPAA, there is no free pass for de-identified data. With the GDPR, it is forbidden to share ANY health and genetic data unless:

  • A patient gives explicit and unambiguous consent.
  • It is in the patients’ vital interest (ex: medical emergency).
  • It is for healthcare purposes (ex: specialist notifies general practitioner).
  • It is in the interest of public health (ex: protecting the population in a pandemic, or ensuring high quality standards and safeguards for medicinal products or medical devices).

Patient Rights

Patients have the following rights under GDPR (source: European Patients Forum):

  • The right to object to processing their data, even if processing it is in the public interest or legitimate purpose of the controller
  • The right to rectification of data in the case of inaccurate data (ex. in medical record) or an incomplete record
  • The right to erasure (right to be forgotten)
  • Note: This makes navigating data backups a bit tricky. According to CNIL (Commission Nationale de l'Informatique et des Libertés, the French Data Protection Authority), one does not need to delete a whole backup set in order to remove an individual from it. A solution may be to create or amend data retention policies, or to devise a way to remove an individual from backups (ex: separate the backups by patient, or delete that patient’s encryption key).
  • The right to transparency: to be informed of the purpose of the processing and of the identity of the person processing the data
  • Exemptions to patient rights in research (ex: blind trial)
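The backup note above suggests deleting an individual's encryption key as a way to honour erasure without rewriting every backup set. This added example (my illustration, not code from the paper or from Promenade Software) shows that pattern, often called crypto-shredding, in Python: every patient's record is encrypted under its own data key, backups hold only ciphertext, and erasing a patient deletes the key, so old backups remain intact and usable for everyone else while that patient's data becomes unrecoverable. To stay dependency-free the cipher is a stand-in built from HMAC-SHA256 (a counter-mode keystream plus an HMAC tag); a real system would use AES-GCM from a vetted library and keep the keys in a KMS or HSM. The store, the key handling and the sample records are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Illustrative stand-in for AES-GCM, not a
    production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class PatientStore:
    """One data key per patient. Records and backups hold ciphertext only, so deleting a
    patient's key renders every copy of that patient's data unreadable."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}      # key store; a KMS/HSM in a real deployment
        self.records: dict[str, bytes] = {}   # primary storage, ciphertext only

    def put(self, patient_id: str, record: dict) -> None:
        key = self.keys.setdefault(patient_id, os.urandom(32))
        self.records[patient_id] = encrypt(key, json.dumps(record).encode())

    def get(self, patient_id: str, blob: bytes | None = None) -> dict:
        """Decrypt the live record, or a backup blob if one is supplied."""
        key = self.keys.get(patient_id)
        if key is None:
            raise KeyError(f"no data key for {patient_id}: record has been erased")
        return json.loads(decrypt(key, blob if blob is not None else self.records[patient_id]))

    def backup(self) -> dict[str, bytes]:
        """Snapshot of ciphertext only; keys are deliberately not part of the backup."""
        return dict(self.records)

    def erase(self, patient_id: str) -> None:
        """Right-to-erasure: drop the live record and shred the key. Existing backups are
        left untouched but can never again be decrypted for this patient."""
        self.records.pop(patient_id, None)
        self.keys.pop(patient_id, None)

    def restore_readable(self, backup: dict[str, bytes]) -> dict[str, dict]:
        """Restore from a backup, silently skipping patients whose key no longer exists."""
        restored: dict[str, dict] = {}
        for patient_id, blob in backup.items():
            try:
                restored[patient_id] = self.get(patient_id, blob)
            except KeyError:
                continue
        return restored


if __name__ == "__main__":
    store = PatientStore()
    store.put("p1", {"dx": "asthma"})        # constructed sample records
    store.put("p2", {"dx": "migraine"})
    snapshot = store.backup()
    store.erase("p1")
    print(store.restore_readable(snapshot))  # only p2 comes back
```

The retention policy still has to say how long the keys themselves are kept, and the key store needs the same backup discipline as the data: losing keys by accident erases patients just as effectively as deleting them on purpose.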

Moving Data

Adequacy is a standard decided by the EU Commission that measures how closely a country’s level of data protection matches the EU’s; the map referenced below shows each country’s adequacy status. In order for a company in the EU to transfer data to a country that is not deemed adequate, it must adhere to a set of data protection policies called Binding Corporate Rules. Note that the US is not deemed adequate. Thus, the Privacy Shield is an agreement between the US and the EU that allows US companies to apply and prove that they adequately protect the data.

[Map: adequacy status by country (interactive map not reproduced)]

How to Secure Patient Data

What are some practical ways to respond to these guidelines and effectively protect patient data?

Implement Access Control

  • Authenticate users and devices - Use strong passwords and MFA (Multi-Factor Authentication) for privileged access.
  • Assign roles - Apply the principle of least privilege (in a given role, one only sees what that role needs to see) and separation of duties (distinct roles such as users, administrators and technicians, with stronger authentication required for the more privileged roles).
  • Keep audit records - Be able to tell who did what.
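The three bullets above (authenticate, assign roles with least privilege, keep audit records) fit together in a single enforcement point. The following is an added example in Python (my illustration, not code from the paper or from Promenade Software) of such a point: role-to-permission mapping that denies by default, an MFA requirement for the privileged role, and an audit record written for every decision, allowed or denied, so that "who did what" can be answered later. The role names, permissions and sample sessions are assumptions constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> permitted actions. Anything not listed is denied (least privilege).
# These roles are hypothetical, chosen for the example.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "clinician": {"read_record", "write_note"},
    "billing": {"read_billing"},
    "technician": {"read_device_logs"},
    "admin": {"manage_users"},
}

# Roles considered privileged: a session must have completed MFA to use them.
MFA_REQUIRED_ROLES = {"admin"}


@dataclass
class Session:
    user: str
    roles: set[str]
    mfa_verified: bool = False


@dataclass
class AuditEvent:
    timestamp: datetime
    user: str
    action: str
    resource: str
    outcome: str


class AccessController:
    def __init__(self) -> None:
        self.audit_log: list[AuditEvent] = []

    def authorize(self, session: Session, action: str, resource: str) -> bool:
        """Decide whether the session may perform action on resource; log the decision."""
        granting_roles = {r for r in session.roles if action in ROLE_PERMISSIONS.get(r, set())}
        if not granting_roles:
            outcome = "denied:no-permission"
        elif granting_roles & MFA_REQUIRED_ROLES and not session.mfa_verified:
            outcome = "denied:mfa-required"
        else:
            outcome = "allowed"
        # Denied attempts are recorded too: they are the events an investigation needs most.
        self.audit_log.append(
            AuditEvent(datetime.now(timezone.utc), session.user, action, resource, outcome)
        )
        return outcome == "allowed"

    def who_touched(self, resource: str) -> list[tuple[str, str, str]]:
        """Answer 'who did what' for one resource from the audit trail."""
        return [(e.user, e.action, e.outcome) for e in self.audit_log if e.resource == resource]


if __name__ == "__main__":
    ac = AccessController()
    # Constructed sample sessions.
    ac.authorize(Session("dr_lee", {"clinician"}), "read_record", "patient/42")
    ac.authorize(Session("pat_billing", {"billing"}), "read_record", "patient/42")
    ac.authorize(Session("root", {"admin"}), "manage_users", "users")
    ac.authorize(Session("root", {"admin"}, mfa_verified=True), "manage_users", "users")
    for event in ac.audit_log:
        print(event)
```

Keeping the audit write inside `authorize` (rather than asking each caller to remember it) is what makes the log complete; a forgotten call site would otherwise be an unlogged path to e-PHI.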

Ensure Data Security

  • Protect data at rest with methods like strong encryption with securely managed keys.
  • Protect data in transit using Transport Layer Security (TLS) and, for Bluetooth Low Energy (BLE), security level 3 or 4.
  • Protect against data leaks with methods like siloing data with encryption or by network or account.
  • Check integrity by authenticating the source and target (ex. code and data signatures).

Perform Continuous Security Monitoring and Intrusion Prevention

  • Use available tools to detect and prevent intrusion, such as a network firewall and an application firewall.
  • Monitor networks for potential cybersecurity events.
  • Establish alert thresholds.
  • Scan national databases for known vulnerabilities and apply appropriate patches and upgrades.

Create and Follow Compliant Processes and Procedures

  • Maintain processes and procedures to manage protection of data.
  • Implement breach detection and response activities and processes.
  • Implement data recovery procedures.
  • Get certified. It’s not just for marketing; it is invaluably helpful and informative.

Address Web Application Security Risks

A great cybersecurity resource is the Open Web Application Security Project (OWASP). They are not medical device specific, but they release their Top 10 Web Application Security Risks every few years with examples and ways to fix the problems.

OWASP 2021 Top 10 Web Application Security Risks:

  1. Broken Access Control
  2. Cryptographic Failure
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-side Request Forgery

Address Mobile App Security

OWASP also provides information on how to protect mobile apps through its Mobile Application Security (MAS) project. The following are protections for mobile apps:

  • In-app rooted/jailbreak detection
  • Code tampering protection
  • Code obfuscation
  • Data encryption
  • Secure BLE communications (They can’t just be encrypted - they must be secure.)

Conclusion – Handling Patient Data

To protect patient data, it must be secured and encrypted with established risk management processes, continual monitoring for and resolution of known vulnerabilities, and awareness of responsibilities under privacy regulations.

CEO of Promenade Software Frances Cohen
Frances is President of Promenade Software and a leading expert on Software for Medical Devices.
frances@promenadesoftware.com
https://www.linkedin.com/in/francescohen
About Promenade Software

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485, and CypherMed Cloud is SOC2 Type II certified.

© 2022 Promenade Software, Inc.