Monday, May 8, 2017

EC Event - 2017 Counterintelligence Symposium

On April 26th, 2017, the Sonoran Chapter of the Society of Industrial Security Professionals held the Counterintelligence Symposium at the downtown Tucson Fire Station.  A variety of state and federal agents attended, representing agencies including the FBI and the Bureau of Industry & Security (BIS).  Speakers discussed topics in information security, industrial security and intellectual property (IP).

Special Agent Huerta from the BIS' Phoenix field office went into great depth on case studies and 'red flags' concerning the US Department of Commerce Office of Export Enforcement (OEE).  This was an important presentation because he discussed the regulations designed to prevent American exports from being used in efforts to compromise US national security.  The OEE targets WMD development, terrorist groups and unauthorized military end-use.  When American corporations do not adhere to the OEE's export regulations, their technologies and information systems become vulnerable to these third parties.

OEE agents collaborate with the private sector to foster compliance.  This is important in preventing security and information breaches.  For example, triggered spark gaps, which an American company produces to test for kidney stones in a medical setting, were illegally exported to South Africa, where they do not require a license.  These spark gaps were then transported to Pakistan, where they were used as detonators for WMDs.  If this company had followed the BIS' protocol, this issue would never have occurred, and this is why BIS enforcement is important.  We do not want American parts being used in foreign nuclear weapon development.  This was only one of 47 administrative cases conducted by the BIS in 2017.

In the end, the symposium emphasized the importance of security professionals doing their 'due diligence' in applying OEE regulations to their company's export operations.  Although the BIS' federal funding was cut by 15% since last year, the department's role in maintaining national security is becoming increasingly important with the advancement of information systems and technologies.


Final Blog Post

Introduction

Our project’s main purpose is to address the question: How can new, mHealth-specific HIPAA regulations improve the overall care experience, including quality, access and reliability?  Our research focused on mobile devices, electronic health records (EHRs), wearable devices and data collected from wearable devices.  The research analyzes these four fields to determine appropriate HIPAA regulations that both improve the patient experience and address various ethical concerns.  Important areas of research included HIPAA Title II rules, data compromise and compliant standardization.

We hope to learn what components need to be considered when establishing regulations that ensure privacy, security, compliance and consistency among health data.  To answer this, we begin by identifying key players, potential areas of development for mobile health technology, and current issues followed by the necessary requirements and how to implement them.  

Summary

mHealth Industry Overview
As a growing industry, mHealth encompasses mobile medical applications and programs developed for both patients and providers.  In order to establish proper HIPAA standards, policymakers need to understand the differing roles played by federal and state departments.  Mark Silberman and Lisa Clark explain the political context surrounding the industry.  Medical devices, as well as certain mobile applications, need to be FDA-approved.  However, this rigorous approval process does not extend to a variety of medical devices and apps, including wearable technology, fitness apps, etc.  The inconsistency of privacy laws and funding from state to state presents a number of ‘holes’ in mobile health regulations.

Potential for mHealth
According to a report published by Research2Guidance, 80% of doctors are currently using their mobile devices and tablets for mHealth applications.  Additionally, the Pew Research Center found that 62% of smartphone owners use their mobile devices to look up information about a health condition.  Market data makes it evident that there is a growing demand for regulatory action.

Current Issue
The current issue with mHealth technologies is the growing number of health-related applications that are not regulated.  The NCBI released a study that found most health apps use unsecured internet communications and third-party servers, practices that do not comply with HIPAA.  This is problematic because these mHealth apps process large amounts of personal health data.  As the demand for these products continues to grow, so does the demand for standards.

Privacy & Security Requirements
On the slides, we briefly discussed the dangers of trust issues concerning breaches and surveillance. To break it down even further, there are seven major concerns for mHealth:
  1. Surveillance - observing and collecting information from an individual through either overt or secret means
  2. Insecurity - problem related to the way information is protected
  3. Identification - the connecting of information to individuals
  4. Secondary use - the use of information for a purpose not known and unauthorized by the provider of information
  5. Exclusion - the problem of preventing individuals from accessing/changing information maintained by government agencies and businesses.
  6. Aggregation - compiling small bits of information to reveal a portrait bigger than original parts
  7. Disclosure - the public release of sensitive information

All seven major security concerns regarding mHealth are driven by the ever-evolving technology of mobile phones and information-processing wearables.  The current legal framework in which developers are creating hundreds of mHealth applications is just a patchwork of hastily written federal and state laws, mostly passed in response to individual cases.  Although HIPAA and Obama’s HITECH Act have both been passed, neither has proven sufficient to address patients’ concerns about the security and health of their data.
*** This link directs to the PDF of the primary policy analysis our research was based on.

How to address it
To improve the overall care experience, including quality, access and reliability, the only way is through specific mHealth regulations.  Currently, there are no politicians with any written platforms in favor of HIPAA reform.  This was one of the more shocking realizations we encountered during the research period, especially in light of the Snowden whistleblowing.  We both thought the legal gaps in the privacy and security of Protected Health Information would be a major concern for patients nationwide.  There are advocacy groups, such as the Patient Privacy Rights Foundation (https://patientprivacyrights.org/), who advocate for HIPAA reform in the mHealth sector as well as in privacy and security more broadly.

Future of mHealth Regulations & Policy

The future of mHealth regulations & policy looks very bleak. As stated earlier, no current congressman or legislator has any written platform in favor of HIPAA reform. The Department of Health and Human Services is the agency responsible for the enforcement of HIPAA violations. This past March, President Trump outlined his first budget blueprint where he plans an HHS budget cut of $15.1 billion.

This is nearly an 18% cut to an already underfunded department.  Even with HHS’ current funding, the Inspector General published a report in November 2013 titled “The Office for Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act.”  This report found that HHS had not established priorities or implemented controls for its HITECH requirement to provide periodic audits of covered entities to ensure their compliance with the Security Rule requirements.  Since the Department of Health and Human Services is most likely losing funding in the next three years, patients are going to be forced to rely on consumer protection laws as the primary means of enforcing privacy protections for mobile apps.  Consumer protection laws do not offer any standardization for mHealth-specific applications, and so cannot ensure easy access to EHRs.  The best we can do is lobby and support advocacy groups such as the Patient Privacy Rights Foundation.

Wednesday, April 26, 2017

Scary news for HIPAA enforcement

http://www.latimes.com/politics/washington/la-na-essential-washington-updates-trump-budget-envisions-big-cuts-for-1489664310-htmlstory.html

Tuesday, April 18, 2017

2017 Counterintelligence Symposium

Found this cool event about information security and privacy.  This should provide a lot of contextual research regarding the security implications in mobile healthcare policies and standards.


Monday, April 10, 2017

Research Proposal II

Statement of investigation

Our research seeks to prove that new, mHealth-specific HIPAA regulations can improve the overall care experience including quality, access and reliability.


Readings on research topics

Helm, Anne Marie, and Daniel Georgatos. "Privacy and mHealth: How Mobile Health 'Apps' Fit into a Privacy Framework Not Limited to HIPAA." (2014).
This research paper from the University of California Hastings School of Law examines how the privacy problems relevant to mHealth have been and continue to be addressed.  The federal health privacy statute is central to the mHealth privacy analysis, but this article highlights a legal landscape consisting of gaps in privacy protections, some health-sector-specific and some not.  This research paper offers privacy analysis on a wide variety of mobile health technologies while also offering commentary on what the future holds for mHealth’s privacy law protections.  This paper will be critical to our examination of the need for evolving HIPAA laws to accommodate new technologies in the field of mHealth.

Luxton, David D., Robert A. Kayl, and Matthew C. Mishkind. "mHealth data security: The need for HIPAA-compliant standardization." Telemedicine and e-Health 18.4 (2012): 284-288.
This research paper deals with the new concerns for data security and integrity for medical devices and the networks that enable their use.  The authors make a case for the need for standardized HIPAA regulations in compliance with electronic data security.  The lack of standardized data security regulations presents a barrier to patient care and accessibility.  This article will provide us with the necessary research to make a case for better medical record accessibility through the standardization of HIPAA regulations.

He, Dongjing, et al. "Security concerns in Android mHealth apps." AMIA Annual Symposium Proceedings. Vol. 2014. American Medical Informatics Association, 2014.
Many Android and iOS applications related to mHealth lie outside of HIPAA regulatory protections.  An increasing number of applications are handling sensitive data for both medical professionals and patients.  This research paper focuses on three different studies of mHealth applications in the Google Play store to show the widespread use of unsecured Internet communications and third-party servers in the mHealth field.  This paper focuses more on what the tech companies need to do to fix their applications than on a critique of the HIPAA laws in place.  This research will give us a differing perspective on what tech companies need to do to make sure the bare minimum is met, while also showing compliance gaps in current mHealth applications.

Avancha, S., Baxi, A., & Kotz, D. (2012). Privacy in mobile technology for personal healthcare. ACM Computing Surveys (CSUR), 45(1), 3.
This article examined privacy requirements for mobile healthcare technologies, the privacy framework for mHealth systems, necessary privacy properties, and supportive technologies for these systems.  Privacy-related threats within the mHealth system can be categorized into three main groups: misuse of patient identities (identity threat), unauthorized access to PHI/PHR (access threat), and unauthorized disclosure of PII/PHI (disclosure threat).  However, authentication technologies can be used to combat some of these issues.  For example, a simple two-step username/password verification process can reduce the probability of an access or disclosure threat.  This is just one example; there are many factors to consider when combating security issues, and this report examines them in depth.

Estrin, D., & Sim, I. (2010). Open mHealth architecture: an engine for healthcare innovation. Science, 330(6005), 759-760.
The article discusses an approach involving the integration of mobile devices and internet data, known as mHealth.  mHealth applications have the potential to improve disease prevention but also lack a proper structure.  There are several potential solutions for mHealth to improve its model.  Open-architecture mHealth apps combined with an update mechanism can lead to advancements in clinical care and research innovation.

Silberman, M. J., & Clark, L. (2012). M-health: the union of technology and healthcare regulations. The Journal of medical practice management: MPM, 28(2), 118.
Mobile Health (mHealth) refers to the application of mobile devices for health monitoring purposes.  This article examines the increasing prevalence of mHealth technologies as well as the increasing potential for government regulation.  To better understand the relationship between mHealth development and government regulation, the article examines the state role versus the federal role.

Prasad, A., & Kotz, D. (2010, August). Can I access your data? Privacy management in mHealth. In Proceedings of the USENIX Workshop on Health Security and Privacy.
Security among mHealth devices and mechanisms is a high-priority concern for mobile health application development.  An efficient framework is necessary for managing the input of data from wearable technologies.  However, there are several challenges, including when to collect data, what data is appropriate for doctors versus patients, and standards for usability requirements.  In order for patients to support mHealth technologies, they need to be reassured of their privacy through a user-friendly and effective interface.


Questions, interviews and surveys

To gather evidence supporting our thesis, our interviewing phase will consist of both patient feedback and provider feedback.  By examining patient feedback, we can determine specific requirements and features that need to be taken into consideration when developing solutions.  By examining provider feedback, we can gain a more thorough understanding of the potential for mHealth to improve patient monitoring.  Patient-related feedback will be gathered through focus groups and surveys that examine how patients feel about mHealth privacy and security standards.  Provider-related feedback will be gathered by conducting interviews with individuals who work within the industry.  Potential interviewees include a health-insurance provider, a clinical nurse, a data analyst and a healthcare executive.  To ensure an accurate collection of data, surveys will seek more specific responses while interview questions will seek more open-ended responses.

Example survey questions for patients:
  1. Rate on a scale of 1 to 10 what you think your chance of having your health data compromised is, with 1 being the lowest chance and 10 being the highest chance.
  2. Rate on a scale of 1 to 10 how comfortable you feel with your health data being wirelessly transferred to third parties via a mobile device, with 1 being the least comfortable and 10 being the most comfortable.
  3. Rate on a scale of 1 to 10, with full knowledge of mHealth’s benefits, how interested you would be in purchasing wearable technology, with 1 being the least interested and 10 being the most interested.
  4. Rate on a scale of 1 to 10 how likely you would be to engage with mHealth applications if you discovered that a third party had gained access to your health data, with 1 being the least likely and 10 being the most likely.
  5. Rate on a scale of 1 to 10 how important privacy and security are to you in regards to mHealth technologies, with 1 being the least important and 10 being the most important.
  6. Have you or anyone you know been the victim of data hacking (i.e. identity fraud, credit card fraud, internet viruses, etc.)?
  7. Do you believe that your doctor should have full discretion, restricted access, or no access to health data obtained from wearable technologies?
  8. Do you think that HIPAA and mHealth regulations should be decided on a federal level or a state level?
  9. Do you think current HIPAA regulations adequately maintain the security and privacy of individual medical data?

Interview questions for providers:
  1. What do you believe is the most important component to address when designing and implementing standards and regulations?
  2. Do you believe that standardization of HIPAA regulations will lead to improved medical record accessibility?
  3. What privacy properties need to be considered when developing supportive applications?
  4. Do you agree that an open-architecture design is the most efficient design approach for mobile health applications?
  5. Rate on a scale of 1 to 10 how important a user-centric design is for mHealth applications, with 1 being the least important and 10 being the most important.
  6. Rate on a scale of 1 to 10 how important usability standards are to the success of an mHealth-based application, with 1 being the least important and 10 being the most important.
  7. Do you think current HIPAA regulations adequately maintain the security and privacy of individual medical data?


Professionals and experts

Below is a list of professionals from within the industry whom we hope to interview, and why they can be beneficial to our research:

  • Suzanne Keye: Health insurance provider with more than 20 years of experience
    • Provide insight into state and federal regulations on healthcare

  • Paula Rutt: a clinical nurse with more than 15 years of experience
    • Provide insight regarding the real-world application of mHealth mechanisms in a clinical setting

  • Eric McCune: Principal Application Systems Analyst & Developer for CESL
    • Provide insight regarding effective data architectures

  • Martha Brumfield: CEO & President of C-Path
    • Provide insight into the modern challenges for healthcare analytics and
Sunday, April 9, 2017

mHealth and HIPAA Compliance

Overview
After switching topics for the second time, we have finally settled on researching privacy in the age of mobile health.  The field of mHealth includes technology ranging from a Fitbit to a physician’s medical device application.  Since this technology is used by physicians and other healthcare professionals, it is legally required to follow all health-specific laws and regulations.  The Health Insurance Portability and Accountability Act of 1996, widely known as HIPAA, was signed into law by President Clinton and requires standards for processing electronic healthcare transactions as well as privacy compliance regulations.  For the most part, mHealth compliance primarily concerns whether or not an application meets HIPAA requirements.  We want to research the overall effects mHealth has on HIPAA and vice versa.

Research Questions:
What are the ethical implications behind privacy regulations in HIPAA?
Can the overall health of a population be improved through standardized HIPAA requirements?
As technology rapidly evolves, will HIPAA be forced to evolve as well?