Monday, May 8, 2017

EC Event - 2017 Counterintelligence Symposium

On April 26th, 2017, the Sonoran Chapter of the Society of Industrial Security Professionals held the Counterintelligence Symposium at the downtown Tucson Fire Station. A variety of state and federal agents attended, representing agencies including the FBI and the Bureau of Industry & Security (BIS). Speakers discussed a range of topics regarding information security, industrial security and intellectual property (IP).

Special Agent Huerta from the BIS' Phoenix field office went into great depth on case studies and 'red flags' concerning the US Department of Commerce Office of Export Enforcement (OEE). This was an important presentation because he discussed the regulations designed to prevent American exports from being used in efforts to compromise US national security. The OEE targets WMD development, terrorist groups and unauthorized military end-use. When American corporations do not adhere to the OEE's export regulations, their technologies and information systems become vulnerable to these third parties.

OEE agents collaborate with the private sector to foster compliance, which is important in preventing security and information breaches. For example, triggered spark gaps produced by an American company to test for kidney stones in a medical setting were illegally exported to South Africa because they do not require a license. These spark gaps were then transported to Pakistan, where they were used as detonators for WMDs. If this company had followed the BIS' protocol, this issue would never have occurred, and this is why BIS enforcement is important: we do not want American parts being used in foreign nuclear weapon development. This was only one of 47 administrative cases conducted by the BIS in 2017.

In the end, the symposium emphasized the importance of security professionals doing their 'due diligence' in applying OEE regulations to their company's export operations. Although the BIS' federal funding has been cut by 15% since last year, the department's role in maintaining national security is becoming increasingly important with the advancement of information systems and technologies.


Final Blog Post

Introduction

Our project's main purpose is to address the question: How can new, mHealth-specific HIPAA regulations improve the overall care experience, including quality, access and reliability? Our research focused on mobile devices, electronic health records (EHRs), wearable devices and the data collected from wearable devices. The research analyzes these four fields to determine appropriate HIPAA regulations that both improve the patient experience and address various ethical concerns. Important areas of research included the HIPAA Title II rules, data compromise and compliance standardization.

We hope to learn what components need to be considered when establishing regulations that ensure privacy, security, compliance and consistency for health data. To answer this, we begin by identifying the key players, potential areas of development for mobile health technology, and current issues, followed by the necessary requirements and how to implement them.

Summary

mHealth Industry Overview
As a growing industry, mHealth encompasses mobile medical applications and programs developed for both patients and providers. In order to establish proper HIPAA standards, policymakers need to understand the differing roles played by federal and state departments. Mark Silberman and Lisa Clark explain the political context surrounding the industry. Medical devices, as well as certain mobile applications, need to be FDA-approved. However, this rigorous approval process does not extend to a variety of medical devices and apps, including wearable technology and fitness apps. The inconsistency of privacy laws and funding from state to state presents a number of 'holes' in mobile health regulations.

Potential for mHealth
According to a report published by Research2Guidance, 80% of doctors are currently using their mobile devices and tablets for mHealth applications. Additionally, the Pew Research Center found that 62% of smartphone owners use their mobile devices to look up information about a health condition. Market data makes it evident that there is a growing demand for regulatory action.

Current Issue
The current issue with mHealth technologies is the growing number of health-related applications that are not regulated. The NCBI released a study that found most health apps use unsecured internet communications and third-party servers, practices that do not comply with HIPAA. This is problematic because these mHealth apps process large amounts of personal health data. As the demand for these products continues to grow, so does the demand for standards.

Privacy & Security Requirements
On the slides, we briefly discussed the dangers of trust issues concerning breaches and surveillance. To break it down even further, there are seven major concerns for mHealth:
  1. Surveillance - observing and collecting information from an individual through either overt or secret means
  2. Insecurity - problem related to the way information is protected
  3. Identification - the connecting of information to individuals
  4. Secondary use - the use of information for a purpose not known to, and not authorized by, the provider of the information
  5. Exclusion - the problem of preventing individuals from accessing/changing information maintained by government agencies and businesses
  6. Aggregation - compiling small bits of information to reveal a portrait bigger than original parts
  7. Disclosure - the public release of sensitive information

All seven major security concerns regarding mHealth are driven by the ever-evolving technology of mobile phones and information-processing wearables. The current legal framework in which developers are creating hundreds of mHealth applications is just a patchwork of hastily written federal and state laws, mostly passed in response to individual cases. Although both HIPAA and Obama's HITECH Act have been passed, neither has proven sufficient to address patients' concerns about the security and health of their data.
***This link directs to the pdf of the primary policy analysis our research was based on

How to address it
To improve the overall care experience, including quality, access and reliability, the only way is through specific mHealth regulations. Currently, there are no politicians with any written platform in favor of HIPAA reform. This was one of the more shocking realizations we encountered during the research period, especially in light of the Snowden whistleblowing. We both thought the legal gaps in the privacy and security of Protected Health Information would be a major concern for patients nationwide. There are advocacy groups such as the Patient Privacy Rights Foundation (https://patientprivacyrights.org/) that advocate for HIPAA reform in the mHealth sector as well as in privacy and security more broadly.

Future of mHealth Regulations & Policy

The future of mHealth regulations & policy looks very bleak. As stated earlier, no current congressman or legislator has any written platform in favor of HIPAA reform. The Department of Health and Human Services (HHS) is the agency responsible for the enforcement of HIPAA violations. This past March, President Trump outlined his first budget blueprint, in which he plans an HHS budget cut of $15.1 billion.

This is nearly an 18% cut to an already underfunded department. Even with HHS' current funding, the Inspector General published a report in November 2013 titled "The Office for Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act." This report found that HHS had not established priorities or implemented controls for its HITECH requirement to provide periodic audits of covered entities to ensure their compliance with the Security Rule requirements. Since the Department of Health and Human Services is most likely losing funding in the next three years, patients are going to be forced to rely on consumer protection laws as the primary means of enforcing privacy protections for mobile apps. Consumer protection laws offer no mHealth-specific standardization and cannot ensure easy access to EHRs. The best we can do is lobby and support advocacy groups such as the Patient Privacy Rights Foundation.