mHIMSS Roadmap 6

Upload: steveepstein

Post on 04-Apr-2018


7/30/2019 mHIMSS Roadmap 6

6-01 mHIMSS Roadmap

Roadmap sections: New Care Models, Standards and Interoperability, ROI, Payment, Technology, Legal and Policy, Privacy and Security.


Privacy and Security

Contents

Introduction 6-02
Overview of Current State 6-02
Medical Device Regulations 6-04
Telehealth 6-04
Health and Wellness Services / Applications 6-05
Bring Your Own Device (BYOD) 6-05
Benchmarking and Potential Goals for Privacy and Security 6-06
Future or Proposed State of Privacy and Security for mHealth 6-06
Current State of Organizational Readiness 6-07
Use Cases, Emerging and Best Practices 6-07
Medical Apps: Definition 6-08
Consumer Sites 6-09
Patient-reported Data: The Integration of Consumer Data into EMR 6-09
Medical Devices 6-09
Telehealth and Monitoring 6-10
Policy Challenges 6-10
Breach Reporting 6-11
Legal Policies and Regulations 6-11
Best Practices/Resources 6-12
mHIMSS Privacy and Security Best Practices 6-12
Other Resources for Best Practices 6-13
Policy, Mandates, and Regulations 6-13
Proposed Future State 6-14
Strategies, Priorities, and Recommendations for Action 6-14
Future Considerations 6-15
Risks and Mitigation Strategies 6-15
Measuring & Benchmarking 6-15
Authors 6-16
References 6-16

6-02 mHIMSS Roadmap


Introduction

Privacy and security are the backbone of trust in healthcare. The mHIMSS Roadmap goal is to provide resources to help healthcare organizations and vendors protect patients' privacy and enable a secure environment.

Mobile health (mHealth) data presents a greater challenge to maintain security; however, it must still comply with HIPAA mandates, Food and Drug Administration (FDA) regulations, Office of Civil Rights (OCR) enforcements, and requirements from other governing agencies, as does the non-mobile health sector. Privacy and security in a mobile environment are, by nature, more of a challenge than data stored behind firewalls and concrete. However, many of the same rules apply to mHealth as in the enterprise environment. We need to remember that the only difference for a personal computer (PC), enterprise server, and a smartphone is size. For the majority of the breaches that are reported today, the thief just carried the equipment out the door or nabbed the device from a car seat. Size plays very little role in protecting the data.

Privacy and security in healthcare involve a process that must be navigated to reach our destination of protecting the patient, providers, organizations, and vendors. The navigation process is complex and ever changing because of outside influences, such as legislation, politics, crime, and technology. The mHIMSS Roadmap is our navigation tool of goals and the pathway of our organization.

Topics covered in this section of the Roadmap include:
• Impact of Medical Device Regulations
• Bring Your Own Device Concerns
• Benchmarking and Potential Goals
• Patient Reported Data
• Breach Notifications

Overview of Current State

The terms mobile and wireless are used interchangeably when referring to devices, even though their formal definitions are different. Mobile refers to the ability to provide untethered functionality. A mobile device is anything that can be used on the move and unwired, ranging from WIFI-enabled laptops and mobile phones, to wireless devices that can communicate via Federal Communications Commission (FCC)-allocated frequency. If the location of the connected device is not fixed, it is considered mobile.

When voice and data are transmitted over radio waves it is considered wireless. A mobile device in fixed locations can access the wireless network. That is, a physical connection to the network is not required for connectivity. Wireless devices include anything that uses a wireless network to either send or receive data. Wireless is a subset of mobile, but in many cases, an application can be mobile without being wireless. The FCC mHealth Task Force recently defined mHealth: "mHealth traditionally stands for mobile health. This Task Force adopted the term more broadly to refer to mobile health, wireless health, and e-care technologies that improve patient care and the efficiency of healthcare delivery."[1]

Mobile smartphone apps (applications) provide many functions that require security and privacy (for example, mobile banking, password storage, personal health records [PHRs], and mobile payments). Legislation, such as the Sarbanes-Oxley Act, governs corporate security and privacy. The Payment Card Industry Data Security Standard (PCI DSS) provides guidelines for the credit card industry. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health

6-03 mHIMSS Roadmap


Act (HITECH) provide the governance over healthcare privacy and security. These laws and guidelines cross the boundaries of healthcare and impact compliance responsibility.

As mobile technology emerges in healthcare, it brings significant changes in healthcare delivery, increased engagement of patients, and the financial efficiencies of healthcare.[2] Mobile technology can give providers a closer to real-time view of patients and their conditions. mHealth provides the opportunity to improve medical system efficiencies and clinical outcomes by engaging patients in chronic disease management and medication compliance, and by extending healthcare access to the underserved (i.e., closing the Digital Divide).

Handheld devices (pads, tablets, smartphones, tablet PCs, and handheld scanners) use an array of messaging techniques, including short messaging service (SMS/TXT), general packet radio service (GPRS), the global positioning system (GPS), short-range Bluetooth, ANT+, and wider-range third and fourth generation mobile telecommunications known as 3G and 4G.

According to a recent industry study,[3] 38% of physicians use health-related mobile apps daily on smartphones or tablets, and that number is expected to increase above 50% within the next year. A study from Manhattan Research found that 71% of physicians surveyed already consider a smartphone essential to their practice. The remaining 70% of apps are directly engaging the consumer; this is also referred to as consumer facing, according to GlobalData (http://www.globaldata.com/), a New York-based market research firm.

The growing senior population in the US is driving advances in remote patient monitoring. The senior segment represented 13% of the US population in 2010 and is expected to reach 20.7% by 2050.[4] Chronic disease is more prevalent in our senior population. The point of care is shifting, and wireless remote patient monitoring provides the ability to monitor a patient in his or her own environment, thus giving healthcare providers an extended, more inclusive view of the patient. Implementing remote patient monitoring can provide cost-cutting intervention and many benefits, especially when incorporating remote patient-reported device data with electronic health records (EHRs).

Advances in remote patient monitoring include new peripherals, real-time audio and video for face-to-face interaction between clinicians and patients, wireless communication, systems that sort the vast amount of data collected in order to put it into the context of a patient's condition, portable and ambulatory monitors, web-based access to the patient record, systems that transfer data to an electronic medical record (EMR), and full-service outsourcing that includes a clinician to evaluate data and send a report to the attending physician, according to a summary of remote patient monitoring by a market research firm.[5]

Wireless Patient Monitoring Equipment

Wireless patient monitoring equipment covers a vast array of products. Wireless can be mobile or stationary. Handheld wireless patient monitoring devices include a wide range of products that provide to physicians data that supports diagnosis, consulting, monitoring, and treatment. Mobile administrative apps include products to streamline healthcare workflow and improve efficiency for better patient care. Other products include apps available on pads/tablets, smartphones, personal digital assistants (PDAs), and tablet PCs. Hardware includes passive and active radio frequency identification (RFID) tags and readers, scanners, and mBan sensors, to name a few.

Active patient monitoring devices are normally deemed an FDA Class II Medical Device. It is recommended that companies developing these types of products contact a medical device advisor and/or the FDA (http://www.fda.gov/) to determine if their product needs Premarket Notification 510(k) (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/HowtoMarketYourDevice/PremarketSubmissions/PremarketNotification510k/default.htm) and Premarket Approval (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/HowtoMarketYourDevice/PremarketSubmissions/PremarketApprovalPMA/default.htm). Many of the FDA requirements concern labeling, and this labeling can be the difference between needing a 510(k) or not. For example, a company develops an app to monitor consumers' hearts. If the app is marketed as a device that could assist a doctor in diagnosing a heart problem, the app will most likely have to have a 510(k) classification. If the same app is marketed as a device for personal use for monitoring one's heart, and warnings are provided that this app is not a medical device or should not replace a doctor, then the app will most likely not be classified as a medical device by the FDA. Note: The FDA has tools and guidance on their website to assist developers with these issues.

Healthcare Applications on Mobile Devices

The increased use of smartphones, pads, and tablets to achieve a physician's daily tasks drives adoption of mobile devices. This adoption of devices impacts providers' medical record choices and selections and ultimately security choices. Mobile functionality is a higher priority for early-adopter and tech-savvy providers, but is now moving to the more general population of physicians. Physicians are now using mobile devices for routine office activities such as maintaining schedules and signing off on prescriptions. However, this is quickly changing: a survey by EHR vendor Vitera Healthcare shows that nine of ten doctors would like to be able to access EHRs on their mobile devices. The new non-tethered Cloud EHRs will become more prevalent in the near future and most likely replace many first-generation EHRs.

Some EHR vendors are providing secure products to notify patients of laboratory results and changes in

6-04 mHIMSS Roadmap


medications via secure email or secure (not telecom carrier) SMS/TXT sent directly to patients' cell phones. One workflow example: patients receive an email or SMS indicating that a new message or a lab result is available to view within the provider's secure patient portal. A system that utilizes SMS/TXT must not use standard telecom delivery systems, because they are not secure. A HIPAA-compliant system must be sending these messages. SMS/TXT messages are asynchronous and do not provide guaranteed delivery. Another issue that needs to be considered is ambient or vicinity privacy. Many times cellphones are not secure and often are shared between friends, acquaintances, and family members. We must consider the content that is being delivered to the phone and the environment in which the phone is used, to determine if the content is appropriate for this type of retrieval.
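The notification-only workflow described above, as an added example that is not code from the Roadmap: the SMS carries only a pointer to the secure portal, a guard rejects any body that would carry PHI over the carrier network, and a retry/escalation rule accounts for SMS giving no delivery guarantee. The LabResultEvent fields, the portal URL and the retry limit are assumptions constructed for illustration.

```python
"""Notification-only SMS/TXT workflow for lab results.

Added example, not code from the mHIMSS Roadmap. The patient is told that
something is waiting in the secure portal; the result itself never travels
over the carrier network. Event fields, portal URL and retry limit are
assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Placeholder portal address (assumption, not a real provider).
PORTAL_URL = "https://portal.example-clinic.invalid/inbox"

# SMS is asynchronous with no delivery guarantee, so cap the retries before
# escalating to another contact path (assumed policy value).
MAX_SMS_ATTEMPTS = 3


@dataclass(frozen=True)
class LabResultEvent:
    """Constructed record of a result becoming available in the portal."""
    patient_name: str
    mrn: str            # medical record number
    test_name: str
    result_value: str
    phone: str          # destination handset


class PhiLeakError(ValueError):
    """Raised when a message bound for the carrier network would carry PHI."""


def phi_terms(event: LabResultEvent) -> list[str]:
    """Field values that must never appear in a carrier-delivered message."""
    return [event.patient_name, event.mrn, event.test_name, event.result_value]


def contains_phi(text: str, event: LabResultEvent) -> bool:
    """Case-insensitive substring check against every PHI field of the event."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in phi_terms(event) if term)


def vet_for_sms(text: str, event: LabResultEvent) -> bool:
    """Gate for any outbound SMS: True only if the body carries no PHI."""
    return not contains_phi(text, event)


def build_result_notification(event: LabResultEvent) -> str:
    """Safe body: a generic notice plus a pointer to the secure portal.

    Nothing here identifies the patient, the test or the value, so a phone
    shared with family or friends (the ambient-privacy concern) reveals
    only that a message exists.
    """
    body = ("A new message is waiting in your secure patient portal. "
            f"Sign in at {PORTAL_URL} to view it.")
    if not vet_for_sms(body, event):
        raise PhiLeakError("notification would carry PHI over an untrusted channel")
    return body


def build_unsafe_notification(event: LabResultEvent) -> str:
    """Anti-pattern kept only so the gate can be exercised: the result is
    interpolated straight into the SMS body."""
    return (f"Hi {event.patient_name}, your {event.test_name} result "
            f"is {event.result_value}.")


@dataclass
class Notification:
    """Delivery state for one queued SMS."""
    event: LabResultEvent
    body: str
    attempts: int = 0
    delivered: bool = False


def next_action(note: Notification) -> str:
    """Decide what to do after a send attempt, given that carrier SMS gives
    no delivery receipt the application can rely on."""
    if note.delivered:
        return "done"
    if note.attempts < MAX_SMS_ATTEMPTS:
        return "retry_sms"
    return "escalate_secure_channel"   # e.g. secure email, as the text suggests


if __name__ == "__main__":
    # Constructed sample event; all values are fictitious.
    event = LabResultEvent("Jane Doe", "MRN-000123", "HbA1c", "7.2%",
                           "+1-555-555-0100")
    safe = build_result_notification(event)
    print("safe to send:", vet_for_sms(safe, event), "->", safe)
    unsafe = build_unsafe_notification(event)
    print("safe to send:", vet_for_sms(unsafe, event), "->", unsafe)
    note = Notification(event, safe, attempts=MAX_SMS_ATTEMPTS)
    print("after retries exhausted:", next_action(note))
```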

Medical Device Regulations

The mobile medical device market is experiencing an explosion of software solutions, apps (i.e., smartphone applications, see below) that potentially offer new modalities of care, blurring the distinction between a more traditional provision of clinical care by physicians, and the self-administration of care and well-being. Mobile medical devices are reaching the next generation of development. The healthcare industry recognizes a greater need for a regulatory framework that will govern development, promotion, and use. Regulations by which healthcare is regulated are quite different than those for commercial industry. To those unfamiliar, medical device regulations can appear complex and burdensome, even a hindrance to innovation and product development. However, patients' health, well-being, and right to privacy mandate these stringent regulations.

Development of mobile medical applications is opening new and innovative ways for technology to improve health and healthcare. Apps that allow medical professionals and patients to access already publicly available material, or perform administrative tasks, are not regulated. However, regulators are indicating that other types of mobile medical apps should be regulated. FDA-classified apps should be developed, manufactured, and supported in compliance with regulations.

On July 19, 2011, the FDA announced its proposed official action, including defining mobile medical applications (MMA) that are subject to FDA action. The FDA defines MMA as a software application that can be executed (run) on a mobile platform, or a web-based software application that is tailored to a mobile platform but is executed on a server, where that software already meets the general definition of a medical device as found in 210(h) of the Federal Food, Drug, and Cosmetic (FD&C) Act. There are three categories of apps identified:

• Apps for the purpose of displaying, storing, analyzing, or transmitting patient-specific medical device data, i.e., data that originated from a classified medical device, a Medical Device Data System (MDDS), class 1
• Apps that transform or make a mobile platform into a regulated medical device [...] or [perform] similar medical device functions
• Apps that allow the user to input patient-specific information and, using formulae or a processing algorithm, output a patient-specific result, diagnosis, or treatment recommendation that is used in clinical practice or to assist in making clinical decisions

For more information on the legal definitions of MDDS, see the policy section of the mHIMSS Roadmap.

Telehealth

Telehealth, as defined by the Department of Health and Human Services (HHS), is: "The use of electronic information and telecommunications technologies to support remote clinical health care, patient and professional health-related education, public health and health administration." Telehealth enables collaboration of healthcare professionals to provide healthcare services across a variety of settings and distances.

Telemedicine usage ranges from synchronous video chat between a patient and a doctor, to conferencing between doctors, to conferencing between doctors and allied health professionals (e.g., nutritionists, physical therapists), to providing live or recorded presentations to groups of patients, all of whom are geographically separated. But telehealth, currently being used worldwide, still faces challenges. The primary obstacle to widespread adoption of telemedicine is provider reimbursement. Currently, each episode of care is monetized; the more visits, the higher the cost. The accountable care organization (ACO) model as illustrated in the American Care Act incentivizes providers to see patients in a number of convenient ways (e.g., in person or via email, SMS, TXT, video chat, or data transfer). Alternative communication methods can be helpful for both parties in terms of time, convenience, and care access.

Telehealth privacy and security are governed by HIPAA and HITECH. Just as patients are protected in encounters within the walls of a health facility, so they are in remote telehealth sessions.

6-05 mHIMSS Roadmap


    Health and WellnessServices / ApplicationsCurrently, consumer health and wellness services/

    applications are largely based on using mobile phones

    as user PCs Historically, the mobile devices processing

    power has been slow at the user-interace, producing a

    sluggish user experience This is changing with availability

    o the aster 3G and 4G communication standards

    Smartphones are becoming ubiquitous In January 2012

    there were more than 100 million smartphones in the

    US alone

    The consumer app choices include the ollowing:

    Use o mobile platorms (phones, tablets, portable

    entertainment devices) to access health and wellness

    inormation, track personal health conditions, and

    interact with care proessionals and care organizations;

    Use o mobile apps and widgets10 or health-related

    purposes;

    Motivational actors, satisaction, and unmet needs

    when consumers use mHealth apps and solutions;

    Use o Web 20 tools and mobile social networking

    solutions or health-related purposes;

    Interest in mobile-based care solutions, services,

    and apps, as well as willingness to spend or these

    oerings; and

    Games are being developed to improve overall health

    and well being

    These apps are available primarily rom the phone

    manuacturers online stores, such as Google Play or

    iStore Soon patients will be able to obtain health apps

    directly rom their doctors or i nsurance companies via

    their own online stores

    Bring YourOwn Device (BYOD)Providers and patients initiated the consumerization

    o health IT by driving the adoption o consumer

    technologies in the healthcare enterprise However,

    employees have been bringing devices such as laptops

    and mp3 players to the workplace and accessing

    company networks or many years The amount and

    types o devices are growing at an unprecedented rate

Today there are many different types of devices that have the ability to access the network. The volume of guests requesting access has also changed, from children with their own smartphones and electronic game devices, to retirees with WiFi tablets. Bring-your-own-device (BYOD) is one of the more dramatic results of consumer preference, rather than corporate initiative. However, many of these technologies were not developed with enterprise requirements in mind. Currently, health IT staff may lack the knowledge or experience associated with enterprise mobile security and privacy. The enterprise requires a well-defined risk management strategy with which to govern devices, application deployment, and daily management.

In recent comments, HHS posted a warning against employing a BYOD strategy that stated, "If IT administrators don't implement the correct mobile device for the right job or are slow to integrate [mobile devices] into the work place, they run the risk that employees may use their personal mobile devices to perform their duties. If a healthcare professional uses a personal device such as a smart phone, tablet or USB device to access patient information, at risk for theft or accidental loss of the device is patient information on an unencrypted or protected device that is not password protected." Though this statement is valid, organizations have the opportunity to preempt security issues with the proactive approach of enacting policies and procedures to control access.

Organizations' BYOD strategy for privacy and security should include the following:

- Device choices: Do you support all devices, and do you understand the privacy and security implication of each?
- Trust model or risk assessment
- Liability
- Sustainability
- User experience and privacy (eg, agreements, signature, opt-in)
- App design and governance
- Economics
- Internal marketing
- Employee (user) training
- Cost and budget
- Traffic and bandwidth considerations
- Guest policies
- Up-to-date terms and conditions in electronic form
- Priority and preemption

BYOD holds tremendous advantage for organizations as a way of reducing costs. For example, if employees purchase their own devices and use them at work, there is a saving of capital equipment, support, and maintenance. However, the true value of a well-designed BYOD program is increasing provider and employee satisfaction, productivity, and rapid adoption of technology across the enterprise.


Benchmarking and Potential Goals for Privacy and Security

The ultimate goal of privacy and security is to provide as much effort as needed to protect patients' PHI from a breach or from being compromised. This is a tall order to strive for; however, technology and policies make it possible and highly probable. Patient privacy is based on and protected by HIPAA. UC Berkeley summarizes PHI as "any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment." HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment or operations.

The benchmark for privacy must be 100% secure PHI. Electronic security restraints are always changing as computers become faster and gain a better capability of breaking encryption. As hackers become more skilled in finding new vulnerabilities in both software and hardware, a once-secure platform of protection can be compromised. Testing is an organization's tool to benchmark and locate vulnerabilities in systems.

Recommendations

- Develop guidelines for protection of PHI;
- Develop guidelines and examples of test plans for testing PHI. This should include software and hardware systems and devices; and
- Develop acceptance and regression testing guidelines.

Future or Proposed State of Privacy and Security for mHealth

To envision the future of security and privacy in mHealth, follow the money, politics, and culture. Although no one is a good predictor of the future, privacy and security remain the same, whether digital or paper, stationary or mobile, for protecting patients' PHI. The extent of protection depends on what individuals and cultures demand. The US, France, and others have stringent demands concerning security, while other countries are more lax in their efforts. There are many issues that surround this discrepancy (eg, political, payment systems, and culture). There is also the perception of security that surrounds how we live. Most of us get into cars, or walk down the sidewalk without a second thought to security. However, perceptions do change without warning, as do security and privacy needs. The point is that privacy and security are a fluid force that must be constantly monitored and scrutinized.

During a conversation at the StrataRX Conference with John Mattison, CMIO of Kaiser, he mentioned the possibility of utilizing avatars to provide proxies for identification, a concept of disassociating a person's true identity or persona with one or more symbols (avatars). In the event of a breach, the proxy persona could be deleted.

Overview of Current State

In 2011, nearly all of the 164 respondents participating in the 1st Annual HIMSS Mobile Technology Survey indicated that clinicians in their organizations accessed information via a mobile device, with laptop computers and computers/workstations on wheels (COWs/WOWs).

Use Case: Providing Network Access for Visiting Caregiver

Problem: On the first day of the locum physician's assignment at a local hospital, she brings her personal laptop, smartphone, and tablet and requests access to the network.

Policy objectives:
- Control access; provide access when appropriate;
- Provide terms and conditions of usage;
- Mobile device management (MDM);
- Secure control access to patients' personal health information (PHI);
- Multiple guest devices to support.

IT objectives:
- Control access via technology;
- Provide caregivers access to do their job;
- Protect network and PHI;
- Monitor who and what is on the network;
- Determine locum physician's network needs as it relates to her job.
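The access decision and audit trail for this use case, as an added example that is not part of the roadmap: a small policy evaluator in Go that applies the objectives above in order (supported device, signed terms and conditions, role and active assignment, then the MDM posture that access to PHI requires) and lands each of the locum's devices on a guest or clinical segment while recording who and what was admitted. The segment names, posture fields and sample requests are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is the kind of person asking for network access in the use case.
type Role string

const (
	RoleGuest Role = "guest"           // patient or visitor
	RoleLocum Role = "locum-physician" // visiting caregiver
)

// Posture is what the controller learns about a device at connect time from the captive portal and the MDM agent; every value used below is constructed for the example.
type Posture struct {
	Kind          string // laptop, smartphone, tablet
	AcceptedTerms bool   // signed the electronic terms and conditions
	MDMEnrolled   bool
	Encrypted     bool // storage encryption enforced by MDM
	PasscodeSet   bool
	RemoteWipe    bool // the organisation can wipe it if it is lost
}

// Segment is the network the device lands on; PHI is reachable only from SegClinical.
type Segment string

const (
	SegDenied   Segment = "denied"
	SegGuest    Segment = "guest-internet"
	SegClinical Segment = "clinical"
)

// Request pairs the identity asserted at login with the device's posture.
type Request struct {
	User       string
	Role       Role
	Assignment bool // the locum has an active assignment at this facility
	Device     Posture
}

// Decision is the segment granted and the reason recorded for it.
type Decision struct{ Segment Segment; Reason string }

// supported is the facility's answer to "do you support all devices?".
var supported = map[string]bool{"laptop": true, "smartphone": true, "tablet": true}

// Evaluate applies the objectives in order: supported device, signed terms, role and active assignment, then the managed posture that access to PHI requires.
func Evaluate(r Request) Decision {
	d := r.Device
	switch {
	case !supported[d.Kind]:
		return Decision{SegDenied, "unsupported device type: " + d.Kind}
	case !d.AcceptedTerms:
		return Decision{SegDenied, "terms and conditions not accepted"}
	case r.Role != RoleLocum || !r.Assignment:
		return Decision{SegGuest, "no clinical role or active assignment"}
	}
	checks := []struct {
		name string
		ok   bool
	}{{"mdm", d.MDMEnrolled}, {"encryption", d.Encrypted}, {"passcode", d.PasscodeSet}, {"remote-wipe", d.RemoteWipe}}
	var missing []string
	for _, ch := range checks {
		if !ch.ok {
			missing = append(missing, ch.name)
		}
	}
	if len(missing) > 0 {
		return Decision{SegGuest, "clinical posture missing: " + strings.Join(missing, ",")}
	}
	return Decision{SegClinical, "caregiver on a managed, encrypted, wipeable device"}
}

// Controller keeps the audit trail that lets IT see who and what is on the network.
type Controller struct{ Audit []string }

// Admit evaluates a request and records the outcome, granted or not.
func (c *Controller) Admit(r Request) Decision {
	dec := Evaluate(r)
	c.Audit = append(c.Audit, fmt.Sprintf("user=%s role=%s device=%s segment=%s reason=%q",
		r.User, r.Role, r.Device.Kind, dec.Segment, dec.Reason))
	return dec
}

func main() {
	var c Controller
	locum := func(kind string, managed bool) Request { // the visiting physician's devices
		return Request{User: "dr.locum", Role: RoleLocum, Assignment: true, Device: Posture{
			Kind: kind, AcceptedTerms: true, MDMEnrolled: managed, Encrypted: managed,
			PasscodeSet: true, RemoteWipe: managed}}
	}
	c.Admit(locum("laptop", false))    // personal laptop, unmanaged: internet only
	c.Admit(locum("tablet", true))     // MDM-enrolled tablet: clinical segment
	c.Admit(locum("smartwatch", true)) // not a supported kind: denied
	for _, line := range c.Audit {
		fmt.Println(line)
	}
}
```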


Additionally, a wide variety of other professionals, including executives and support staff, were using mobile devices to perform daily activities.

Key results of the survey include:

- Respondents believed that the mobile technology environment was very immature.
- Tools were needed to secure devices.
- Policies were very wide in coverage, though many were planning to update policies.
- The majority of mobile use in a clinical environment was to access non-PHI information.
- Two thirds of the respondents noted that they could access clinical data off-site with approved security.
- Inadequate privacy and security was the barrier most frequently identified by survey respondents to the use of mobile technology at their organization.
- About half of respondents noted that their organization supported BYOD for daily work activities.
- Passwords provided the dominant element of system security.

Current State of Organizational Readiness

According to an mHIMSS annual mobile survey, only 73% of healthcare facilities use data encryption. Only 52% utilized remote wiping capabilities on their mobile devices. These results do not provide a clear view into the readiness of organizations; however, they do show a trend towards security. Organizations indicated that passwords are used by 92% to protect devices; however, passwords provide very little protection for actually securing data. The primary method to protect PHI is by encrypting the PHI. This is a major concern when there are so many storage devices containing PHI that just disappear from healthcare facilities, causing breaches. The key survey results show that there is more work to be done in the area of mobile security at the organizational level.

Mobile technology connecting to the Cloud is expected to increase as the need to retrieve app and sensor data increases. These platforms accelerate the ease of updating remote client software, increasing deployment of new features and enhancing security of PHI by storing data in the Cloud rather than on mobile devices.

Use Cases, Emerging and Best Practices

Technology Challenges

The challenge that we face in healthcare today is the accelerated rate with which mobile technology is changing healthcare. The movement from paper records to digitalized records via the EHR has opened the door to use patient data as never before. This is not a phenomenon that is exclusive to the US. The challenge is to keep abreast of the latest trends and momentum in technology.

Encryption

Encryption is essential in protecting patients' PHI along the entire chain of responsibility. For example, a physician accepts patient-reported health data via email and responds to the patient via email. The patient-reported data is now the responsibility of the provider to secure as protected (covered) PHI. The communication of the provider to the client is also protected and must be secure. If the physician decides to store the PHI online, the covered organization should consider using encryption as a means to protect the data in the event of a breach. Encryption is one of the best tools to secure PHI; in the event that the media that houses the PHI is compromised, the encrypted PHI is still safe. We must remember that the need to protect PHI is the same for mobile or other systems. Many obstacles such as on-board storage or processing power, present only a few months ago, are no longer issues. The latest mobile devices have 4G transmitters that can receive over 20 Mbps and house quad-core 1.4 GHz processors with up to 1 GB RAM and 64 GB of storage. By the time this document is posted, this may seem obsolete.


To summarize, the power needed in a mobile device is no longer an issue that needs to be discussed.

Recommendations

- Develop a recommendation on the type of encryption that should be utilized (Advanced Encryption Standard, or AES).
- Develop recommendations for transmission of PHI (secure socket layer, or SSL; virtual private network, or VPN).
- Define PHI to clarify what protection is needed and when.
- Develop best practices for encryption use.
- Develop an international approach to security.
- Develop export recommendations for US companies. It is a violation of the Department of Commerce to export products with symmetric algorithms with more than 64-bit keys.
- Develop guidelines for documenting procedures and policies for securing PHI data. Note: the majority of encryption guidelines are the same for both mobile and non-mobile with one exception: export laws. It is illegal to export software from the US that is stronger than 64-bit, per the Department of Commerce.

Medical Apps: Definition

Though not a definition of a medical app, the FDA states, "Consumers use mobile medical applications to manage their own health and wellness which in some instances includes apps. Health care professionals are using these applications to improve and facilitate patient care. These applications include a wide range of functions from allowing individuals to monitor their calorie intake for healthy weight maintenance to allowing doctors to view a patient's x-rays on their mobile communications device."

Many media sources have mentioned the ever-increasing number of medical apps on the market today. Though these numbers seem to be staggering, we must place these findings into context. Companies like Apple and Google create a lot of buzz by tossing out these public-relations-based statistics. Although the app is self-proclaimed by the developer to be a health app, that is not always reflective of the functionality of the app. Currently, there is no consistent formal definition of a health app within the industry. The FDA does define a medical device. However, the majority of manufacturer-classified health apps are not medical devices and many have little to do with clinical or even personal health. App developers should be versed on the FDA law on labeling. This is an issue that can lead the developer into problems with the FDA.

Code (Software) and Architecture: Who Writes Software and What about Security?

Currently, almost anyone from anywhere, at almost any age can write and publish an app onto the Web. Apple's developer age limit is 13 years old; however, there have been younger children submitting apps under their parents' accounts. A mother of a 12 year old told me that she set up a developer's account with Apple for her son, under her name. We should not be concerned with the age of the developer; instead, the concern should be directed at what is produced and the transparency of the developer. Currently, there are no requirements for skill, age, knowledge, credentials, and cited documents that support app development.

Recommendations

- Develop guidelines for developers, including standards for acceptance specific to healthcare.
- Develop peer review standards for apps and software.
- Develop standards for proving efficacy.

Security

The majority of apps on the market today provide little or no security and many of the users are unaware of this shortcoming. Some of the leading apps, which display users' PHI, do not even have a password to secure access.

Recommendations

- Develop guidelines on securing PHI for software and hardware.
- Develop guidelines for transmitting and storing PHI.
- Develop testing requirement guidelines.
- Develop policies and procedures (most important).

Target Market: Consumers

The mHealth consumer market is predicted to explode, leading to the marketing of more apps to all healthcare stakeholders.

As with the provider market, it is difficult to provide an accurate count of true medical apps. The definition of a medical app is ambiguous at best. For example, Epocrates is known to be one of the best provider apps made. However, Epocrates is a content app that displays data, the same data that could be viewed via a mobile browser. Should this be classified as a medical app or online documentation?


Consumer Sites

Medical apps are available from many sources including smartphone manufacturer sites such as Apple's iTunes, Google Play, and Windows Phone. Android apps, unlike the other phones, are available in multiple locations including Google Play, Amazon, and developers' websites. Rules and regulations of distribution, which are provided by these sites, are produced for all apps and are not clinical in nature. Security and efficacy are the responsibility of the developer, providing little oversight except unskilled consumer reviews/opinions. There is no oversight of the reviewer, leaving the consumer very exposed to biased, unqualified opinions.

Education and Monitoring

Consumers' awareness and knowledge of privacy and security vary in many ways, and are influenced by the abundance of political and corporate rhetoric that surrounds healthcare privacy and security. Education and awareness campaigns provide an effective way to assist consumers in understanding and trusting health privacy and security measures. Monitoring these efforts serves as a barometer of consumers' attitudes towards these issues.

Recommendations

- Develop an efficacy plan/guidelines for consumer apps. An efficacy plan is a means to assist developers in building apps on cited studies. A number of organizations are looking to establish guidelines to inform consumers of (1) the review of apps by an independent body and (2) guidelines that are readily understandable by the consumer.

Patient-reported Data: The Integration of Consumer Data into EMR

Electronic patient-reported data is a new frontier in patient-centric care and very little work has been done to address associated issues. The majority of apps on the market today do not provide a method to securely export the app-collected health data. A few of the apps do provide a feature which allows the user to insecurely email their data to a provider. One reason that providers are reluctant to accept patient-reported data is because of HIPAA liability and their responsibility to secure patient data.

One of the primary issues with importing patient-reported data into an EMR is how to identify the collector of the data. EMRs are designed to store providers' clinically entered data, not patient-reported data. The Health Level 7 (HL7) organization is working on initiatives to label patient data, to be able to differentiate the data. HL7 is also working on modern protocols that are more suited for the mobile environment: Fast Healthcare Interoperability Resources (FHIR). The filtering and aggregating of the possible deluge of incoming patient-reported data is a topic of concern as more sensors become available for remote monitoring. For example: the patient is an 85-year-old woman with co-morbidity; she utilizes several health smartphone apps and connected bio-sensors: ECG, CHF, images, and diabetes monitor. The collected data is automatically uploaded to the physician's EHR.

Recommendations

- Provide guidelines for patient-reported data for EMR integration.

Medical Devices

The FDA defines a medical device as "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

- Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them;
- Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or
- Intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes."

State laws and regulations must also be considered when developing medical apps. State laws can and do differ from FDA rulings, as well as from other states. It is prudent for developers to understand the laws for states to which they are marketing.

Software apps as medical devices are new, untested ground for medical regulations agencies. Several federal agencies were vying for the responsibility to monitor and regulate apps until July 9, 2012, when Congress gave the FDA jurisdiction over apps in the Food and Drug Administration Safety and Innovation Act (FDASIA). Medical Device Data Systems (MDDS) is a newly identified FDA Class 1 Medical Device, which affects many of the apps on the market today. The classification covers systems that transport medical data from a classified medical device (eg, downloading glucose monitoring data from a monitoring device). It also covers


apps that display medical data that is collected from a classified medical device (eg, Microsoft HealthVault is a classified medical device [Class 1] and by default, apps that connect to HealthVault and display data collected by HealthVault also fall under the classification of a Medical Device Data System, Class 1 medical device). There are many apps on the market today that are disregarding this requirement for classification. It is only a matter of time until the FDA begins to enforce this requirement and issue fines.

Note: The reference to HealthVault was made to illustrate the relationship between classified FDA medical devices and consumer apps.

Recommendations

- Define within the mHIMSS guidelines the FDA requirements.
- Set up a subcommittee to monitor FDA activity as it pertains to mHealth.

Telehealth and Monitoring

IMS Research forecasts that more than 50 million wireless health monitoring devices will ship for consumer monitoring applications during the next five years, with a smaller number being used in managed telehealth systems (i.e., associated with managed care). Active patient monitoring requires an FDA Class 2 certification and 510(k) clearance. Certification is a costly and time-consuming process.

Integration of Patient-reported Data into EMR

Patient-reported data (information that is not collected by a physician or a licensed medical provider) is an important part of patient-centric care. Several EMR vendors claim to have integrated telehealth data into their EMR. Little is known about the formats of these stored files. Many EHRs can import files into a patient's electronic record; it is possible to use this facility to store the files (audio/video) exported by telehealth systems.

Recommendations

Follow and report on the standardizing of A/V files and formats

Develop a standard for transferring and storing files

Policy Challenges

Bring Your Own Device (BYOD)

BYOD is not a new concept: employees have been bringing their laptops to their workplaces for many years. The clear impact on organizations is the number of devices that require access to the healthcare network. No longer is it just employees demanding access; patients, visitors, and guests are now vying for network resources. The more devices are added to the network, the more exposure an organization has to intrusion. The challenge is to provide a balanced solution for all stakeholders. BYOD policies need to be crafted explicitly for the facility and its users. Smartphone app usage can also increase liability, compromise privacy, and add load to the network.

In the soon-to-be-published (March 2013) HIMSS book on security and protecting organizations, Jeff Brandt illustrates the following guidelines for BYOD policies:

Access and authorization:

Who: Who are you allowing on the network?

What: Which devices are you allowing on the network (this will be a moving target as new devices are introduced)? What apps will have access to the network?

Where: What are the boundaries and far-reaching arms of remote networks (e.g., can providers reach the network from remote sites on their own devices)? How powerful is the WiFi signal, and how far away from the building can it be accessed? Is there video capability in the operating room or emergency department?

When: Consider time-of-day usage per user profile (e.g., the human resources department has access from 9:00am-6:00pm only). Are visitors allowed access to the network beyond visiting hours?

How many: Connections have real costs associated with them, such as support and bandwidth. Your plan needs to consider limiting the number of guest users on your network at one time, and the permitted usage (e.g., streaming music and video).

Recommendation

Develop guidelines and best practices to support BYOD policies

Reference: IMS Research press release, http://imsresearch.com/press-release/Consumers_Not_Telehealth_Patients_to_Drive_Adoption_of_Wireless_Technology_in_Medical_Devices&cat_id=175&type=LatestResearch

Medical Apps Policy Challenges

Medical apps, and apps in general, have the opportunity to expose protected data and compromise an organization. Since smartphones are employees' property and many times their only telecommunications device, the phones present an ongoing challenge in the workplace. Currently, smartphones have storage capacity of up to 64GB, providing the opportunity to quickly upload a significant amount of information. Many organizations limit what an employee can download onto company-owned devices. Organizations may want to consider developing a white list of apps that have been declared safe for use.

Storage of PHI

Secure storage of PHI is the legal mandate that patients and their families have entrusted to healthcare organizations. It is the duty of developers, vendors, and organizations to extend this trust relationship and guarantee that patients' health data is not compromised. The process of securing PHI goes lockstep with strong policies and procedures, as well as their enforcement. The second part of securing PHI is the use of technical barriers and security solutions such as encryption, the strongest technical safeguard available: properly encrypted PHI stays protected even when the device holding it is lost or stolen.

Recommendations

PHI should be encrypted using AES-128

PHI should remain encrypted at all times (except when in use), regardless of whether it is on a device or not
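As an added illustration of the two recommendations above (example code written for this page, not code from the Roadmap or from HIMSS): a Go program that seals a patient record under AES-128 in GCM mode, stores it as nonce || ciphertext || tag, and refuses to decrypt a blob that has been altered or re-bound to a different record ID. The Roadmap names only the key size; the choice of GCM (authenticated encryption rather than bare AES), the blob layout, and the sample record and record ID are assumptions of this example. Key generation is shown inline only to keep the example self-contained; in a deployment the key belongs in a key-management service or hardware-backed keystore, separate from the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 16 bytes: AES-128, the key length the Roadmap recommends.
const KeySize = 16

// NewKey returns a fresh random AES-128 key. Shown inline so the example is
// self-contained; a real deployment fetches the key from a KMS or
// hardware-backed keystore and never stores it next to the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AES-128-GCM AEAD, rejecting any key that is not 128 bits.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 16 bytes for AES-128")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals a record under AES-128-GCM. Output layout is
// nonce || ciphertext || tag, so the stored blob is self-describing.
// recordID is additional authenticated data: not encrypted, but bound to the
// ciphertext so a blob cannot be swapped into another patient's record.
func EncryptPHI(key, plaintext, recordID []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, fresh per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// DecryptPHI opens a blob produced by EncryptPHI. Any change to the nonce,
// ciphertext, tag or recordID makes Open fail, so a corrupted or tampered
// record is rejected instead of being returned as garbage plaintext.
func DecryptPHI(key, sealed, recordID []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], recordID)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and ID; not real patient data.
	record := []byte(`{"mrn":"000-TEST","bp":"128/82","note":"constructed sample"}`)
	recordID := []byte("record:000-TEST")

	sealed, err := EncryptPHI(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed: %d bytes (12 nonce + %d ciphertext + 16 tag)\n", len(sealed), len(record))

	plain, err := DecryptPHI(key, sealed, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip: %s\n", plain)

	// Flip one bit of the stored blob: decryption must fail, not return garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptPHI(key, tampered, recordID)
	fmt.Println("tampered blob rejected:", err)

	// The same blob bound to a different record ID is also rejected.
	_, err = DecryptPHI(key, sealed, []byte("record:OTHER"))
	fmt.Println("wrong record binding rejected:", err)
}
```

Run it with `go run`. The round trip prints the recovered record; both tampering checks print an authentication failure rather than altered plaintext. That property is what makes "encrypted at rest" meaningful for PHI: someone who obtains the storage but not the key can neither read a record nor silently modify it, and the failure surfaces as an error the application can log and alert on.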

Breach Reporting

The Breach Notification Rule is covered by the HITECH Act (see below). The regulations and notification instructions can be found on the HHS website.

Legal Policies and Regulations

This section of the Roadmap covers laws and regulations as they pertain to the privacy and security of healthcare IT. Though not an exhaustive list, we focus on highlighting recently drafted federal legislation. Individual state policies, regulation, and legislation are beyond the scope of this document.

HIPAA

HHS states: "The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety."

There is a lot of confusion around HIPAA guidelines and who has to abide by them. The HIPAA Privacy and Security Rules apply to covered entities. These entities include healthcare providers (doctors, clinics, etc.), health plans, and healthcare clearinghouses (processors of non-standard health data). If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule on its own account. Note, however, that business associates (vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity, which is what most mHealth app and telehealth vendors are) are bound as well: by contract under the Privacy Rule, and directly under the HITECH Act and the 2013 Omnibus Rule.

The University of Miami Miller School of Medicine states that HIPAA has two main goals, as its name implies:

Portability: ensuring that health insurance is portable when persons change employers; and

Accountability: making the healthcare system more accountable for costs, trying especially to reduce waste and fraud (i.e., save money).

HIPAA states: "To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled."

"It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."

HITECH

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Consent (informed)

HIPAA Consent ruling

Standards for Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164]

References for this section:

HHS Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

University of Miami, consent glossary: http://privacy.med.miami.edu/glossary/xd_consent.htm

Standards for Privacy of Individually Identifiable Health Information: http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm

International standards

Laws that govern providers worldwide may differ in many ways. International organizations set uniform guidelines for providers. One example is consent. After World War II, the Nuremberg Code of 1947 set guidelines on informed consent, followed by the Declaration of Helsinki.

Breach Notification Rule

The Federal Trade Commission's (FTC) Breach Notification Rule on improper access to PHI has been extended, in its final rule, to PHR vendors and services that connect to PHRs (entities not covered by HIPAA). PHR vendors or connected vendors are required to notify the FTC and all individuals whose information is the subject of a breach no later than 60 days after discovery. There are also additional obligations for PHR vendors (see the Final Rule).

Recommendation

Develop a subcommittee to track international health laws and guidelines as they pertain to mHealth

Best Practices/Resources

Healthcare best practices provide consistently well-performing guidelines and methods that can serve as trusted benchmarks to develop and evaluate systems.

HIMSS Mobile Toolkit

The HIMSS Mobile Security Toolkit assists healthcare organizations and security practitioners in managing the security of their mobile co