Blog Tag: hipaa

Figure: An example provided in InfoArmor's July 2016 report of the type of data the hackers were able to obtain.

Hackers Steal 600K Records from Health Care Firms – Could Your Wearable Device Be Next?

Security firm InfoArmor published a report in late July 2016 stating that a group of attackers infiltrated American health care institutions, stole at least 600,000 patient records and attempted to sell more than 3 terabytes of the associated data.  In an interview with eWeek, chief intelligence officer Andrew Komarov noted that the hackers he investigated were able to compromise a range of health care institutions, including private clinics, vendors of medical equipment, and suppliers.  Once inside the compromised systems, the hackers were able to take personally identifiable information and medical data, including imaging data (as shown in the figure above).

Komarov’s research should come as no surprise in view of a report issued by the Brookings Institute in May 2016 reporting that 23% of all data breaches occur in the healthcare industry.  In fact, nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the healthcare industry nearly $6.2 billion.

According to a report by Bloomberg BNA, while a number of legal mandates exist (e.g., the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology Certification Program, and the Food and Drug Administration's (FDA) premarket review), the existing guidelines are limited.  Furthermore, medical devices face certain unique cybersecurity pitfalls.  For example, while HIPAA protects health information regardless of where it is stored, protected health information that remains on medical devices that have been disposed of or are no longer functional can be overlooked.

Connected medical devices (i.e., medical devices that can transmit information over the internet or a networked system) also pose unexpected risks and challenges.  For example, the ability of an attacker to remotely access a connected medical device can, in principle, result in significant threats to patient health and safety.  A 2012 episode of the television show Homeland featured a character hacking into and manipulating the pacemaker of the fictional vice president.  While such situations seem far-fetched, in an interview on "60 Minutes" it was revealed that Vice President Dick Cheney's doctor had actually disabled the wireless functionality of his heart implant, fearing that it might be hacked in an assassination attempt.

While such fears may seem fueled by paranoia, recent studies have shown that such security threats may be a real concern.  Bloomberg Businessweek reported in November 2015 that the Mayo Clinic engaged a number of high-profile "white hat" hackers to conduct a study of cybersecurity vulnerabilities in its medical devices.  These "white hat" hackers worked on a number of different medical devices, including cardiac monitors, infusion pumps, and hospital beds.  In one alarming example, a hacker was able to gain control of an infusion pump, the Hospira Symbiq Infusion System, and remotely cause it to deliver a potentially lethal dose of medication.  Shortly thereafter, the FDA issued a safety notice recommending a recall and the discontinued use of that pump.

With increasing concerns about cybersecurity, as discussed on this blog previously, the FDA is currently seeking comment on proposed guidelines that outline when software changes to medical devices would require manufacturers to submit a premarket notification.

FDA Issues Draft Guidance on Dissemination of Patient-Specific Information from Devices

On June 10, 2016, the U.S. Food and Drug Administration (FDA) issued draft guidance advising manufacturers on appropriate and responsible dissemination of patient-specific information from medical devices.

The draft guidance defines patient-specific information as "any information unique to an individual patient or unique to that patient's treatment or diagnosis that, consistent with the intended use of a medical device, may be recorded, stored, processed, retrieved, and/or derived from that medical device."  According to the guidance, patient-specific information includes recorded patient data, device usage/output statistics (e.g., pulse oximetry data, heart electrical activity, and rhythms as monitored by a pacemaker), healthcare provider inputs, incidence of alarms, and/or records of device malfunctions or failures.  Patients may contact their healthcare providers or manufacturers to obtain access to patient-specific information.

According to the draft guidance, manufacturers may share patient-specific information with a patient at the patient's request without obtaining additional premarket review.  The Health Insurance Portability and Accountability Act (HIPAA) and the associated HIPAA Privacy Rule are intended to prevent manufacturers from sharing individually identifiable health information with covered entities (e.g., health plans, healthcare clearinghouses, and healthcare providers that electronically transmit health information) without the patient's consent.  However, the draft guidance takes the position that HIPAA and the HIPAA Privacy Rule are not intended to prevent a medical device manufacturer from sharing patient-specific information with the affected patient.

1. Considerations When Sharing Patient-Specific Information

In the draft guidance, FDA recommends that device manufacturers take certain considerations into account when sharing patient-specific information.  These considerations relate to the content of the information provided, the context in which patient information from medical devices should be understood, and the need for access to additional follow-up information from the manufacturer or a healthcare provider.

  • Content

FDA recommends that a manufacturer take appropriate measures 1) to ensure that the information provided is interpretable and useful to the patient and 2) to prevent the disclosure of confusing or unclear information that could be misinterpreted.  For example, the manufacturer may provide supplementary instructions, materials, or references to aid patient understanding.  Patient-specific information provided to patients should be comprehensive and current.

  • Context

When providing patient-specific information to the affected patient, it may be appropriate for the device manufacturer to include relevant context in order to avoid circumstances where this information may be misinterpreted, thus leading to incorrect or invalid conclusions.  Informing patients about how parameters were measured and recorded by the medical device is a good example of providing relevant context.

  • Access to follow-up information

Manufacturers should consider what, if any, information they should include about whom to contact for follow-up information.  The FDA recommends, at a minimum, that such manufacturers advise patients to contact their healthcare providers if the patients have any questions about their patient-specific information.  Moreover, FDA suggests that manufacturers provide their contact information to answer questions from patients about the device at issue.

Comments and suggestions on the draft guidance are accepted for 60 days from its publication.

2. Implications on the Medical Device Industry

FDA stated in its draft guidance that a device manufacturer's disclosure of patient-specific information to the affected patient would be subject neither to additional premarket review by FDA nor to HIPAA and the associated Privacy Rule.