What other information should the health care provider obtain from the patient?

Chapter 2. Patient Assessment

The purpose of obtaining a health history is to gather subjective data from the patient and/or the patient’s family so that the health care team and the patient can collaboratively create a plan that will promote health, address acute health problems, and minimize chronic health conditions. The health history is typically done on admission to hospital, but a health history may be taken whenever additional subjective information from the patient may be helpful to inform care (Wilson & Giddens, 2013).

Data gathered may be subjective or objective in nature. Subjective data is information reported by the patient and may include signs and symptoms described by the patient but not noticeable to others. Subjective data also includes demographic information, patient and family information about past and current medical conditions, and patient information about surgical procedures and social history. Objective data is information that the health care professional gathers during a physical examination and consists of information that can be seen, felt, smelled, or heard by the health care professional. Taken together, the data collected provides a health history that gives the health care professional an opportunity to assess health promotion practices and offer patient education (Stephen et al., 2012).

The hospital will have a form with assessment questions similar to the ones listed in Checklist 16.

Checklist 16: Health History Checklist
Disclaimer: Always review and follow your hospital policy regarding this specific skill.

Steps

Additional Information

Determine the following:

1. Biographical data

  • Source of history
  • Name
  • Age
  • Occupation (past or present)
  • Marital status/living arrangement
2. Reason for seeking care and history of present health concern
  • Chief complaint
  • Onset of present health concern
  • Duration
  • Course of the health concern
  • Signs, symptoms, and related problems
  • Medications or treatments used (ask how effective they were)
  • What aggravates this health concern
  • What alleviates the symptoms
  • What caused the health concern to occur
  • Related health concerns
  • How the concern has affected life and daily activities
  • Previous history and episodes of this condition
3. Past health history
  • Allergies (reaction)
  • Serious or chronic illness
  • Recent hospitalizations
  • Recent surgical procedures
  • Emotional or psychiatric problems (if pertinent)
  • Current medications: prescriptions, over-the-counter, herbal remedies
  • Drug/alcohol consumption
4. Family history
  • Pertinent health status of family members
  • Pertinent family history of heart disease, lung disease, cancer, hypertension, diabetes, tuberculosis, arthritis, neurological disease, obesity, mental illness, genetic disorders
5. Functional assessment (including activities of daily living)
  • Activity/exercise, leisure and recreational activities (assess for falls risk)
  • Sleep/rest
  • Nutrition/elimination
  • Interpersonal relationships/resources
  • Coping and stress management
  • Occupational/environmental hazards
6. Developmental tasks
  • Current significant physical and psychosocial changes/issues
7. Cultural assessment
  • Cultural/health-related beliefs and practices
  • Nutritional considerations related to culture
  • Social and community considerations
  • Religious affiliation/spiritual beliefs and/or practices
  • Language/communication
Data source: Assessment Skill Checklists, 2014

  1. You are taking a health history. Why is it important for you to obtain a complete description of the patient’s present illness?
  2. You are taking a health history. What is one reason it is important for you to obtain a complete description of the patient’s lifestyle and exercise habits?

A blockchain solution for the privacy of patients’ medical data

Riya Sapra, Parneeta Dhaliwal, in Machine Learning, Big Data, and IoT for Medical Informatics, 2021

2.3 Healthcare providers (doctors, nurses, hospitals, nursing homes, clinics, etc.)

Healthcare providers include hospitals, doctors, nursing staff, clinics, nursing homes, medical practitioners, nutritionists and dieticians, and many more. Hospitals, clinics, and nursing homes are the places where patients come to get a diagnosis for any injury or disease. Doctors and other medical staff ensure that patients are given proper care and the right diagnosis. Hospitals need to keep track of the patients, their records, diagnosis provided, medical expenses, and other details. E-platforms help manage all the details of patients and their records. These records need to be shared with insurance companies for the payments via insurance claims. Blockchain-based platforms ease the task of sharing the records and reports with the insurance companies and maintain the security of the data as well.

Many times these records need to be shared with other health agencies or doctors to consult about a particular scenario or disease, and blockchain applications can ensure prevention of any misuse of data. The access controls for sharing data rest with patients, so patients can control the use and spread of data at any time. Also, with the use of applications, doctors and nurses can track the progress of diagnosis and check summarized reports. This helps them understand the situation better in less time.


URL: https://www.sciencedirect.com/science/article/pii/B9780128217771000252

Risk Analysis

Paul Cerrato, in Protecting Patient Information, 2016

The ONC approach to risk analysis and security management

ONC suggests healthcare providers consider these 7 steps—but does not mandate this approach:

1. Lead your culture, select your team, and learn
2. Document your process, findings, and actions
3. Review existing security of ePHI (perform security risk analysis)
4. Develop an action plan
5. Manage and mitigate risks
6. Attest for meaningful use security-related objective
7. Monitor, audit, and update security on an ongoing basis

Step 1

For many practices and hospitals, the first step is usually the hardest because reshaping the workplace culture is challenging, especially in medicine, which is conservative and often resistant to change. Promoting a culture that truly sees the value of protecting patient privacy and security can also prove difficult for another reason: Making PHI more secure often means making it harder not just for unauthorized persons to get to the information but harder for clinicians as well. Tightening up policies on passwords, for instance, or locking authorized users out of an electronic health record 5 minutes after they walk away from the workstation can be inconvenient, especially in an ER, where the nature of the work requires clinicians to move around a lot. We will go into a more detailed discussion about creating a security-conscious culture in chapter 8: Educating Medical and Administrative Staff.

Step 1 also involves the establishment of a team that has oversight of the risk analysis, as well as other aspects of your security initiative. ONC also recommends choosing a security officer, discussing your security needs with the EHR vendor, reading up on the HIPAA rules, and perhaps bringing in a qualified professional to help conduct the risk analysis—if there is no one on your team capable of handling the responsibility. If you decide to bring in a third party, be certain that consultant has the right credentials. Both the Healthcare Information and Management Systems Society (HIMSS) and the American Health Information Management Association (AHIMA) have certification systems in place to help you determine who is and is not right for the job.

AHIMA bestows a stamp of approval referred to as CHPS, indicating that the person is Certified in Healthcare Privacy and Security. In addition to passing an exam, it also requires IT professionals to have a college degree and several years’ experience working in the specialty. HIMSS offers the CPHIMS credentials, which means the person is a Certified Professional in Healthcare Information and Management Systems. HIMSS requires CPHIMS specialists to either have a bachelor’s degree and at least 3 years of experience in healthcare IT or a graduate degree and two years in healthcare IT.

Step 2

Ask any healthcare attorney about documentation, and they will agree that it is essential in almost every aspect of patient care. No less so in managing security risks. In step 2, ONC suggests setting up a master folder in your computer system that contains all your security findings, decisions, and actions, along with a copy of the risk analysis itself.

Step 3

This step in the ONC approach is the risk analysis itself. ONC suggests the use of the SRA tool, which will help small to middle-size practices and which is discussed in more detail below. As you prepare this analysis, keep in mind that the risks of exposing PHI will differ in an office-based EHR versus an internet-hosted EHR. Fig. 4.1 illustrates some of the differences in security risks between the two types of EHRs.


Figure 4.1. Examples of potential information security risks with different types of EHR hosts.

http://www.healthit.gov/sites/default/files/privacy-and-security-guide.pdf.

Also keep in mind that government auditors will expect you to protect PHI not only in an EHR but in every other component of your record keeping systems. That means the practice management program and revenue cycle management system, as well as any data in motion, for example, any emails, text messages, and files sent to Dropbox or another file sharing application. It also means protecting paper files, including their disposal. More than one healthcare organization has been fined for not following common sense precautions when discarding paper patient records.

Step 4

In this step, the action plan should be designed to mitigate the problems identified in the risk analysis, says ONC. Chapter 5: Reducing the Risk of a Data Breach will go into more depth on preventive strategies to mitigate the risk of a HIPAA violation or data breach, but ONC offers a helpful list of low-cost, highly effective measures that will get the action plan off the ground:

  • Say “no” to staff requests to take home laptops containing unencrypted ePHI. (Some security specialists believe, however, that it is best to never say “no” but to say “Let’s find a secure way to do what you want to do.”)
  • Remove hard drives from old computers before you get rid of them.
  • Do not email ePHI unless you know the data is encrypted.
  • Make sure your server is in a room accessible only to authorized staff, and keep the door locked.
  • Make sure the entire office understands that passwords should not be shared or easy to guess.
  • Notify your office staff that you are required to monitor their access randomly.
  • Maintain a working fire extinguisher in case of fire.
  • Check your EHR server often for viruses and malware.

As you put together your action plan, also consider some basic questions such as:

  • Who has the keys to your practice? It may be necessary to change the physical locks and computer passwords when employees or contractors leave your practice if they still have access to patient information.
  • Where, when, and how often do you back up? Do you have at least one backup kept offsite? Can your data be recovered from the backups? Remember, losing patient records will not only cripple your day-to-day functioning, it will also deprive patients of their information, which they are entitled to by law.
  • What is your contingency/disaster plan when/if your server crashes and you cannot directly recover data?

The last item on the ONC list is especially important, namely: monitoring, auditing, and updating security on an ongoing basis. Some healthcare organizations have made the mistake of doing a detailed security risk analysis, tucking it away in their computer system and never giving it another thought for years. The HIPAA rule is very specific, however, in insisting that risk analysis must be an ongoing process. As new technology is incorporated into a practice or hospital, the potential for PHI to be compromised increases, requiring more advanced safeguards in some cases.

The Office of the National Coordinator for Health Information Technology is not the only group encouraging healthcare decision makers to replace their compliance mentality with a risk management approach. Gartner, one of the world’s largest IT research and advisory companies, has been urging C-suite executives to make the switch as well. In its view, compliance is part of a much larger risk management program that balances the need to adhere to security regulations with the needs of the business as a whole. Two of Gartner’s key recommendations are the following:

“Create a formal and defensible program of controls based on the specific situation and risks unique to each organization.

Build a formal program that can adapt to the changing landscape of regulatory requirements that also protects you from reasonably anticipated risks” [7].

Gartner points out that the HIPAA regulations themselves encourage this shift from a compliance point of view to a broader risk management approach by instructing healthcare organizations to do a risk analysis and to put reasonable controls in place that take into account reasonably anticipated risks. A simple security checklist is not enough to make that paradigm shift. The IT research firm goes on to outline a detailed roadmap to help businesses move from reactive old school thinking about security through a 5-phase evolution that eventually arrives at a more sophisticated “adaptive” model. Said roadmap is illustrated on their web site [7].


URL: https://www.sciencedirect.com/science/article/pii/B9780128043929000046

Disease Modelling and Public Health, Part B

Natasha K. Martin, Lara K. Marquez, in Handbook of Statistics, 2017

7.3.2 Perspective

This analysis takes a healthcare provider perspective, in that only costs to the healthcare provider are considered (such as hospitalization and treatment costs). Any additional societal costs, such as the cost associated with an individual's transport to treatment, or economic benefits due to increased work productivity as a result of HCV cure are not included. Costs are valued in 2010 UK pounds and health outcomes are expressed in quality-adjusted life years (QALYs). Costs and health benefits are discounted at 3.5% per year in the base case according to UK guidelines (National Institute for Health and Care Excellence, 2013).


URL: https://www.sciencedirect.com/science/article/pii/S0169716117300214

Healthcare Industry

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

1. A healthcare provider is:
  a. A provider of medical or health services in the normal course of business
  b. Synonymous with a covered entity under HIPAA
  c. Any organization or corporation that directly handles PHI
  d. None of the above

2. A covered entity is:
  a. A provider of medical or health services in the normal course of business
  b. Synonymous with a healthcare provider under HIPAA
  c. Any organization or corporation that directly handles PHI
  d. None of the above

3. EDI is:
  a. Electric data interchange
  b. Electronic dental interchange
  c. Electronic data interchange
  d. Electronic data import

4. Business associates:
  a. Provide medical services
  b. Provide support services to medical providers
  c. Are not required to comply with HIPAA
  d. Both b and c

5. HIT is an acronym for:
  a. Healthcare information technician
  b. Health information technology
  c. Healthcare information technology
  d. Health information technician

6. Medical devices are classified into:
  a. Three regulatory categories
  b. Six regulatory categories
  c. One regulatory category
  d. None of the above

7. An EHR is:
  a. An electronic health record
  b. Different from a personal health record
  c. Synonymous with a personal health record
  d. Both a and b

8. Meaningful use is:
  a. A major driver of health information technology
  b. Optional for smaller organizations
  c. Only beneficial for healthcare organizations
  d. None of the above

9. The two basic types of health insurance are:
  a. PPO and POS
  b. Medicare and Medicaid
  c. Public and private
  d. HMO and PPO

10. Healthcare coding is:
  a. Essential to the transactional aspect of healthcare delivery
  b. Required under HIPAA
  c. Only important to large healthcare organizations who use third-party billing services
  d. Both a and b

11. HCPCS is an acronym for:
  a. Healthcare Communication Procedure Coding System
  b. Healthcare Common Procedure Communication System
  c. Healthcare Common Procedure Coding System
  d. None of the above

12. SNOMED CT is an acronym for:
  a. Systematized Nomenclature of Medicine Clinical Terms
  b. Systematized Nomenclature of Medicine Clerical Terms
  c. Systematized Naming of Medical Clinical Terms
  d. None of the above

13. TCS is an acronym for:
  a. Transactions and Code Sets
  b. Technology and Code Sets
  c. Transfer and Code Sets
  d. None of the above

14. SNOMED CT often includes:
  a. Diagnosis-Related Groups (DRGs)
  b. Ambulatory Patient Groups (APGs)
  c. Resource Utilization Groups (RUGs)
  d. All of the above

15. The National Uniform Billing Committee:
  a. Is a voluntary committee
  b. Is coordinated through the American Hospital Association
  c. Manages standards for uniform billing
  d. All of the above

16. A healthcare clearinghouse:
  a. Provides patient care
  b. Only processes Medicare and Medicaid claims
  c. Only processes private insurance claims
  d. None of the above

17. Public Health Reporting Regulations:
  a. Are addressed under HIPAA
  b. Require patient authorization
  c. Only apply to public health insurance programs
  d. None of the above

18. Health records management:
  a. Is important from beginning to end of the health record
  b. Addresses data and quality management
  c. Addresses record destruction
  d. All of the above

19. Data characterization includes:
  a. Classification
  b. Taxonomy
  c. Analytics
  d. All of the above

20. DICOM is an acronym for:
  a. Digital Imaging and Compliance in Medicine
  b. Digital Integrity and Communications in Medicine
  c. Digital Imaging and Communications in Medicine
  d. Direct Imaging and Communications in Medicine


URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000021

Myths and misconceptions of PCI DSS

Branden R. Williams, ... Derek Milroy, in PCI Compliance (Fourth Edition), 2015

Myth #1 PCI doesn’t apply to me

Myth #1 is pretty simple, but, sadly, very common: “PCI DSS just doesn’t apply to us, because we are small, or we are a University, or we don’t do e-commerce, or we outsource ‘everything,’ or we don’t store cards, or we are not a permanent entity, etc.” More recent versions include “we use tokenization,” “we use EMV” (yeah right! – most of our US-based readers would say – even if that may change after 2015) or “we encrypt end to end.” “We outsource everything and thus have no PCI responsibilities” may in fact occasionally be true, but in most cases that is just that – a myth.

This myth takes over an organization and makes it oblivious to PCI DSS requirements and, almost always, to information risks and security requirements in general.

Another example is more blatant: health care providers have been so busy with Healthcare Information Portability and Accountability Act (HIPAA) that many became oblivious of PCI DSS arrival. A paper in “SC Magazine” called “PCI-DSS: Not on health care provider’s radar” [1] (notice the incorrectly hyphened “PCI–DSS” in the title…) reports:

However, since Medicare reimbursement is not at risk with PCI-DSS compliancy, it has been virtually ignored. It doesn’t help that major health care publications are openly misinterpreting the PCI-DSS standards for health care providers, with statements such as: “[Providers] do not have to worry about compliance with PCI standards… they aren’t storing any card numbers” [1].

A Perfect Example of Myth #1 at Work!

PCI DSS is not about storing cardholder data; it is about those who accept payment cards or capture, store, transmit, or process such card data. Want to guess whether most health care providers accept cards? Didn’t think so – the number is probably close to 100.00%, as most US readers can attest from their experiences. Indeed, the paper mentioned earlier [1] confirms: “In 2009, virtually all health care providers take credit cards—and virtually none of them are PCI compliant.” Now in 2014, the situation has barely changed. While HIPAA enforcement seems to have increased across health care providers, PCI DSS still remains “a big black hole” for many of them. Additionally, most such health care providers do not run a compliance program that can accommodate the needs of multiple regulations. They deal solely with HIPAA and adjusting the controls and practices to another regulation becomes fairly hard for them.

Note

Question: If I only accept cards from June to August each year and I only use a dial-up terminal, I am “safe from PCI,” right?

Answer: Wrong. Even though your scope of PCI DSS validation is very, very small, you are definitely subject to its rules because you – surprise! – accept payment cards. PCI DSS applies to those who “accept, capture, store, transmit, or process credit and debit card data.” If you do, it applies to you – end of the story. No myths can change that.

Interestingly enough, one of the data elements required to be protected under HIPAA is customer payment information, which often means “credit card data.” This means that HIPAA technically preceded PCI DSS when it comes to cardholder data security! However, this doesn’t stop health care providers from ignoring both regulations in one fell swoop.

Note

Question: If I use external tokenization and cardholder information never enters my environment, am I “PCI OK?”

Answer: Possibly! If your merchant agreement does not mention PCI DSS, none of your employees can see the data, and it is not handled anywhere on your systems, your PCI responsibility might be nonexistent.

The reality, as we mentioned earlier is pretty simple: PCI DSS does apply to your organization if you accept payment cards or capture, store, process, or transmit any sensitive payment card data (such as Primary Account Number (PAN)) with no exceptions. If the data touches your systems, they are in scope for PCI DSS assessment and, obviously, your organization has PCI DSS responsibilities. Whether you cure, educate, rent, offer, sell, or provide services doesn’t matter – what matters is whether you charge! If you do, PCI DSS does apply. Hopefully, if you picked up this book while being unsure whether PCI DSS applies to your organization, reading this book convinced you that becoming compliant and secure is indeed in your future if you deal with payment cards.

Admittedly, different things need to happen at your organization if you have absolutely no electronic processing or storage of digital cardholder data compared to having an Internet-connected payment application system. The scope of compliance validation will be much more limited in the former case and so your PCI project will be much, much simpler. For example, if a small merchant “does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third-party service providers to handle these functions” he is only responsible for validating a small part of PCI DSS. Specifically, he would be responsible for the parts of “Requirement 9: Restrict physical access to cardholder data” as well as a small part of “Requirement 12: Maintain a policy that addresses information security for employees and contractors” via a small self-assessment questionnaire (SAQ) Type A.

Let’s explore this example in more detail. As we covered in Chapter 3 payment card brands such as Visa and MasterCard label merchants that process fewer than 20,000 e-commerce transactions a year or fewer than 1 million card present transactions as “Level 4.” As you now know, such merchants currently are recommended to validate their PCI compliance using an SAQ.

In addition, as described in PCI DSS standards, if a merchant matches the criteria below, he is considered to be “validation type 1” and needs to fill the SAQ Type A (the shortest). The criteria are as follows:

  • Merchant accepts ONLY card-not-present (i.e., eCommerce) transactions.
  • Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third-party service providers to handle these functions.
  • The third-party service providers handling storage, processing, or transmission of cardholder data is confirmed to be PCI DSS compliant.
  • Merchant retains only paper reports or receipts with cardholder data, and such documents are not received electronically.
  • Merchant does not store any cardholder data in electronic format.

Explained simply, the aforementioned criteria describe a situation where a merchant accepts credit cards as payment, but does not have any electronic storage, processing, or transmission of cardholder data. Think about it for a moment! PCI DSS doesn’t apply if you do not store, process, or transmit any card data on your premises (or your systems located off your premises such as outsourced, hosted or shared cloud systems) at all! This example highlights the fact that card acceptance is sufficient to make the merchant fall under PCI.

The exact scope of its validation is covered by SAQ Type A, which can be obtained from www.pcisecuritystandards.org.

The merchant needs to validate part of Requirement 9 and part of Requirement 12. Specifically, sections of Requirement 9 cover the storage of physical media (printouts, receipts, etc.) that has cardholder data. For example, quoting from PCI DSS SAQ Type A [2]:

9.5 Are all paper and electronic media that contain cardholder data physically secure?

9.6 Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data?

9.6.3 Are processes and procedures in place to ensure management approval is obtained prior to moving any and all media containing cardholder data from a secured area (especially when media is distributed to individuals)?

9.7 Is strict control maintained over the storage and accessibility of media that contains cardholder data?

9.8 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons?

All of the above deal with the physical media such as printouts that may contain card data. The merchant is also subject to one section of Requirement 12, which covers the merchant’s relationship with service providers that actually handle data (again, see PCI DSS SAQ Type A [2]):

12.8 If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, and do the policies and procedures include the following?

12.8.1 A list of service providers is maintained.

12.8.2 A written agreement is maintained that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess.

12.8.3 There is an established process for engaging service providers, including proper due diligence prior to engagement.

12.8.4 A program is maintained to monitor service providers’ PCI DSS compliance status [2].

12.8.5 Information maintained about which PCI DSS requirements are managed by each provider and which are managed by you.

All of the above deal with the responsibilities of the third party that handles processing, storage, and transmission of data.

Overall, the choice is pretty simple: either you comprehend PCI DSS now and start working on security and PCI requirements or your acquirer will make it clear to you at some point when you won’t have much room to maneuver.

A subtle point brought to life by an increasing use of EMV technologies needs to be clarified: payment card brands may relax some of the PCI DSS validation requirements if the merchant uses new (and presumably more secure) payment methods; however, merchants will still be required to maintain PCI compliance at all times. Now in 2014, many merchants dread the coming “liability shift” of 2015 (officially known as “Global Point of Sale Counterfeit Liability Shift”) when merchants not installing EMV systems may become liable for fake card transactions.


URL: https://www.sciencedirect.com/science/article/pii/B9780128015797000248

Augmented reality in health and medicine

Tony Liao, ... SongYi Lee, in Technology and Health, 2020

AR health at home

One of the key challenges for healthcare providers is providing outpatient care after patients leave a medical facility. AR offers one technology to remedy this problem, as the “landscape has been transformed recently by the introduction of mass-produced but highly capable devices designed principally for the home entertainment market” (Borghese et al., 2014, p. 290). AR has been utilized as a tool for occupational therapists to walk through a home and visualize modifications that may need to occur to facilitate mobility and prevent falls for stroke patients (Bianco, Pedell, & Renda, 2016). AR has also been considered as a mobile interface for controlling smart home functions and appliances, which may be particularly useful for older adults or individuals with physical disabilities (Tang, Yang, Bateman, Jorge, & Tang, 2015). Each of these applications considers ways that AR can facilitate changes in the home, whether it is by helping therapists improve the spaces where people live or improving a patient's ability to control the functions of their home.

Other applications have considered AR in the home more explicitly as an extension of hospital rehabilitation practices. For victims of stroke, one important element of recovery is exercises for improving range of motion. Researchers have looked into AR systems that can track hand movements and create a virtual interface for performing wrist, elbow, and shoulder exercises (Hondori, Khademi, Dodakian, Cramer, & Lopes, 2013) and help stroke patients to maintain balance and improve gait (Lee, Kim, & Lee, 2014). Other visual applications for AR and motor function include helping children with cerebral palsy perform home-based rehabilitation (Munroe, Meng, Yanco, & Begum, 2016). AR has also been utilized to train and give movement cues to recovering Parkinson's patients to help improve their gait (Espay et al., 2010). These AR systems in patients' homes help improve rehabilitation, allowing patients to engage in physiologically beneficial practices in their own home at times and locations convenient for patients.


URL: https://www.sciencedirect.com/science/article/pii/B978012816958200006X

Butterworth Health System

Jamshid Gharajedaghi, in Systems Thinking (Third Edition), 2012

11.7 Core knowledge

Core knowledge is one of the two components of the input dimension of the architecture. Core knowledge is responsible for ensuring the availability of the appropriate service scope and number of providers to meet the whole spectrum of health-related care in its regions.

Core knowledge will be the system's center of expertise. It hosts and develops the provider resource of the system and helps the care system disseminate the state-of-the-art knowledge throughout the system. It will represent Butterworth's core competencies in medical practice.

Core knowledge will consist of the following health-care providers:

  • Medical staff (primarily consisting of physicians as independent contractors)
  • Advanced practice providers
  • Nurses
  • Technical health workers and other professionals/clinicians
  • Other professionals/technicians

The core knowledge network will be designed to accommodate a broad range of relationships. It will define and develop the structure for various types and degrees of membership in the system and the necessary operating procedures for members to interact.

Without an infrastructure for collaborative effort, the scarce provider resource will tend to be diffused and wasted. The supportive organization should therefore be flexible enough to enhance maintenance and utilization of provider resources. This would ideally require each member of the provider system to be a high-level learner/educator, practitioner, and a leader of systems development. The absence of any one of these critical and interrelated aspects will undermine the others and eventually compromise the capacity of Butterworth to perform as a fully functioning system. Sustaining such a balanced state of readiness will ensure the comprehensiveness and the flexibility of the system's response to emerging problems and opportunities and at the same time encourage professional pursuits of purposeful networking and results-oriented collaborative initiatives.

To enjoy constant access to a rich resource of expertise representing state-of-the-art health care, the organizational context of core knowledge will constantly welcome maximum flexibility for innovative collaboration and will remain open to existing and emerging inputs of relevance both from within and outside the system.

Membership in the core knowledge system will therefore take a wide variety of forms functioning at multiple levels of involvement. The types of membership will be both full- and part-time and will include the following:

  • Independent practitioners (retainer-based)
  • Associates (referral-based)
  • Partners
  • Nonaffiliates

To assure openness to external inputs of needed competence, the core knowledge system will operate as a confederation. Members of the confederation can be individuals as well as groups of providers. The status of the members of the core knowledge confederation may take the following form:

  • Integrated: full-time members of Butterworth Health System
  • Part-time: individuals with limited and predefined contributions
  • Strategic alliance: organization-based partners operating within an agreed-upon framework

Core knowledge members may choose to assume or relinquish different degrees of autonomy in working with Butterworth Health System. The nature and terms of this voluntary association define the areas in which the parties will choose to compete, collaborate, or cooperate. Thus, core knowledge members and Butterworth are codependent parties; their commitment to, and freedom from, each other is mutually reciprocal.

Creation of mutual trust between the Butterworth Health System and the core knowledge dimension will be the keystone to the ultimate success of the system. They should represent a united front to competition. A prerequisite to this loyalty-based success will be an environment that minimizes and dissolves conflict, whether real or perceived. Such an environment will require the following:

  • All the members of core knowledge, regardless of their status, will have an equal voice within their panel, in the management of the group.
  • All the members of core knowledge, regardless of their status, will have equal access to the shared services, such as billing, which will be provided to them on a marginal cost basis.
  • An explicit internal system of conflict resolution will prevent, minimize, and dissolve potential conflicts before they are polarized.

The architecture of the core knowledge dimension will be a clone of the health system. It therefore has the same input, output, and market dimensions. The output dimension defines the types of contributions of the integrated, part-time, and strategic partners of core knowledge to the care system and health delivery modules. The market dimension defines the access mechanism by which core knowledge services are deployed. The input dimension represents those support services that are core-knowledge-specific and cannot, by definition, be provided by the system's shared services. The input dimension will provide its services on a marginal cost basis to its users.

To bring about a productive climate for continuous innovation and improvement of health-care delivery, the professional contributors will have to develop an additional vital dimension: the ability and desire for organization building. Traditionally, the complementary responsibility for designing and managing the contextual environment of HDS has been uncoupled and transferred to administrators who are removed from the actual provision of clinical services. Because of this separation, substantial amounts of energy have been wasted in settling the unnecessary incompatibilities in the structure, function, and process of health-care delivery.

The only way to dissolve the paralyzing effects of the structural conflict is to add the missing dimension of care management leadership to the health-related expertise of the clinical providers. Equipped with leadership and design capability, health-care professionals can properly influence and/or help design the necessary interface between the context and the mode of delivery. The dual capacity would not only remove bureaucratic compartmentalization, but would enhance the effectiveness of care services by tapping the potentials for experimenting with alternative ways of teaming and complementary relations.

Core knowledge will be responsible for the generation and distribution of the knowledge, deployment of expertise, and exercise of leadership. These three functions are described in the following list:

1. Generation and dissemination of knowledge (learner/educators). The provider system will be responsible for continuous learning and self-renewal of its members. The members will be expected to represent the health profession's state-of-the-art expertise. They will conduct most of this high-level self-education through teaching themselves as well as participating in applied research activities. They will be learning by teaching and learning while earning.

A portion of the provider resource may be engaged in ongoing academic pursuits that are either an integral part of medical schools or activities complementing such faculty engagements.

Members of the provider system may also engage in educating those who have a stake in health-related activities. Those who will be taught will include peers, students, interns, consumers, and the public at large.

The core knowledge dimension, however, will be responsible for creating interfaces and developing active associations with other sources of research and learning, such as universities, research institutions, medical and paramedical education centers, and technological development organizations.

2. Deployment (practice). As pointed out earlier, core knowledge is responsible for ensuring the adequate availability and the appropriate scope and level of providers required to meet the whole spectrum of health-related care in all its regions at all times.

Members of the provider system, operating within the framework and protocols set by the care system, will contribute their knowledge and expertise by participating in different long- or short-term projects/programs that are created and terminated within the care system or the health delivery modules. The practice will take place in inpatient care (hospitals), clinics, labs, local health centers, wellness centers, homes, and long-term-care institutions. Members of core knowledge can choose to function on a permanent or temporary basis on different programs and projects without losing their full-fledged membership, and the privileges that come with it, in the core knowledge group. Each member can work in multiple programs/projects at the same time.

The power of multidimensional architecture, as developed in this design, is that it intentionally avoids the danger of tying the fate of the providers and the programs inseparably together. Once created, there is a tendency for the programs and projects to become a permanent feature of the organizational landscape. Left to their own devices, they develop a life and a mind of their own. Their fate is sealed, however, when their personnel are permanently assigned to them. The seed of the problem is in identifying the product with the provider, as is done in a divisional structure commonly used in academic and industrial settings wherein a program or product, once initiated, can never be discontinued. As long as the termination of a program or project threatens one's job and all the hard-won advantages associated with it, it is only natural that the job holder, whether a manager or a simple worker, does his/her utmost to lengthen the life of the project at all costs. This explains the inner rationality of the seemingly irrational resistance and obsolete relics that somehow manage to survive in corporate life.

Dissolving the problem will require that the life of the programs and projects be uncoupled from the people who are assigned to them. One of the advantages of having a core knowledge dimension in the systems architecture is that it will serve as the permanent home base for the professional resources of Butterworth. Any other relationship and assignment will, by definition, be considered as contingent and temporary no matter how long it is expected to last. The permanence of the core knowledge home base, requiring continuous reassessment and renewal, and the impermanence of programs and projects, allowing continuous innovation and adaptation, remove the obstinate conditions that lead to inflated bureaucracies and entrenched resistance to change.

3. Leadership. Leadership in this context is defined as the ability to influence those over whom one has no authority. Competency in medical and health technologies, although a crucial necessity, does not by itself guarantee the success of a health-care system. To be sufficiently effective, every professional member of the system should be an influential leader as well. Thus every provider should have the desire and the ability to positively impact the context, structure, and process of Butterworth. To achieve this vital task requires knowledge workers who (1) internally, seek to participate in the design and management of care modules and procedures for doing more with less and (2) externally, proactively influence the contextual environment of Butterworth to remove the obstructions and expand its potentials for doing more and better. Butterworth simply cannot afford the conventional, and dysfunctional, division of labor between clinical and management-related functions.

In the final analysis, a good provider, therefore, is a good learner/educator, a good practitioner, and a good leader. The success of Butterworth and its providers, and by the same token any health-care system, will ultimately depend on whether the members of the provider community have achieved this multifunctionality in addition to being competent practitioners.

Building multifunctionality into the provider community will convert obstruction into opportunities and replace aggregates with systems. Thus individual providers will become purposeful members of a highly interdependent system that will make a difference. They will effectively use their multiple competencies in managing upward and influencing other parts of and stakeholders in the health-care system over whom they do not have direct control but on whom the success of their professional effort will depend.

The multifunctionality will also give providers the capability and the possibility of designing and managing their practice in terms of affordable and user-friendly packages and programs that are both accessible and relevant to the consumers. They will cooperate with the care system in the development and continuous improvement of generic models, protocols, and procedures needed to manage the different aspects of HDS.

While the core knowledge group is responsible for medical research and education, it will replicate the three-dimensional scheme to create its own special shared services. Shared services in this context will include physician's office management and provider recruiting and credentialing.

URL: https://www.sciencedirect.com/science/article/pii/B9780123859150000118

Software for Medical Systems

Jeff Geisler, in Mission-Critical and Safety-Critical Systems Handbook, 2010

6.2 Security and Privacy—HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is U.S. law primarily concerned with portability of health insurance coverage when people change jobs. It also establishes standards for healthcare transactions. From the point of view of software development, what is of interest is the intent of HIPAA to protect the privacy of patients and the integrity and privacy of their medical records.

6.2.1 Who Must Comply

Protection of privacy is mostly the responsibility of the healthcare provider [43]; unless you are in the business of providing software that directly handles patient records for reporting or billing, compliance with the provisions of the HIPAA is usually indirect. The healthcare provider will be doing the heavy lifting, but the security provisions may impose requirements on the software that you are creating for their use. (Or it may provide market opportunities for devices useful for protecting medical data or authenticating users.)

The security aspects of the HIPAA are known as the security rule. The Department of Health and Human Services (HHS) under the U.S. government has published a series of introductory papers discussing the security rule on the website, www.cms.hhs.gov/SecurityStandard/. Quoting from the web page, “[the] rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to ensure the confidentiality of electronic protected health information.”

The “covered entities” that the rule applies to are “any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard” [44]. The “transactions for which HHS has adopted a standard” is a reference to the Electronic Data Interchange (EDI) definitions having to do with health care that HHS has enumerated.

In fact, there is some ambiguity about to whom the security rule applies. There is an exemption for researchers, for example, provided they are not actually part of the covered entity's workforce. Insofar as a researcher is a covered entity and deals with Electronic Protected Health Information (EPHI), they would have to comply. Hence, companies researching whether their products are safe and effective in clinical trials would also have to comply if they access EPHI.

This also applies to vendors who have access to EPHI during “testing, development, and repair” [45]. In this circumstance, the vendor is operating as “business associate,” and must implement appropriate security protections. The methods for doing so are flexible, however, so it ought to be possible for the covered entity and the business associate to come up with reasonable methods.

One simple method to achieve compliance with the security rule for vendors or researchers is to “de-identify” the data. “If electronic protected health information [EPHI] is de-identified (as truly anonymous information would be), it is not covered by this rule because it is no longer electronic protected health information” [45]. By making the data anonymous, it is no longer technically electronic protected health information, and thus not subject to the regulations.

Not everything is EPHI anyway. If the data are not in electronic form, they are not covered by the security rule, which does, after all, only apply to electronic protected health information. “Electronic” in this sense refers to data stored in a computer that can itself be programmed. The issue is the accessibility of the computer, not so much the physical format of the data. Therefore, personal phone calls or faxes are exempt, whereas a system that returned a fax in response to a phone menu system would be handling EPHI and subject to the rule [45].

Patients themselves are not covered entities and thus are not subject to the rule [45]. It is nice to know that you are allowed to see your own health data, and discuss it with your doctor.

So even though your data may not be subject to the security rule, you would nevertheless want to make reasonable efforts to protect the data against loss, damage, or unauthorized access, if only to prevent competitors from seeing it. But you would not be required to maintain a complete security process including security risk assessment and a security management plan.

The provisions of the security rule may not be directly applicable to a medical device manufacturer. Nevertheless, they will be important to your customers. It may be necessary to provide the technical security solutions so that your customer can implement the required administrative policies. On the other hand, if the purpose of your software is to provide EPHI data handling, you will find that your customer is required to obtain satisfactory written assurances from your business that you will safeguard EPHI. You will need to follow the full set of regulations in the security rule including security risk assessment and a security management plan. If your hardware or software has access to EPHI, the healthcare provider will have to assess whether you also need to comply [46].

6.2.2 Recommended Security Practices

We have established some guidelines for determining the extent to which the security rule may impact your business. We next turn to a discussion of the type of issues that might be important.

Malicious Software. One aspect that may affect anyone providing software into the medical environment is the requirement for the “covered entity [to] implement: ‘Procedures for guarding against, detecting, and reporting malicious software.’ Malicious software can be thought of as any program that harms information systems, such as viruses, Trojan horses or worms” [46]. The reasoning is that malicious software could damage, destroy, or reveal EPHI data. This means that your customers will require of you assurances that your software is not an open door to malicious code that could harm the provider computer network or other devices. You may be required by the customer to provide assurances that your installation software is protected from viruses.

If your device is connected to the Internet, it may be necessary to provide anti-virus software along with regular updates to prevent just such an occurrence. It is probably insufficient to trust the healthcare provider employees to always engage in appropriate safe computing—you might want to consider using an input device special to your device or somehow protected from general use lest it acquire a virus and infect your system. For example, rather than using a standard USB thumb drive, you could use a device that does the same thing but with a custom connector, so that it could not be plugged into an unknown computer that may be infected with a virus.

Malicious software is a more significant issue for software written to run on general-purpose computers. It is less an issue for many embedded systems whose programs execute from read-only memory and hence are difficult or impossible to infect.

Administrative Support. While monitoring log-ins and managing passwords is generally the responsibility of the healthcare provider, device makers sometimes want to limit the access to functionality in the device (i.e., information relevant to engineering or system diagnostics). If the engineering mode provided access to EPHI, a single password to your device that could not be changed would not be an adequate security safeguard.

The administrative policies of covered entities may also require regular reviews of information system activities for internal audits. To do this, they may need your device or software to provide records of log-ins, file accesses, and security accesses [45].
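One way a device maker could meet the two needs described above, shown as an added example that is not from the chapter or any vendor's code: per-user engineering credentials that must be changed from their initial value, plus the log-in, file-access, and security records a covered entity may ask for. The class, role names, record kinds, and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000  # assumption: tune to the device's CPU budget

# Constructed sample policy: which roles may read which kind of record.
READ_RULES = {"diagnostics": {"engineer", "clinician"}, "ephi": {"clinician"}}


def _derive(password, salt):
    """Slow salted hash so a copied credential store resists guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAccess:
    """Hypothetical access layer for a device with an engineering mode."""

    def __init__(self, clock=time.time):
        self._users = {}     # user -> salt, hash, role, must_change
        self._sessions = {}  # token -> user
        self._clock = clock
        self.audit = []      # append-only records the provider can export

    def _log(self, user, event, outcome, detail=""):
        self.audit.append({"ts": self._clock(), "user": user, "event": event,
                           "outcome": outcome, "detail": detail})

    def _check(self, user, password):
        rec = self._users.get(user)
        # Hash even for unknown users so timing does not reveal valid names.
        salt = rec["salt"] if rec else b"\x00" * 16
        candidate = _derive(password, salt)
        return rec is not None and hmac.compare_digest(candidate, rec["hash"])

    def provision(self, user, role, initial_password):
        """Per-user account; the initial password must be replaced before use."""
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": _derive(initial_password, salt),
                             "role": role, "must_change": True}
        self._log(user, "SECURITY", "ok", "account provisioned")

    def change_password(self, user, old, new):
        if not self._check(user, old) or new == old or len(new) < 12:
            self._log(user, "SECURITY", "denied", "password change")
            return False
        salt = os.urandom(16)
        self._users[user].update(salt=salt, hash=_derive(new, salt),
                                 must_change=False)
        self._log(user, "SECURITY", "ok", "password change")
        return True

    def login(self, user, password):
        """Return a session token, or None; every attempt is recorded."""
        if not self._check(user, password):
            self._log(user, "LOGIN", "denied", "bad credentials")
            return None
        if self._users[user]["must_change"]:
            self._log(user, "LOGIN", "denied", "initial password not changed")
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        self._log(user, "LOGIN", "ok")
        return token

    def read_record(self, token, kind, record_id):
        """Role check plus a FILE_ACCESS record for allowed and refused reads."""
        user = self._sessions.get(token)
        role = self._users[user]["role"] if user else None
        allowed = role in READ_RULES.get(kind, set())
        self._log(user or "unknown", "FILE_ACCESS",
                  "ok" if allowed else "denied", f"{kind}/{record_id}")
        return allowed


def demo():
    """Constructed walk-through; returns (results, audit event/outcome pairs)."""
    dev = DeviceAccess()
    dev.provision("fe-017", "engineer", "factory-initial-pw")
    results = {"login_with_initial": dev.login("fe-017", "factory-initial-pw")}
    results["changed"] = dev.change_password("fe-017", "factory-initial-pw",
                                             "correct horse battery")
    token = dev.login("fe-017", "correct horse battery")
    results["diag"] = dev.read_record(token, "diagnostics", "self-test-01")
    results["ephi"] = dev.read_record(token, "ephi", "patient-0001")
    return results, [(a["event"], a["outcome"]) for a in dev.audit]
```

Refused attempts are logged as well as successful ones, since an internal audit review needs both.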

Physical Security. You must have the ability to back up the data or restore it in the event of a disaster, that is, somehow get the data out of the device and into a secure facility if the data are part of health information. For example, if your device contains “electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, [or] electronic test results,” [46] the healthcare provider would need to be able to archive this information. It is also important to provide for obliterating EPHI data from your device at end of use or disposal.

As for physical safeguards, you would want to avoid doing anything that would make it impossible for an organization to impose some standards. For example, you wouldn't want to broadcast EPHI or make it available on a web page or some other method such that restricting it to only the people who need to know it becomes impossible.

This extends to physical media that might be used to store EPHI. The provider has to establish rules about how the media goes into or out of the facility, how it is re-used, and how it is disposed of so that protected data are not revealed to unauthorized personnel. In the case of re-use, “it is important to remove all EPHI previously stored on the media to prevent unauthorized access to the information” [47]. If you are making a storage device, the provider may want to be able to identify each device individually so that they can track them.

Risk Analysis. As is the case with risk analysis for the safety of the software or the device, depending on how close you are to the EPHI data, you may need to carry out a formal risk assessment, wherein you evaluate the potential threats and vulnerabilities to those threats and develop a risk management plan in response [48].

Threat is twofold: unauthorized access or loss of data. Both must be guarded against. CMS has a good discussion and example of risk analysis as applied to security concerns. Interestingly enough, many of the same issues and analytical practices are relevant to device risk analysis. The example has good hints for both. The document HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information, available at www.cms.hhs.gov/SecurityStandard/, is a useful specific discussion of remote vulnerabilities and possible risk management strategies.

The security rule is enforced by the Office for Civil Rights; violation may bring down civil monetary penalties, not to mention possible tort awards. Moreover, there is something of an ethical obligation for healthcare providers and others in the medical industry to exercise due care with private information.

While security is often not a direct concern to the manufacturers of medical devices, as information technology evolves and the desire to share information from individual diagnostic devices increases, it will become increasingly important. In addition, there are best practices for protecting data—such as guarding against viruses, unauthorized access, or data corruption—that are the sorts of things we should be doing anyway. We want our medical devices to be of the highest quality and serve customer needs; some measure of data integrity ought to be a given.

URL: https://www.sciencedirect.com/science/article/pii/B9780750685672000044

Computational intelligence in Internet of things for future healthcare applications

Vandana Bharti, ... Kaushal Kumar Shukla, in IoT-Based Data Analytics for the Healthcare Industry, 2021

2.1 IoT for human healthcare

Healthcare services are often challenging because many diseases can arise unexpectedly. IoT has been widely used to interconnect available medical resources and provide reliable, effective, and smart healthcare services to chronic disease patients. Today's internet-connected apps are designed to improve efficiencies, reduce the cost of treatment, and achieve improved healthcare outcomes. As computing capacity and wireless capabilities increase, companies are capitalizing on the potential of Internet of Medical Things technologies (IMoT). These applications play a central role in tracking and preventing diseases such as COVID-19 for government agencies, patients, and clinicians, and they are poised to evolve the future of care. The IoT has provided a variety of medical possibilities: ordinary medical tools, once linked to the Internet, can gather useful additional data, provide unique insight into symptoms and trends, enable remote care, and provide patients with better preventive treatment and more control over their lives. Fig. 3 demonstrates the key aspects of the emerging preventive healthcare framework. Several IoT instances of healthcare, showing the monitoring of various diseases, are proposed. Some of these are described in the following sections.

2.1.1 COVID-19 monitoring

The ongoing COVID-19 outbreak has prompted IoT healthcare providers to rapidly find solutions to meet the rising demand for high-quality virus protection devices. The rapid spread of COVID-19 has taken over the entire health ecosystem including pharmaceutical companies, drug makers, COVID-19 vaccine developers, health insurers, and hospitals. Telemedicine applications, including remote patient monitoring and interactive medicine, are expected to gain traction during this time, along with inpatient monitoring. Further, digital contact tracing came to public attention during the COVID-19 pandemic. It is a form of contact tracing that depends on tracking systems, most often based on mobile devices, to establish the connection between the infected patient and the user. Such accomplishments have demonstrated the efficacy and exciting future of IoT in healthcare systems. Despite the obvious successes, there is also ambiguity, and there is still a technical challenge in the question of how to set up smart IoT-based healthcare systems quickly and systematically.

Artificial intelligence (AI) along with the IoT has successfully contributed to the battle against COVID-19. Since there is no specific treatment for coronaviruses, global monitoring of COVID-19-infected humans is desperately required. The IoT serves as a platform for public-health organizations to access data for the monitoring of the COVID-19 pandemic, such as the “Worldometer.” It gives a real-time report on the total number of people reported to have COVID-19 across the world. These smart disease monitoring systems may provide for continuous reporting and surveillance, end-to-end communication, tracking, and alerts. IoT and telemedicine will not only help provide affordable healthcare but also help in collecting data on the monitoring of drugs and vaccines that are currently being tested worldwide.

A lot of work has recently been published on COVID-19. Recently, the deep convolutional neural network-based COVID-Net was proposed for the detection of COVID-19 cases from chest X-ray (CXR) images [11]. The authors explored how COVID-Net makes predictions in an effort to gain a deeper insight into the crucial factors associated with COVID cases, which can help clinicians improve screening, as well as enhance confidence and consistency while using COVID-Net for rapid computer-aided screening. Ghoshal et al. [12] introduced a Bayesian Convolutional Neural Network for estimating the uncertainty of diagnosis in COVID-19 prediction, using patient X-ray images with COVID-19, acquired from an online COVID-19 dataset [13], and non-COVID-19 images, acquired from Kaggle's Chest X-Ray Images (Pneumonia). The experiment revealed that Bayesian inference enhanced the detection accuracy of the standard VGG16 model from 85.7% to 92.9%. The authors also generated saliency maps to demonstrate the locations of the deep network, improve the understanding of deep learning outcomes, and facilitate a more informed decision-making process. Recently, the authors in [14] introduced a schematic of an app for COVID-19 contact tracing, as shown in Fig. 4. In this app, contacts between Person A and other people using the application are traced through Bluetooth low-energy connections with other app users. Person A requests a SARS-CoV-2 test through the application, and a positive test result triggers immediate notification of the people who have been in close contact with Person A. The application recommends isolation for Person A and quarantine of the individual's contacts.

Fig. 4. A schematic of app-based COVID-19 contact tracing [14].

2.1.2 Cancer monitoring

As computers and tools become smarter when interacting with each other, AI systems, such as IBM's Watson, as well as robotic surgeons, can support doctors from diagnosis to treatment for cancer. In general, the earlier a doctor can recognize symptoms, the faster they can reach a diagnosis and start treatment. A number of early cancer signs are unclear and unrecognizable, so it is understandable that cancers can go undiagnosed in the first instance. The argument lies therein: AI and IoT will boost care for cancer, but they will function together. A patient monitoring system workflow based on IoT is shown in Fig. 5.

Fig. 5. Patient monitoring system based on IoT [18].

Recently, researchers have also been investigating the integrated framework of IoT, fog computing, CI, and cancer diagnosis. An IoT-based fog computing model for cancer detection and monitoring is proposed in [15], in which the authors used a mobile application interface to capture the symptoms of the patient and then applied a neutrosophic multicriteria decision-making approach for examining and forecasting disease based on the reported symptoms. Similarly, in another work, the author proposed an IoT-based healthcare framework for cancer care services along with the treatment options [16]. Further, a multisensory IoT framework was proposed for monitoring cancer patients in a secure home environment. Using an intelligent IoT sensor, the patient's physiological as well as mental status data were collected and shared with physicians for visualization and better understanding of current patient status for real-time decision-making. To ensure the secure transmission of private data, a blockchain and off-chain-based framework was adopted [17].

2.1.3 Depression monitoring

Depression and anxiety are two common psychological conditions that arise as a consequence of excessive tension and distress experienced every day by individuals. It is difficult to avoid the down periods of life and their consequences, but people respond to them in many different ways. The potential source of depression and anxiety may be a variation of psychological, biological, and social causes. Depression is one of the prevalent causes of major depressive disorder (MDD), which can lead to thoughts of death or suicide if not treated in a timely manner. Many studies have come up with a number of speculations linked to the occurrence, treatment, and control of depression and anxiety in individuals.

Recent research suggests that MDD can be monitored by a smartwatch device that patients use every day to monitor their moods and emotions. Wearable technology has a significant capacity for doing more than tracking steps; in this scenario, it may be used to measure the symptoms of depression in real time. Like other IoT wellness devices, a depression app might provide more insight into the condition for patients and healthcare providers. In [19], a 20 s fear induction task was demonstrated with a wearable sensor on young children and analyzed using machine learning; the high accuracy obtained points to this approach for diagnosing children with internalizing disorders. In [20], the authors attempted to design a prototype of a wearable device to assist individuals with MDD by using speech recognition to determine their positive and negative phases by an emotional user interface. Further, a deep regression network known as DepressNet was presented in [21] to assimilate depression representation with a visual explanation, which provides a clinical prediction of the depression severity from facial images.


URL: https://www.sciencedirect.com/science/article/pii/B9780128214725000181

IoT data streams: concepts and models

Patrick Schneider, Fatos Xhafa, in Anomaly Detection and Complex Event Processing over IoT Data Streams, 2022

Data integrity, security and blockchain

A critical problem that holds back connected healthcare systems spanning different healthcare providers is data fragmentation. Stringent security requirements and trust must be addressed to realize the full potential of healthcare components. A radical breakthrough in solving data fragmentation has been achieved with blockchain technology [35]. A key benefit of blockchain technology is that it helps healthcare organizations bridge traditional data repositories and facilitate the secure exchange of sensitive medical data. Blockchain technology increases transparency between patients and physicians and ensures efficient collaboration between healthcare providers and research institutions. Blockchain has an immutable “ledger” [66] that any involved actor of the system can view, verify, and control. It is guaranteed that once a record is entered into the ledger, it cannot be changed. Moreover, blockchain is built as a distributed technology operated by multiple units simultaneously, which means there is no single point of failure where digital assets or records could be compromised or hacked. Lastly, blockchain technology supports data exchange logic and contract rules through a flexible mechanism of smart contracts.

For example, a smart contract can manage identity and set different permissions for different EMRs stored on the blockchain. As another example, physicians are only allowed to access their assigned EMR profile. Many promising blockchain projects in healthcare use blockchain to manage EMRs, the pharmaceutical supply chain, drug prescriptions, payment distribution, and clinical pathways. Yet another example is a system that triggered a smart contract when a handshake occurred between sensors and smart devices [26]. After that, all transactions were recorded in the blockchain. The proposed system supported real-time medical interventions and patient monitoring by automatically notifying the responsible healthcare worker when urgent emergency services were needed. All events were recorded in the blockchain, which addresses several security vulnerabilities associated with notification delivery in remote patient monitoring for all stakeholders. Another three-tiered architecture for storing health data on a blockchain included medical professionals, healthcare facilities, and inpatients [9]. Data retrieval was strictly based on each individual's role on the blockchain, which ensured privacy and security and provided a promising way to avoid issues that prevented providers, researchers, and patients from taking full advantage of connected healthcare.
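The two ideas in this section, a ledger whose entries cannot be silently changed and a contract rule that limits physicians to their assigned EMR, sketched as an added example (not code from the chapter or any system it cites). It is a single-process toy: the class name, actor ids and EMR ids are constructed, and there is no consensus protocol or cryptographic identity.

```python
import hashlib
import json

GENESIS = "0" * 64

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EmrLedger:
    """Hash-chained log of EMR access decisions (hypothetical, one node)."""
    def __init__(self, assignments):
        self.assignments = assignments  # emr_id -> set of assigned physician ids
        self.blocks = []

    def append(self, event):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"index": len(self.blocks), "prev": prev, "event": event}
        self.blocks.append({**body, "hash": digest(body)})

    def request_access(self, actor, role, emr_id):
        # Contract rule from the text: physicians see only their assigned EMR.
        allowed = role == "physician" and actor in self.assignments.get(emr_id, set())
        # Denied requests are recorded too, so refused attempts stay auditable.
        self.append({"actor": actor, "role": role, "emr": emr_id, "allowed": allowed})
        return allowed

    def verify(self):
        """Index of the first block that fails verification, or -1 if intact."""
        prev = GENESIS
        for i, blk in enumerate(self.blocks):
            body = {"index": blk["index"], "prev": blk["prev"], "event": blk["event"]}
            if blk["index"] != i or blk["prev"] != prev or blk["hash"] != digest(body):
                return i
            prev = blk["hash"]
        return -1

def demo():
    ledger = EmrLedger({"emr-001": {"dr_a"}, "emr-002": {"dr_b"}})  # constructed
    decisions = [ledger.request_access("dr_a", "physician", "emr-001"),
                 ledger.request_access("dr_a", "physician", "emr-002"),
                 ledger.request_access("clerk_c", "billing", "emr-001")]
    replica_head = ledger.blocks[-1]["hash"]     # head hash held by another node
    intact = ledger.verify()
    ledger.blocks[1]["event"]["allowed"] = True  # stored record edited in place
    edited = ledger.verify()
    events = [b["event"] for b in ledger.blocks]
    ledger.blocks = []                           # holder rebuilds every hash
    for e in events: ledger.append(e)
    return decisions, intact, edited, ledger.verify(), ledger.blocks[-1]["hash"] != replica_head
```

The in-place edit is caught at block 1, but a holder who rebuilds every later hash passes local verification; only the head hash kept by another node exposes the change, which is why the text stresses operation by multiple units.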


URL: https://www.sciencedirect.com/science/article/pii/B9780128238189000110

What information must be obtained from a new patient?

What's in a New Patient Packet?
Form 1: Demographic Information, Medical Release and Insurance Information.
Form 2: Basic Health Information – Family History, Concerns, Habits, Medications and previous care.
Form 3: HIPAA Notice and Privacy Practices.

What information should be given to patients?

The patient's diagnosis, prognosis and comorbidities; the likely effectiveness of the respective treatment options, their risks and side effects; the patient's health beliefs, goals and preferences; the patient's capacity to manage the treatment and its consequences.

Why is it important to obtain information from the patient?

The information can be used to help:

  • understand more about disease risks and causes
  • improve diagnosis
  • develop new treatments and prevent disease

What important information should you provide in a message for the physician from a patient?

A list of medications and supplements you are taking, recent symptoms and the dates at which they occurred, any recent tests and names of other doctors you are seeing can be useful information to share with your doctor. The better you are able to communicate your needs and concerns, the better your doctor can respond.