Continue to Site

MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » Six ways to implement privacy and security measures

Six ways to implement privacy and security measures

By

Arnell Golden GregoryBy Kevin Coy & Andrew Flake

The increasing amounts of health information being generated, stored and collected have heightened the special risks medical device manufacturers have long faced. In addition to the nexus to patient health and safety, if a manufacturer does not address data privacy and security, it could face a wide range of regulatory consequences from multiple agencies. Hacks are a major risk, as is intellectual property theft. So what should a medical device manufacturer take into account when it comes to privacy and security safeguards? This article offers some best practices and insights for the medical device manufacture who is handling health information.

  1. Begin from day one. Privacy and security should be incorporated from the outset — what FTC has referred to as privacy and security by design. Addressing privacy and security should begin from the first design conversations around a connected medical device or mobile application. What constitutes appropriate privacy and security controls will depend on a number of factors, including the kind of data being collected and used; the sensitivity of that information; what the purpose of the device or application is; and the nature of the end user.. For example, mobile medical apps (MMAs) can be designed for sale directly to consumers for health and wellness purposes or they can be directed at provider customers as a means of helping providers improve the quality of patient care or of the care experience. The data being collected in each instance and the privacy and security needs associated may be different and impact the potential risks to privacy and security identified during a risk assessment. In terms of documentation, FDA’s quality systems regulation, including good manufacturing practices (GMP), also have implications for device security. Those requirements include design validation, including procedures appropriate to the intended use and to the user and patient. The FDA requirements also include validating and documenting the software used and a documented system of correction and preventions for any quality problems, which would include security inadequacies.
  2. Regularly review and update privacy and security protocols. The privacy and security of health information and other types of personal information is not limited to the design process, it continues throughout the lifecycle of the device or application. In addition to conducting an initial privacy and security review, make sure it is updated periodically to account for new potential risks as well as any changes made to the device or the manner in which it is marketed and used in the marketplace. Conduct testing to identify any lingering vulnerabilities, such as “backdoors” inadvertently left by developers. If you are using third-party code or modules, investigate and address potential third-party security vulnerabilities. For MMAs, FDA requires investigation into, and documentation of, the quality assurance systems of suppliers and consultants, but all medical device manufacturers and application developers should make sure to conduct due diligence on their privacy and security controls. Any potential vulnerabilities found or recommendations made during the review process should be evaluated and either implemented, or if they cannot be implemented for some reason, mitigating controls should be implemented to reduce potential privacy or security risks.
  3. Be aware of, and plan for, data collection. Consistent with the idea that one size does not fit all, decide what data will be collected by the application or device, why it will be collected (i.e., what is the business need?), who will the information be disclosed to, and how the information will be safeguarded. Depending upon the circumstances, the application or device could be subject to a range of privacy and data security laws and regulations. For example, where the device or application will be collecting patient protected health information or warehousing it, does your organization have a program in place to comply with the HIPAA privacy and security rules? Minimizing what data is collected and retained is a key means of minimizing potential risk. In fact, the FTC encourages data minimization as a means of mitigating threats particular to data. Those include a breach or compromise of stored data; correlation of data as a means of re-identifying patients; unauthorized secondary use of data; disclosure or identification; and unauthorized surveillance or monitoring. Collecting only the minimum amount of information necessary also is consistent with the HIPAA privacy rule’s “minimum necessary” principles. Exposure also can be reduced by only retaining identifiable information as long as necessary to satisfy legal obligations or the reasons for which the information originally was collected.
  4. Stay informed about and current with best practices. Stay abreast of industry privacy security resources and tools, from guidance from FDA, HHS, the FTC and other regulators to information concerning known vulnerabilities and threats, to standard-setting organizations and what are considered best practices. Encryption is an important potential means of safeguarding the privacy and security of health information, as well as a means of minimizing the potential for a data breach in the event that an unauthorized third party compromises your organization’s systems. Techniques such as rate limiting to prevent brute force Internet attacks also should be considered as another example of best practice. Password protection by itself is rarely going to be enough. Especially for sensitive health data of the sort often collected by medical devices and applications, look at encrypting that information and the use of multi-factor authentication as opposed to a static password. Nor is one mode of security sufficient or simply addressing security vulnerabilities one time at the design phase. Good security is multi-level, and the prudent medical device manufacturer will evaluate security risks and make adjustments and updates as necessary on an ongoing basis.A special word is warranted about Internet connectivity. Protection against the use of remote Internet-based access to medical device controls is essential. The FTC has warned of the potential problems here, having reported specifically on risks associated with the Internet of Things. Those include threats to patient safety and using an Internet-connected devices as a springboard to launch attacks on other systems. One need only consider examples like unauthorized remote access to an insulin pump or heart rate monitor to appreciate the seriousness and multiplicity of possible threats.
  5. Create a culture of privacy and security. An understanding about, and emphasis on, data privacy and security should be woven into the entire fabric of the organization. Training on privacy and security and the importance of implementing internal controls — addressing the human factor and the possibility of human error or bad intention — remains critical. A successful training program will go a long way not only to prevent incidents, or at least minimize the chances of a security breach, but also help establish that your company’s privacy and security procedures for the health information that your organization collects through its medical devices or applications are reasonable. Not to be forgotten are recent examples of data breaches arising from something as simple, and as harmful, as a lost or stolen laptop or other data-bearing device. If there is any regulatory audit or investigation, training will also help in establishing that the company implemented reasonable precautions.In one well-publicized case that resulted in a long-term and expensive set of requirements for mobile device manufacturer HTC America, the FTC charged the company with the failure to employ reasonable and appropriate security measures. Among the failings were lack of security training for the engineering staff, no review or testing of software for security vulnerabilities, failure to follow secure coding practices, and failure to implement a third-party reporting mechanism.
  6. Incorporate security responsibilities into your contracts. Don’t forget about your service providers and your customers. Especially for medical device manufacturers in the complex and multi-actor continuum of care, it is important to make sure that there is clear contractual allocation of responsibility for safeguarding personal information and also procedures for who handles privacy and security problems when they arise. This means both looking at both your agreements with your vendors/service providers as well as your agreements with your direct customers or end users. It includes notifications about data breaches. What do you tell someone or your customer when there is a breach? And you need to address security updates. What time limits are in place concerning when patches and updates need to be provided? It can be risky to leave that undetermined and open-ended. Finally, be sensitive to what representations you may be making, directly or indirectly, about the security of your products and their privacy protections.

Remember that privacy and security is an ongoing and evolving process, where regular maintenance and attention is the goal. This is hard work, but the attention is well-warranted.

 

Kevin Coy is a partner in the Privacy and Consumer Regulatory Practice at Arnall Golden Gregory LLP in Washington, D.C., 202-677-4034, kevin.coy@agg.com

 

Andrew Flake is a partner in the Litigation Practice and co-leader of the Health IT Practice at Arnall Golden Gregory in Atlanta, 404-873-7026, andrew.flake@agg.com

 

In case you missed it

RSS From Medical Design & Outsourcing

  • New results detail J&J Embotrap design’s first-pass performance in stroke patients
    Johnson & Johnson (NYSE:JNJ) has released results for its Embotrap stent retrievers showing the next-generation design’s success in removing blood clots from ischemic stroke patients. Johnson & Johnson MedTech’s Cerenovus subsidiary tracked outcomes for 1,000 ischemic stroke patients who underwent mechanical thrombectomy procedures with Embotrap devices as a first-line therapy. “The positive preliminary findings of… […]
  • Cardinal Health expands single-use device reprocessing facility
    Cardinal Health (NYSE:CAH) recently opened its expanded Sustainable Technologies facility in Riverview, Florida. The facility is now twice as large as before, at 100,000 square feet, said Dublin, Ohio-based Cardinal Health. The medical device manufacturer and distributor launched Sustainable Technologies in 2015 to collect, reprocess and recycle single-use devices in the U.S. Sustainable Technologies now… […]
  • A new mechanically active adhesive fights muscle atrophy
    Harvard bioengineers have created a mechanically active adhesive that can prevent muscle wasting and support atrophy recovery. They call it MAGENTA, an acronym for mechanically active gel–elastomer–nitinol tissue adhesive. Researchers from the Wyss Institute for Biologically Inspired Engineering at Harvard University and the Harvard John A. Paulson School of Engineering and Applied Sciences successfully tested… […]
  • November 2022 Issue: 2022 Medical Device Handbook
      Medtronic, Abbott and ResMed see healthcare improving through ecosystems DermaSensor aims to expand access to accurate skin cancer detection How J&J’s Embotrap stent retriever thrombectomy treats ischemic strokes Design challenges to overcome when developing cardiac ablation devices How Medtronic designed the next generation of GI bleeding treatment Innovate together Medical devices have never been… […]
  • Could minimally invasive neuromod tackle the opioid epidemic?
    Officials at Spark Biomedical and AcuityMD think their partnership could accelerate the commercialization of Spark’s potentially game-changing platform. Spark Biomedical develops a topical, minimally invasive medical device for alleviating opioid withdrawal symptoms. AcuityMD has a platform for helping medical device companies accelerate commercial access to their products. Together, they seek to provide a pathway to… […]
  • BMP Medical appoints Michael Carignan as programs and engineering manager
    BMP Medical announced that it appointed Michael Carignan as its new programs and engineering manager. Carignan joins BMP Medical at its Sterling, Massachusetts plastic manufacturing hub facility. He brings with him more than 33 years of experience in the plastic manufacturing industry. Before BMP Medical, Carignan served as president of Wachusett Precision Tool for more… […]
  • PTI Engineered Plastics receives MedAccred plastics accreditation
    PTI Engineered Plastics recently announced that MedAccred has recognized it for its commitment to continual improvement in medical device quality. The Macomb, Michigan–based company’s MedAccred accreditation follows a successful audit. MedAccred found that the medical device contract manufacturer demonstrated an ongoing commitment to quality by satisfying customer requirements and industry specifications. The nonprofit Performance Review… […]
  • Millstone Medical Outsourcing buys MycoScience
    Millstone Medical Outsourcing has purchased MycoScience, the companies said today. Fall River, Massachusetts-based Millstone said it closed the deal on Nov. 14. Terms were not disclosed. Willington, Connecticut-based MycoScience is an ISO 13485 certified contract manufacturing organization operating out of an FDA-registered facility. The company has more than three decades of experience in medical device… […]
  • These 14 medical device inventions are the best, Time magazine says
    Fourteen medical devices ranging from patient monitoring to surgical robotics recently made it into Time magazine’s Best Inventions of 2022. For over 20 years, Time magazine has highlighted the 100 most impactful devices and ideas around the world. The list is compiled through nominations from the publication’s editors and global correspondents, with special attention to… […]
  • Why Affera’s cardiac ablation technology is worth $1B to Medtronic
    Affera started in 2014 with a simple goal that paid off when Medtronic (NYSE:MDT) bought the company for up to $1 billion this year. Achieving that goal, however, took some unconventional and sometimes difficult design choices, Affera founder and CEO Doron Harlev said. Newton, Massachusetts–based Affera’s system diagnoses, maps and treats heart arrhythmias with ablation.… […]
  • Viant expands Design & Development West Center of Excellence in California
    Viant today said it has completed the expansion of its Design & Development West Center of Excellence in Fremont, California. The facility’s footprint is now 67% larger, totaling 25,000 sf² across two buildings co-located with the company’s complex molding and assembly facility. The expansion triples the amount of ISO 8 and ISO 7 cleanroom space… […]

Copyright © 2022 · WTWH Media LLC and its licensors. All rights reserved.
The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media.

Advertise | Privacy Policy