MassDevice

The Medical Device Business Journal — Medical Device News & Articles | MassDevice

Home » Six ways to implement privacy and security measures

Six ways to implement privacy and security measures

By

Arnell Golden GregoryBy Kevin Coy & Andrew Flake

The increasing amounts of health information being generated, stored and collected have heightened the special risks medical device manufacturers have long faced. In addition to the nexus to patient health and safety, if a manufacturer does not address data privacy and security, it could face a wide range of regulatory consequences from multiple agencies. Hacks are a major risk, as is intellectual property theft. So what should a medical device manufacturer take into account when it comes to privacy and security safeguards? This article offers some best practices and insights for the medical device manufacture who is handling health information.

  1. Begin from day one. Privacy and security should be incorporated from the outset — what FTC has referred to as privacy and security by design. Addressing privacy and security should begin from the first design conversations around a connected medical device or mobile application. What constitutes appropriate privacy and security controls will depend on a number of factors, including the kind of data being collected and used; the sensitivity of that information; what the purpose of the device or application is; and the nature of the end user.. For example, mobile medical apps (MMAs) can be designed for sale directly to consumers for health and wellness purposes or they can be directed at provider customers as a means of helping providers improve the quality of patient care or of the care experience. The data being collected in each instance and the privacy and security needs associated may be different and impact the potential risks to privacy and security identified during a risk assessment. In terms of documentation, FDA’s quality systems regulation, including good manufacturing practices (GMP), also have implications for device security. Those requirements include design validation, including procedures appropriate to the intended use and to the user and patient. The FDA requirements also include validating and documenting the software used and a documented system of correction and preventions for any quality problems, which would include security inadequacies.
  2. Regularly review and update privacy and security protocols. The privacy and security of health information and other types of personal information is not limited to the design process, it continues throughout the lifecycle of the device or application. In addition to conducting an initial privacy and security review, make sure it is updated periodically to account for new potential risks as well as any changes made to the device or the manner in which it is marketed and used in the marketplace. Conduct testing to identify any lingering vulnerabilities, such as “backdoors” inadvertently left by developers. If you are using third-party code or modules, investigate and address potential third-party security vulnerabilities. For MMAs, FDA requires investigation into, and documentation of, the quality assurance systems of suppliers and consultants, but all medical device manufacturers and application developers should make sure to conduct due diligence on their privacy and security controls. Any potential vulnerabilities found or recommendations made during the review process should be evaluated and either implemented, or if they cannot be implemented for some reason, mitigating controls should be implemented to reduce potential privacy or security risks.
  3. Be aware of, and plan for, data collection. Consistent with the idea that one size does not fit all, decide what data will be collected by the application or device, why it will be collected (i.e., what is the business need?), who will the information be disclosed to, and how the information will be safeguarded. Depending upon the circumstances, the application or device could be subject to a range of privacy and data security laws and regulations. For example, where the device or application will be collecting patient protected health information or warehousing it, does your organization have a program in place to comply with the HIPAA privacy and security rules? Minimizing what data is collected and retained is a key means of minimizing potential risk. In fact, the FTC encourages data minimization as a means of mitigating threats particular to data. Those include a breach or compromise of stored data; correlation of data as a means of re-identifying patients; unauthorized secondary use of data; disclosure or identification; and unauthorized surveillance or monitoring. Collecting only the minimum amount of information necessary also is consistent with the HIPAA privacy rule’s “minimum necessary” principles. Exposure also can be reduced by only retaining identifiable information as long as necessary to satisfy legal obligations or the reasons for which the information originally was collected.
  4. Stay informed about and current with best practices. Stay abreast of industry privacy security resources and tools, from guidance from FDA, HHS, the FTC and other regulators to information concerning known vulnerabilities and threats, to standard-setting organizations and what are considered best practices. Encryption is an important potential means of safeguarding the privacy and security of health information, as well as a means of minimizing the potential for a data breach in the event that an unauthorized third party compromises your organization’s systems. Techniques such as rate limiting to prevent brute force Internet attacks also should be considered as another example of best practice. Password protection by itself is rarely going to be enough. Especially for sensitive health data of the sort often collected by medical devices and applications, look at encrypting that information and the use of multi-factor authentication as opposed to a static password. Nor is one mode of security sufficient or simply addressing security vulnerabilities one time at the design phase. Good security is multi-level, and the prudent medical device manufacturer will evaluate security risks and make adjustments and updates as necessary on an ongoing basis.A special word is warranted about Internet connectivity. Protection against the use of remote Internet-based access to medical device controls is essential. The FTC has warned of the potential problems here, having reported specifically on risks associated with the Internet of Things. Those include threats to patient safety and using an Internet-connected devices as a springboard to launch attacks on other systems. One need only consider examples like unauthorized remote access to an insulin pump or heart rate monitor to appreciate the seriousness and multiplicity of possible threats.
  5. Create a culture of privacy and security. An understanding about, and emphasis on, data privacy and security should be woven into the entire fabric of the organization. Training on privacy and security and the importance of implementing internal controls — addressing the human factor and the possibility of human error or bad intention — remains critical. A successful training program will go a long way not only to prevent incidents, or at least minimize the chances of a security breach, but also help establish that your company’s privacy and security procedures for the health information that your organization collects through its medical devices or applications are reasonable. Not to be forgotten are recent examples of data breaches arising from something as simple, and as harmful, as a lost or stolen laptop or other data-bearing device. If there is any regulatory audit or investigation, training will also help in establishing that the company implemented reasonable precautions.In one well-publicized case that resulted in a long-term and expensive set of requirements for mobile device manufacturer HTC America, the FTC charged the company with the failure to employ reasonable and appropriate security measures. Among the failings were lack of security training for the engineering staff, no review or testing of software for security vulnerabilities, failure to follow secure coding practices, and failure to implement a third-party reporting mechanism.
  6. Incorporate security responsibilities into your contracts. Don’t forget about your service providers and your customers. Especially for medical device manufacturers in the complex and multi-actor continuum of care, it is important to make sure that there is clear contractual allocation of responsibility for safeguarding personal information and also procedures for who handles privacy and security problems when they arise. This means both looking at both your agreements with your vendors/service providers as well as your agreements with your direct customers or end users. It includes notifications about data breaches. What do you tell someone or your customer when there is a breach? And you need to address security updates. What time limits are in place concerning when patches and updates need to be provided? It can be risky to leave that undetermined and open-ended. Finally, be sensitive to what representations you may be making, directly or indirectly, about the security of your products and their privacy protections.

Remember that privacy and security is an ongoing and evolving process, where regular maintenance and attention is the goal. This is hard work, but the attention is well-warranted.

 

Kevin Coy is a partner in the Privacy and Consumer Regulatory Practice at Arnall Golden Gregory LLP in Washington, D.C., 202-677-4034, kevin.coy@agg.com

 

Andrew Flake is a partner in the Litigation Practice and co-leader of the Health IT Practice at Arnall Golden Gregory in Atlanta, 404-873-7026, andrew.flake@agg.com

 

In case you missed it

RSS From Medical Design & Outsourcing

  • Philips updates on testing results for recalled ventilators
    Royal Philips (NYSE:PHG) says only a small portion of returned respiratory devices displayed the sound abatement foam degradation that sparked a massive recall. Repeated ozone cleaning may have made the problem worse. Those were some of the major takeaways from an update Philips provided today on a comprehensive test and research program it implemented after its… […]
  • ResMed names Lucile Blaise as new Sleep & Respiratory Care leader
    Lucile Blaise will be the new president of ResMed’s Sleep & Respiratory Care business starting July 1, ResMed (NYSE: RMD) said today. She replaces Jim Hollingshead, who became president and CEO of Insulet (Nasdaq:PODD) on June 1. ResMed President and COO Rob Douglas is serving as interim president of the Sleep & Respiratory Care during… […]
  • Cardinal Health starts Zipline drone deliveries of drugs and medical supplies
    Cardinal Health (NYSE: CAH) today started air delivery of pharmaceutical products and medical supplies via Zipline drone in North Carolina. San Francisco-based Zipline won FAA Part 135 air carrier certification for the long-range flights earlier this month. The company flew its first commercial deliveries on June 22 with an initial 16-nautical-mile flight. The flights starting… […]
  • How medical device companies are responding to abortion bans
    Days after the U.S. Supreme Court’s decision to overturn Roe v. Wade’s protection of abortion rights, medical device companies are among those reassuring workers about healthcare access. Corporate communications to employees and the public at large come as trigger laws in nearly half of the states outlaw abortion immediately. Some medtech companies are not using… […]
  • Boston Centerless opens manufacturing plant in Indiana
    Boston Centerless announced today that it opened a second manufacturing plant in Fort Wayne, Indiana. Woburn, Massachusetts-based Boston Centerless said in a news release that the latest expansion for the supplier of precision ground bar materials for close tolerance CNC Swiss machining applications represents continued robust growth in key market segments in the Midwest and… […]
  • Dymax strikes new partnership with Quantum Systems
    Rapid curing materials and equipment manufacturer Dymax today announced a new sales partnership with Quantum Systems. Torrington, Connecticut-based Dymax said in a news release that Quantum, with its offices in Arizona as well as Sonora and Baja, Mexico, will focus its efforts on promoting and supporting the sales of Dymax light-curing solutions to the medical,… […]
  • Researchers develop wearable robotic exomuscle system
    ETH Zurich researchers have redefined the muscle shirt. Marie Georgarakis, a former doctoral student at ETH Zurich’s Sensory Motor Systems Lab, is the creator of the Myoshirt, a wearable, textile robotic device that helps users lift their arms and reach. A motorized cable works like an artificial tendon, directed by sensors and an algorithm to… […]
  • They said it at DeviceTalks Boston
    Medtech insiders convened at DeviceTalks Boston 2022 in May to discuss device design, innovation and trends shaping the industry now and in the years and decades ahead. Here are some of the most quotable insights from panelists and speakers at our live event. And make sure to save the date — and save your seat… […]
  • Summer health technology program brings diverse group of interns to Silicon Valley
    Diversity by Doing HealthTech (DxD) is holding a Summer Innovation and Exploration Series for college student interns from underrepresented groups. The series is on its second day today at Fogarty Innovation and Stanford Byers Center for Biodesign — the two organizations that jointly formed and support DxD. The event debuted last year in an online… […]
  • Clippard releases new series of isolation valves
    Clippard (Cincinnati) has Its Clippard NIV Series media isolation valve — a solenoid-operated device using a flexible diaphragm to isolate the actuation mechanism from the fluid path. Media isolation valves find everyday use in a wide variety of applications. Think uses that require precise, repeatable dispensing of media for analytical instrumentation. Clippard says media isolation… […]
  • Another Medtronic HVAD recall is serious
    A year after Medtronic ceded the LVAD market to Abbott, it has yet another Class I recall involving HeartWare Ventricular Assist Device pumps still implanted in patients. The FDA today designated a Medtronic recall involving the HVADs as Class I, the most serious level. It’s the second Class I recall designation for the HVADs this… […]