How to Manage Data Privacy for Connected Medical Devices
Cloud connectivity brings several benefits, but concerns about data privacy and security are big barriers for medical device companies that have not yet connected their devices to the cloud.
Data privacy and security are intertwined, but both can be managed. What do medical device manufacturers need to consider when looking at connecting their devices?
A data privacy program starts with the culture of your business. Let’s take a look at a few steps for managing privacy for connected medical devices:
#1. Have a data management guideline
It’s important to have a set of company policies and guidelines to manage data privacy. It is also important to periodically train your team members on these. If you are a medical device manufacturer with ISO 13485:2016 certification, then you are required to do this to some degree already.
The guidelines you come up with should be consistent with the federal, state or local regulations that apply to you, along with patient expectations. Two of the most cited healthcare privacy regulations are the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the General Data Protection Regulation (GDPR) in the European Union. Both impose requirements on the various parties that collect, store or process the data, including contractors and cloud providers that handle it on a manufacturer's behalf.
These are a good place to start in order to understand what controls should be included in a medical device solution. Also, they are good to use to understand things you might need to cover with the training of your own team members, or even end users of the device.
#2. Conduct a risk assessment
As with anything to do with medical devices, start with a thorough risk assessment that focuses on data privacy. This can seem to be a burdensome task, but fortunately, there are tools available to help. Take a look at HealthIT.gov’s Security Risk Assessment tool.
You need to assess what happens when a piece of data is altered, stolen, deleted or accessed in an unauthorized manner. Determine what the harm could be to the patient, the operator and of course, your business.
On the other side of that, what happens when you don’t store or process data? Could there be risks for your company or the patient? For example, consider the opportunities that may be lost if you’re not able to make use of vital data in ways that can help the patient.
Identify which data elements are collected or stored, and which of those fall under the definition of protected data. Under HIPAA this is protected health information (PHI): health, treatment or payment information that identifies a person, or for which there is a reasonable basis to believe it can be used to identify a person. The word “reasonable” is the key. Aggregates such as an average age, weight or height across a population are not protected, because you can't use them to identify anyone. A patient's name, social security number or medical record number is protected, because it points to one person or a small group of people.
Similarly, multiple data points that can be used in conjunction to identify a person are protected even if none of them is identifying on its own. If a record contains a patient's age, height, weight, the name of their doctor and their appointment schedule, someone could reasonably work out who the record is about. HIPAA's Safe Harbor de-identification method lists 18 categories of identifiers (names, dates other than year, device identifiers and serial numbers, and so on) that must be removed before data counts as de-identified; the inclusion of device identifiers matters for connected devices. Some laws are more stringent still: under GDPR, pseudonymised data that could be linked back to a person is still personal data.
#3. Manage patient consent
For protected health data, you need a lawful basis for holding it, typically consent obtained either directly from the patient or through a third party such as a hospital or clinic. If a hospital or clinic (a HIPAA covered entity) gives you access to patient data so that you can provide your service, you will generally be a business associate and must sign a business associate agreement (BAA) with them that spells out what you may do with the data and which safeguards you must apply. The BAA also makes you directly responsible under HIPAA for protecting that data, not just the covered entity.
Another important point here is to ensure that consent records are stored securely.
#4. Manage data access
You need to make sure that private data is protected from general disclosure: only those who are authorized should be able to access it, and those people need training so that they don't accidentally disclose data they shouldn't. Accidental disclosure (a record e-mailed to the wrong recipient, a debug export copied to a laptop, a screen left visible in a ward) is more common than most people realize.
For electronic systems, each user should be allocated a unique identifier, such as a login name or email address, together with a “secret” such as a password that only they know. Unique accounts are what allow the system to record accurately who accessed it, when and from where; shared or generic accounts (a single “nurse” login on a ward workstation, a vendor service account everyone uses) make that record meaningless. Keep that record.
Passwords are the most common form of “secret” but they're not necessarily the most secure method. People have a tendency to use the same password across different systems, to write them down, or to store them somewhere so that they remember them.
Set a minimum length, check new passwords against lists of known breached passwords, and have rules around usage (no sharing, no reuse across systems). Current NIST guidance (SP 800-63B) recommends against mandatory periodic expiration and composition rules, which push people towards predictable patterns; instead, require a change when compromise is suspected. Train staff in these practices. Add a second factor wherever the risk assessment justifies it: hardware security keys or smart cards resist phishing best, app-based one-time passwords are a good default, and SMS codes are the weakest option.
Systems should be designed so that each individual has access only to the data they actually need for their role (least privilege). Review that access periodically and tie it to your joiner, mover and leaver process: revoke access the day someone leaves, and re-check it when their role changes.
Systems should also record every access to and change of data: who accessed it, what was changed, the previous and new values where practical, and when. This “audit log” must itself be protected from the people it records (append-only storage, or forwarded to a separate logging system they cannot write to), and you need to review it periodically to confirm that there has been no breach and that access controls are still appropriate.
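As an added example (not code from the original article), the following Python sketches the controls in this section together: deny-by-default role checks against a user directory, an append-only audit log in which each entry carries the hash of the previous one so that an edited or deleted entry is detected on review, and a review routine that lists denied attempts and active accounts that never used their access. The roles, users, resources and log entries are constructed for illustration.

```python
"""Added example (not from the original article): deny-by-default role checks,
a tamper-evident audit log and a periodic review routine.  All users, roles,
resources and log entries below are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Role -> allowed (resource, action) pairs.  Least privilege: support staff
# can read device telemetry but never patient records.
PERMISSIONS = {
    "clinician": {("patient_record", "read"), ("patient_record", "update")},
    "support": {("device_telemetry", "read")},
    "auditor": {("audit_log", "read")},
}

# Constructed user directory; "active" is set to False when someone leaves.
USERS = {
    "dr.lee@example.org": {"role": "clinician", "active": True},
    "tech.kim@example.org": {"role": "support", "active": True},
    "former.staff@example.org": {"role": "clinician", "active": False},
}

GENESIS = "0" * 64  # previous-hash value for the first entry


class AuditLog:
    """Append-only log; each entry stores the hash of the previous entry, so an
    edited or deleted entry breaks the chain and is caught by verify_chain()."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so the same entry always hashes the same.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, resource, action, allowed, detail=None):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "resource": resource, "action": action,
            "allowed": allowed, "detail": detail, "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self._prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True if no entry has been altered, reordered or removed."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(users, log, user, resource, action, detail=None):
    """Deny by default: unknown or deactivated users and actions outside the
    role's permission set are refused.  Every decision, including denials,
    is logged so that probing for access shows up in review."""
    account = users.get(user)
    allowed = bool(account and account["active"]
                   and (resource, action) in PERMISSIONS.get(account["role"], set()))
    log.append(user, resource, action, allowed, detail)
    return allowed


def review(users, log):
    """Periodic review: report chain breaks, denied attempts, and active
    accounts that never exercised their access (candidates for removal)."""
    findings = []
    if not log.verify_chain():
        findings.append("audit log chain broken: entries altered or missing")
    used = set()
    for e in log.entries:
        if e["allowed"]:
            used.add(e["user"])
        else:
            findings.append(f"denied: {e['user']} tried {e['action']} on {e['resource']} at {e['ts']}")
    for name, acct in users.items():
        if acct["active"] and name not in used:
            findings.append(f"unused access: {name} ({acct['role']}) made no permitted access")
    return findings


def demo():
    """Build a small constructed log: one permitted update and two denials."""
    users = {name: dict(acct) for name, acct in USERS.items()}
    log = AuditLog()
    authorize(users, log, "dr.lee@example.org", "patient_record", "update", "basal rate corrected")
    authorize(users, log, "tech.kim@example.org", "patient_record", "read")      # denied: wrong role
    authorize(users, log, "former.staff@example.org", "patient_record", "read")  # denied: deactivated
    return users, log


if __name__ == "__main__":
    users, log = demo()
    for finding in review(users, log):
        print(finding)
```

Run it to print the findings for the constructed log. In a real deployment the log would be written to storage that application users cannot modify, the latest chain hash would be anchored periodically (signed, or shipped to a separate log system), and the review output would feed the periodic access review described above.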
#5. Manage data integrity
Encrypt data in transit (TLS between the device, the cloud and any clients) and at rest, using an authenticated encryption mode such as AES-GCM. Encryption alone only protects confidentiality; authenticated modes also detect alteration, which matters because a modified dosing parameter or reading can harm a patient directly, whether through theft or alteration of data. Generally, the higher the risk to the patient, the stronger the controls around the encryption need to be: where the keys are stored (a hardware security module or cloud key management service rather than next to the data), who can use them, and how they are rotated, rather than simply a longer key.
You also need to put controls in place to ensure the integrity of your data. One key control is reliable backups, stored separately and securely: off-site, encrypted, with the encryption keys held apart from the backup itself, and with restores tested regularly so that you know the backup is usable and unmodified.
Furthermore, you need procedures for emergency access to data in case data is altered or removed (HIPAA's Security Rule explicitly requires an emergency access procedure), and those procedures should be exercised before you need them.
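As an added example (not from the original article), this Python snippet shows an integrity check for an off-site backup: an HMAC-SHA256 tag is computed over the canonical backup payload with a key that is never stored with the backup, restore refuses any payload whose tag does not verify, and a periodic routine scans all stored backups and reports the copies that fail. The records, key and backup names are constructed. The snippet protects integrity only; for confidentiality the payload would additionally be encrypted with an authenticated cipher such as AES-GCM (not in Python's standard library), in which case the cipher's own tag takes the place of the separate HMAC.

```python
"""Added example (not from the original article): HMAC-based integrity
protection for backups, with the key held apart from the backup.
Records, key and backup names are constructed for illustration."""
import hashlib
import hmac
import json
import secrets

# Constructed sample export; not real patient data.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "device": "pump-17", "ts": "2024-03-01T08:00:00Z", "basal_u_per_h": 0.8},
    {"patient_id": "P-0002", "device": "pump-22", "ts": "2024-03-01T08:05:00Z", "basal_u_per_h": 1.1},
]


def make_backup(records, key):
    """Serialize canonically and return (payload, tag).  The tag travels with
    the backup; the key is held in a KMS/HSM or vault, never next to the file."""
    payload = json.dumps(records, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def restore_backup(payload, tag, key):
    """Recompute the tag and refuse to restore on mismatch.  compare_digest
    keeps the comparison constant-time."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("backup integrity check failed: payload or tag altered")
    return json.loads(payload)


def verify_backups(backups, key):
    """Periodic integrity scan over stored (name, payload, tag) triples.
    Returns the names that fail, so a tampered copy is found before it is
    ever needed for an emergency restore."""
    failed = []
    for name, payload, tag in backups:
        try:
            restore_backup(payload, tag, key)
        except ValueError:
            failed.append(name)
    return failed


def demo():
    """Create a backup, simulate an attacker raising one patient's basal rate
    tenfold in a stored copy, and report which copies fail verification."""
    key = secrets.token_bytes(32)  # generated here; in practice from a KMS/HSM
    payload, tag = make_backup(SAMPLE_RECORDS, key)
    tampered = payload.replace(b'"basal_u_per_h": 0.8', b'"basal_u_per_h": 8.0')
    assert tampered != payload  # the constructed edit must actually apply
    backups = [
        ("2024-03-01-full", payload, tag),
        ("2024-03-01-full.offsite", tampered, tag),
    ]
    return verify_backups(backups, key)


if __name__ == "__main__":
    print("backups failing integrity check:", demo())
```

Because the key is not stored with the backup, an attacker who can rewrite the off-site copy cannot recompute a matching tag; the scan in `verify_backups` is what turns that property into a periodic control rather than a surprise during an emergency restore.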
Final thoughts
Clinicians and other specialists often need access to good quality data from medical devices in order to provide the best level of care possible. Managing the privacy of that data requires a combination of robust security strategies, security solutions and in many cases, sufficient resources in the form of IT personnel to manage it.
The security and privacy side of connected medical devices is certainly not a trivial thing. It is important to ensure that you comply with regulations and prevent any harm to the patient or your business.