The rapid explosion of mobile platforms and the adoption of smart devices have given physicians and other hospital staff greater flexibility and opportunity to deliver real-time information at the point of care. Mobile healthcare, more commonly called mHealth, has created a channel to facilitate, communicate and deliver healthcare services via mobile communication devices.
Over the last few months, an increasing number of mHealth apps that help physicians and other healthcare providers keep track of reference drugs, monitor patient health records and status, and manage schedules have gained traction. While this offers healthcare organizations a plethora of opportunities to reduce costs and improve efficiency, the trend towards increased mobility has created new challenges for healthcare IT.
This paper is a guide for healthcare organizations and their IT departments to assess and identify basic requirements, reduce risk, improve operational efficiency and achieve compliance goals, enabling them to provide a higher quality of patient care. The whitepaper combines industry best practices with RapidValue’s experience in implementing solutions for many customers.
The influx and usage of mobile devices have strained traditional security policies and processes. The client/server and fixed-line transmission models of the last few years have become obsolete with the advent of mobile and internet technologies. Mobile devices provide access to corporate resources and applications from anywhere, through cloud services and remote mobile desktops.
As more sensitive information is fed into mobile applications and into the network cloud in general, the complete security, privacy and regulatory compliance of that information must be assured. Because security breaches are not uncommon in any industry, the healthcare industry has mandated a number of regulations and compliance requirements to ensure that patient information is kept safe.
One of the key steps in defining the security compliance strategy for your mobile app is to determine whether the application requires FDA approval.
FDA clearance is typically required for apps that are involved in the diagnosis, treatment, cure or mitigation of a disease. A few examples are given below:
FDA clearance – Yes, requires assessment for exemption
On the other hand, applications that are informational and reference-only do not require FDA approvals.
So how do you know whether the app you developed will be subject to FDA approval? Based on research and years of experience, we at RapidValue suggest considering the questions listed below to help you evaluate whether your app is subject to FDA approval.
| # | Brainstorm and evaluate | Possible considerations for the app not being subject to FDA approval |
|---|---|---|
| 1 | How is the data going to be entered into the app? | Make sure the data is entered manually; the app is not connected to an external device/machine from which it receives data; and the app does not require physical contact with the patient specimen. |
| 2 | What is the output of the app? | The output should not connect to any other device or guide with any instruction. |
| 3 | Does the app provide real-time updates of a patient? | The app should not monitor the patient in real time. |
Apps that do not need approval
– Wellness-related apps that track/log/record food habits or physical fitness exercise
Apps that need approval
– PACS (Picture Archiving and Communication Systems) apps that display radiological images such as X-ray scan reports for diagnosis are classified as Class II PACS devices
For any healthcare application, security and compliance go hand in hand, and it is absolutely essential to adopt all healthcare compliance and regulatory requirements governing the healthcare sector, including HIPAA, HITECH, the ITRF Regulation and PCI/PHI compliance.
While a technical architect or product manager decides whether an application is subject to FDA regulation, compliance and security need to be built in by the development team building the application.
Below are the key steps in ensuring a design that addresses compliance and regulatory requirements.
Unlike applications that run in desktop environments, where the majority of systems run on a single platform/operating system, the market share of mobile platforms is highly fragmented.
| # | Area | Questions to evaluate |
|---|---|---|
| 1 | What type of user group will access the application? | Is the application going to be accessed by consumers? Is it an enterprise application that will be accessed only by employees of the organization? |
| 2 | Mobile platforms | On which platforms does the mobile application need to be supported: iOS (Apple), Android, BlackBerry, Windows, or all of them? |
| 3 | Server requirements | Is the application a standalone app, or does it communicate with a backend server for data synchronization? What will the application usage be most of the time? Will the application be used by a large user base? The bandwidth the server can handle needs to be evaluated. |
Assessing the answers to the above questions will help the IT team strategize and tailor security policies for the corporate servers that are accessed by wireless devices.
In the few years since their inception, smartphones have grown smarter and more powerful each year, combining the ability to communicate over multiple channels with significant processing power and large storage capacity. As a result, these devices have become an easier target for data compromise than laptops.
The Centers for Medicare and Medicaid Services (CMS), which oversees HIPAA Security Rule enforcement, has published the ‘HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information’ to help organizations determine the best way to protect ePHI available to mobile device users.
Our framework of implementing a secure mobile application is based around the CMS guidance with recommendations from a development and implementation perspective.
Make sure the mHealth application requires a set of unique credentials (username and password) to access it.
Risk scenario: Login credentials are lost/stolen, which could potentially result in unauthorized access to view/modify ePHI.
2. Secure your data
Make sure the data sent to the mobile application is secure on the device as well as during transmission.
Risk scenario: Hacking the network or a mobile device from unprotected access points (such as a hotel business center or an airport) is a growing concern and can result in the loss of ePHI data.
Once the development team has implemented the application in line with the compliance requirements discussed above, the next step is to assess how to deploy the application and manage it over subsequent releases and upgrades.
For applications that are not going to be used by consumers but rather by employees within the organization, we recommend rolling out using the enterprise distribution model, through which users have access to and download the recommended enterprise apps, receive them securely over-the-air (OTA), and are alerted to and download updates when available. Moreover, organizations can leverage this model to keep an accurate inventory of the mobile apps installed at any given time and monitor them by device and user group.
While there is significant concern about application vulnerability, integrity and user privacy in the Apple App Store and Android Market, we believe that implementing some of the security measures below will strengthen compliance policies significantly.
Given the trend towards adoption of different digital technologies, today’s healthcare organizations face enormous challenges in compliance and regulation. As we have witnessed more recently, theft of personal information has proven costly for organizations, resulting in lost credibility and, in some cases, being forced out of business.
With the robust auditing required for HIPAA security compliance, IT groups can no longer ignore mobile devices in their security policy implementation. Companies looking to develop mHealth solutions should consider leveraging their existing IT infrastructure, policies and services, and ensure that newer technologies are seamlessly integrated. This will add significant value to the organization by supporting quality care for its patients.
This white paper sets out the evaluation criteria for mobile health apps with respect to FDA and HIPAA compliance, based on our research, analysis and understanding. Any architectural assessment and/or design decisions related to the above policies should not be implemented based solely on the recommendations in this document. RapidValue shall have no liability for any direct, incidental, or consequential damages suffered by any third party as a result of decisions/actions taken, or not taken, based on this document.