The Era of Wearable Medical Devices and mHealth: Protecting Patients and Providers

Establishing administrative safeguards can include developing policies and procedures that determine what data to collect, how the data will be stored, and who will have access to the data. Technical safeguards can then be implemented to comply with those policies and procedures. For example, it is important to limit access to protected health information because insider threats are prevalent and often go unnoticed at most organizations.5 Patient health information, particularly information on terminal patients, is valuable on the black market.5 Carnegie Mellon University published “Best Practices Against Insider Threats in All Nations,” based on its analysis of more than 700 case studies, and recommended 19 best practices for preventing, detecting, and responding to harm from “insider” threats,5 spanning risk assessments, new-hire screening, physical and security controls, audits, and monitoring.5 These 19 best practices are as follows.

  1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  2. Clearly document and consistently enforce policies and controls. 
  3. Incorporate insider threat awareness into periodic security training for all employees. 
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  5. Anticipate and manage negative issues in the work environment.
  6. Know your assets. 
  7. Implement strict password and account management policies and practices. 
  8. Enforce separation of duties and least privilege. 
  9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. 
  10. Institute stringent access controls and monitoring policies on privileged users. 
  11. Institutionalize system change controls.
  12. Use a log correlation engine or Security Information and Event Management (SIEM) system to log, monitor, and audit employee actions.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Develop a comprehensive employee termination procedure.
  15. Implement secure backup and recovery processes. 
  16. Develop a formalized insider threat program.
  17. Establish a baseline of normal network device behavior.
  18. Be especially vigilant regarding social media. 
  19. Close the doors to unauthorized data exfiltration.

Providers may be able to avoid liability and prevent patient data from being accessed by encrypting portable devices. An appeals court, for example, found that a hospital was not liable under California’s Confidentiality of Medical Information Act because the class action plaintiffs did not allege or prove that the “confidential nature of the plaintiff’s medical information was breached as a result of the health care provider’s negligence.”13 In that lawsuit, an encrypted external hard drive containing personally identifiable medical information was stolen in a robbery. The plaintiffs alleged the hospital failed to have reasonable systems and controls in place to prevent the removal of protected health information from the hospital premises, and as a result, it negligently lost possession of the hard drive and encryption passwords.13 The court interpreted the Confidentiality of Medical Information Act to mean that a health care provider may be liable if they negligently maintained confidential medical information and thereby allowed it to be accessed by an unauthorized third person — that is, they permitted it to escape or spread from its normal place of storage.13 The hard drive was encrypted, so although it went missing, plaintiffs did not prove that the health data on the hard drive were accessed.