Saturday, April 29, 2017

Medical Device Hacking Blog Post Week 7

So I came across an article a while ago discussing something that I never even thought could happen in my wildest dreams: medical devices being hacked. In this particular case it was heart devices. “St. Jude’s devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. Implanted under the skin of the chest, the devices electronically pace heartbeats and shock the heart back to its normal rhythm when dangerous pumping patterns are detected.” (Abdollah, T. & Perrone, M., 2017). With technology becoming more advanced and creeping into the health system there are more vulnerabilities than ever. In this case it is live medical information about a patient, and the device itself, that a hacker can actively attack. They could turn off the device, shock a patient when it is not needed, and drain the battery. All of these can have deadly impacts. In this case there was no evidence of this actually happening, and St. Jude provided patches to the system to keep it from happening.
However, this is not the only case. According to James Niccolai (2015), “Thousands of medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients”. This was also shown when Jay Radcliffe, a diabetic and security expert, was able to hack his own insulin pump (Leitner, T. & Capitanini, L., 2014). According to Darlene Storm (2015), TrapX, a deception-based security company, found compromised X-ray equipment, picture archiving and communication systems (PACS), and blood gas analyzers being used as backdoors into hospital networks. This personally worries me, as someone could hack a system and change my medicine dosage without my noticing. I would hope the pharmacist would catch something like that. However, think about how many times you have been to the hospital to get an X-ray or any other medical procedure where the device itself is connected directly to the network.
The worst part of this example is that we as patients can do nothing about it. Even if you prevent the doctor from sharing your information electronically, the equipment itself is still a target to be hacked. Hopefully, medical device manufacturers pay more attention to the security of their products as they become more and more advanced.







References:
Abdollah, T. & Perrone, M. (2017, January 10). US warns of unusual cybersecurity flaw in heart devices. Retrieved from: http://bigstory.ap.org/article/dc914628d99140a391b8050e571aae05/us-warns-unusual-cybersecurity-flaw-heart-devices
Leitner, T. & Capitanini, L. (2014). Medical Devices Vulnerable to Hack Attacks. Retrieved from: http://www.nbcchicago.com/investigations/Medical-Devices-Vulnerable-to-Hack-Attacks-277538441.html
Niccolai, J. (2015). Thousands of medical devices are vulnerable to hacking, security researchers say. PCWorld. Retrieved from: http://www.pcworld.com/article/2987813/thousands-of-medical-devices-are-vulnerable-to-hacking-security-researchers-say.html
Storm, D. (2015). MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks. Retrieved from ComputerWorld: http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html



Friday, April 21, 2017

Organ Procurement Organizations with Regard to HIPAA Week #6 Blog

This blog is going to contain much more of my opinion than previous blog posts. I was looking for something to write about, and came across a story about HIPAA with regard to Organ Procurement Organizations (OPOs) (Health IT Security, 2017). An ex-employee, Patrick McMahon, claimed that the New York Organ Donor Network, Inc. had removed patient organs before the patients were clinically dead. He claimed he was fired because he "blew the whistle"; the company claimed he was fired due to poor performance. Mr. McMahon claimed that part of his evidence was in the patients' case files, which he said showed the patients were still alive. He requested the release of the records to prove his case, to which the OPO responded that it could not release the records due to confidentiality. The OPO also stated that, although OPOs are not covered by HIPAA, it needed to maintain the patients' confidentiality because it had signed memoranda of understanding (MOUs) with the hospitals in order to retrieve the pertinent information needed for the organ donation process. It argued that "it would defeat the purpose of HIPAA if it were required to comply with plaintiff's request" (McMahon v. New York Organ Donor Network, Inc., 2016). The plaintiff won, with the court ruling that since the OPO is not a HIPAA covered entity it must turn over the records.

This led me to think about why OPOs are not HIPAA covered entities. First, how can a hospital release records to an entity not covered under HIPAA? This is a little easier to understand. In order for an organ donor group to do its job, it needs vital information about a patient to make sure that the organ goes into a viable recipient. Having to wait for an authorization from a family member would waste valuable time, since some organs are only viable for so long. This part makes sense and I completely agree with it. I think this is why you indicate that you are an organ donor on your ID. This lets hospitals know they already have your approval.

So why aren't OPOs covered under HIPAA then? This isn't covered too well. From what I have read, it basically comes down to their need to know the information to do their job. They can also share information with the donor family such as the age, health, gender, and sex of the recipient. Under HIPAA they might not be able to provide that information to the donor family. This can help the donor family feel a little better knowing general information about who is being helped. It could also cause issues, though, if the OPO started discussing non-health-related information, as it may make the family more reluctant to donate if the recipient were of a different religion, for example. This is where I am conflicted myself. For myself, I am an organ donor, so I authorize anyone to use my organs. However, someone who has to decide for another family member may feel reassured that the organ is going to someone who needs it. By making an OPO a covered entity, it could not give that information without the recipient family's permission, which may make the donating family more reluctant to donate. Also, by having to wait for the recipient's approval you are adding more delay to the process. For example, if the recipient has to say yes before the information is provided to the donor family, who then say no, valuable time was just wasted.

With all that being said, I agree with the court's ruling that the medical records should be released. A health care provider may use or disclose information if and as required by law (42 CFR § 482.45). I believe that in a matter of law no information should be kept private, provided it is strictly used for the purpose of the case and only the parts that are required are released, i.e. in this case only the pertinent information at the time of the patient's death.

References:

Condition of Participation: Organ, Tissue, and Eye Procurement. (2013). 42 CFR § 482.45.
Health IT Security (2017). Judge Says HIPAA Regulations Do Not Apply in Organ Donor Case. Retrieved from: http://healthitsecurity.com/news/judge-says-hipaa-regulations-do-not-apply-in-organ-donor-case
McMahon v. New York Organ Donor Network, Inc. (2016). New York Supreme Court Op 32707. Retrieved from: http://nycourts.gov/reporter/pdfs/2016/2016_32707.pdf



Friday, April 14, 2017

HIPAA with Regards to Health Applications Week #5

So lately I have been using the MyFitnessPal app to track my diet. I am using it more for the fact that I need to monitor my protein intake since I have been running so much. This got me thinking: I see so many healthcare apps, and I see doctors using apps on iPads, notebooks, or other electronic devices while they are assisting patients. These apps obviously make it easier for doctors/nurses/techs to do their jobs. Yet they can also lead to HIPAA violations. Companies must take a lot into account when building an app. “It is important to consider the legal implications early on in the design stage...” (Savage & Caton-Peters, 2016). In fact, the Office of the National Coordinator for Health Information Technology (ONC) collaborated with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the HHS Office for Civil Rights (OCR) to create a site for app developers to figure out which laws may apply to them: https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/educating-health-app-developers-regulatory-requirements/. “This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users” (Savage & Caton-Peters, 2016).
This is a valuable tool for app developers. It provides guidance and instruction as to what they can and cannot do with apps. It can also improve security, as developers will be much more hesitant to include certain data types knowing the implications they could be facing. At the same time, users must be cautious about what they put into the apps. I have seen several people post their personal health information online. That data is not HIPAA protected since you are providing the information yourself. Users must be just as responsible when using health apps. Make sure you read the small print so you know what information may or may not be shared.


References:
Savage, L. & Caton-Peters, H. (2016). Educating Health App Developers about Regulatory Requirements. Retrieved from: https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/educating-health-app-developers-regulatory-requirements/
Health IT Security. (2017). Mobile Security Strategies for Common Provider Concerns. Retrieved from: http://healthitsecurity.com/news/mobile-security-strategies-for-common-provider-concerns



Friday, April 7, 2017

HIPAA Compliance Penalties Week #4 Blog

Last week I discussed HIPAA compliance. This week I wanted to discuss the penalties for not complying with HIPAA. When a data breach occurs, it is up to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), to investigate and enforce. The first thing to know is what constitutes a breach. A breach means “the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.” (Eisen, J. & Gulick, S., 2012). Note that the "significant risk of harm" wording comes from the 2009 interim rule; the 2013 Omnibus Rule replaced it with a presumption that any impermissible use or disclosure is a breach unless a risk assessment shows a low probability that the PHI was compromised. When looking at an incident, some things need to be taken into account: the persons involved, including who disclosed the PHI and who received it; the type and amount of PHI involved; whether the PHI was actually viewed or acquired; and the extent to which the risk has been mitigated (Health IT Security). There are some exceptions, e.g. if an employee happens to open and view an email sent to them by accident and they are cleared to see PHI, or if there is no way the data could be retained long enough to do any damage.
So assuming you have a breach, what penalties exist? Most penalties involve fines, and depending on the severity this can include jail time. According to the American Medical Association, fines range from $100 per violation for an unknowing offense to $50,000 per violation when there was willful neglect (see image below). Criminal penalties can also apply: if PHI was knowingly disclosed, the offender can be imprisoned for up to 1 year; if it was obtained under false pretenses, up to 5 years; and if there was intent to sell it or use it for personal advantage, up to 10 years.
Figure 1 American Medical Association
Think about the monetary aspect alone: if it is an unknowing violation, it is $100 per violation, so with 100 violations you are already on the hook for $10,000. You can see how the cost could rack up quickly. This monetary impact is enough to make sure that hospitals remain HIPAA compliant. I personally don’t know if the penalties the offenders receive are any benefit to me if it is my information that is stolen, except for the fact that more care would be taken (at least I would hope). On top of this, the organization that caused the breach could also face litigation from the people whose information was stolen. Thus there is a major benefit in maintaining compliance.

References:
American Medical Association. HIPAA Violations & Enforcement. Retrieved from: https://www.ama-assn.org/practice-management/hipaa-violations-enforcement

Eisen, J. & Gulick, S. (2012). What is a Breach Under the HITECH Breach Notification Regulations? ABA HEALTH eSOURCE, 8(9). Retrieved from: https://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_0512_eisen.html