Cybersecurity Guidance Applies to BA Data Breaches

October 16, 2014

Confidentiality, integrity, and encryption are all items that need to be addressed within a medical practice's data security policy for business associates.

Recently, two items emerged that all healthcare professionals should be aware of: third- and fourth-party data breaches, and the FDA's final guidance on cybersecurity in medical devices. Third- and fourth-party data breaches occur down the line when entities that have no direct contact with patients, or that provide outsourced services, have not been properly vetted; in sum, no due diligence was performed.

"The risk of sending data to a third party has never been greater. The Ponemon Institute has published many articles and white papers on the subject. Recently, the Ponemon Institute, LLC, published its Fourth Annual Benchmark Study on Patient Privacy & Data Security, where it noted that healthcare organizations don't trust their third-party or business associates with sensitive patient information. Only 30 percent of those surveyed are very confident or confident that their business associates are appropriately safeguarding patient data as required under the Final Rule." If there is a "break in the chain of trust," then what is an organization doing to protect itself under the provisions of its Business Associate Agreement?

*In light of escalating security breaches like the latest data breach at JP Morgan, we are interested in finding out how practices are securing their patient data. Take our brief survey on medical practice cybersecurity measures.*


Those items that meet the classification of "software that is a medical device" need to meet certain standards when submitted as a Premarket Notification (510(k)), De Novo submission, Premarket Approval Application (PMA), Product Development Protocol (PDP), or Humanitarian Device Exemption. The FDA encourages manufacturers to consider cybersecurity measures when designing medical devices to help mitigate patient risk. The FDA suggests these measures:

• Identification of assets, threats, and vulnerabilities;

• Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;

• Assessment of the likelihood of a threat and of a vulnerability being exploited;

• Determination of risk levels and suitable mitigation strategies; and

• Assessment of residual risk and risk acceptance criteria.

Confidentiality, integrity, cybersecurity, and encryption are all items that need to be addressed within the suggested procedural steps. This is in keeping with the requisite risk analysis and software validation pursuant to 21 CFR 820.30(g).

In sum, considering the environment, the FDA application requirements, and the HIPAA requirements can mitigate risk. Incorporating these findings into discussions with direct and indirect business associates could provide peace of mind and reduce the risk of financial and reputational harm in the event of a breach, the reporting of a technical violation, or an HHS audit.