
How to manage patient data security and privacy demands in the digital health era

Digitization is transforming the healthcare industry. The proper risk mitigation framework will ensure continued progress without delays from unfortunate, and potentially preventable, security and privacy breaches.

Digital health is ushering in an exciting time for medicine, with digital therapeutics offering new approaches to treating numerous ailments. At the same time, health data breaches are rising globally, creating challenges for biopharma and medtech companies. These organizations hold more sensitive data today than ever before, and with it carry more risk. At stake are product advancements, company reputations and, potentially, patient outcomes.

As with many emerging industries, regional, state and national governments globally are developing new and sometimes conflicting privacy policies that empower patients with data access rights and create additional compliance responsibilities for biopharma and medical device companies. As companies consider building cloud-based platforms to manage data coming from new digital products and services, it is important to recognize the heightened security risk of collecting patients’ medical data, even if much of it is de-identified.

Here are the top challenges in protecting health data and how to solve them:

Managing the Data Firehose
In the next ten years, as many as 50 billion medical devices will send data to healthcare providers, patients and each other. The velocity, volume and variety of data is rapidly increasing. Clinical trials have leveraged health apps and connected health devices, and biopharma and medtech companies are now beginning to collect information at the population level. Data flow is exploding from hundreds of patients in a controlled setting to thousands or more in a commercial environment. Real-time data streams are also flowing from wearables, like heart rate monitors and blood pressure devices.

Rapidly increasing amounts of patient data held by biopharma and medtech companies increase their exposure to health data breaches. As healthcare moves beyond traditional, controlled settings, and into more homes with remote patient monitoring, that risk is compounded.

Beyond an increase in volume, the variety of data being captured needs consideration. Heart rate, blood pressure, A1c levels, audio and video are all currently being captured, with more on the horizon, each requiring different security considerations.


Healthcare can be a Security Minefield
The average cost of a health data breach globally is $406 per record, the highest of any industry. Further, the number of patient records exposed in the United States nearly tripled between 2017 and 2018, to 15 million patient records. Just over halfway through 2019, that figure has already reached around 25 million patient records breached. Keeping protected health information (PHI) safe becomes more challenging as device settings expand to connected health devices in homes, workplaces and public spaces.

When most people think of security breaches, they picture outside ransomware attacks like the WannaCry attacks that have hit around 40% of healthcare delivery organizations in the past six months, according to Armis. Security, however, is not just protecting against the external hacker: 28% of breaches start internally. Medtech company Zoll, for instance, notified more than 270,000 patients that their PHI was exposed after an error occurred during a server migration. Understanding current workflows and developing internal processes to address potential leaks is critically important.

A recent CHIME-KLAS survey of CIOs, CTOs and CISOs at healthcare provider organizations found that 18 percent had medical devices that were impacted by malware or ransomware during the previous 18 months. Overall, 96 percent of respondents pointed to medical device manufacturer-related factors as a root cause of the medical device security issues.

Since 2015, the FDA has issued public warnings about cybersecurity vulnerabilities in medical devices that “allow unauthorized users to remotely access, control, and issue commands to compromised devices,” which could lead to “severe patient harm.” A joint alert by the FDA and Department of Homeland Security in March 2019 addressed a critical vulnerability found in thousands of defibrillators that could allow an attacker to remotely control the implanted devices. This illustrates that the harm at stake goes beyond data exposure: a compromised connected device can directly endanger the patient.

While medical device manufacturers are responsible for assessing product vulnerabilities and implementing appropriate risk mitigation measures, regulators continue to issue new cybersecurity guidance as medical devices increasingly leverage connectivity and analytics. Changing technologies and regulations make it difficult for companies to stay current.

Building Safe and Scalable Strategies
Digital technology has helped healthcare become a larger part of our daily routine. With this expansion, a blend of the right knowledge, processes, and tools needs to be in place to protect sensitive data. These include:

  • Establishing proper internal procedures and training to close any internal gap that could permit the 28% of data breaches mentioned earlier.
  • Ensuring systems, products and teams are all compliant with evolving regulations. The HITRUST Common Security Framework (CSF) helps here: it harmonizes various international standards and regulations into one set of baseline security controls, and is becoming the standard certification for companies responsible for PHI.
  • Building a technical foundation devoted to complying with evolving privacy laws and security threats to avoid the potential patient harm, financial penalties, not to mention bad publicity that can result from a breach.
  • Placing all personally identifiable information (PII) in a cloud environment separate from the one that hosts the de-identified data on which medtech and biopharma products operate, and ensuring there is no multi-tenancy across product cloud environments.
  • Delivering continuous training across the organization and ensuring monitoring by a team of privacy and security experts.
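The data-segregation and no-multi-tenancy points above are architectural, so here is an added example of what they look like in code. It is not BrightInsight's code or any product's implementation; the field names, the record format, the per-product HMAC pseudonym and the in-memory stand-ins for the two cloud environments are all assumptions made for illustration. An incoming device reading is split into an identity record, which goes only to the PII environment, and a de-identified reading keyed by a pseudonym, which goes to the product environment. The pseudonym is an HMAC of the record number under a key that belongs to one product, so readings from the same patient stay linkable within a product but cannot be correlated across products, and a guard refuses to store any record that still carries an identifying field.

```python
"""Added example (not from the original article): split device readings into a
PII record and a de-identified record destined for separate environments."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Assumed: fields that identify a patient and must never reach a product environment.
PII_FIELDS = frozenset({"mrn", "name", "dob", "email"})


def new_product_key() -> bytes:
    """Per-product pseudonymization key; it is held only in the PII environment."""
    return secrets.token_bytes(32)


def pseudonym(product_key: bytes, mrn: str) -> str:
    """Keyed hash of the patient identifier. Stable within one product (same key),
    unlinkable across products (different keys), not reversible without the key."""
    return hmac.new(product_key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record: Dict, product_key: bytes) -> Tuple[Dict, Dict]:
    """Return (identity_record, deidentified_record) joined only by the pseudonym."""
    pid = pseudonym(product_key, record["mrn"])
    identity = {k: v for k, v in record.items() if k in PII_FIELDS}
    deidentified = {k: v for k, v in record.items() if k not in PII_FIELDS}
    identity["pseudonym"] = pid
    deidentified["pseudonym"] = pid
    return identity, deidentified


def assert_no_pii(deidentified: Dict) -> None:
    """Guard run in the product environment before anything is written."""
    leaked = PII_FIELDS & set(deidentified)
    if leaked:
        raise ValueError("PII fields leaked into de-identified store: %s" % sorted(leaked))


class Environment:
    """Stand-in for one isolated cloud environment (constructed for this example)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rows: List[Dict] = []

    def store(self, row: Dict) -> None:
        self.rows.append(dict(row))


def ingest(records: List[Dict], product_key: bytes,
           pii_env: Environment, product_env: Environment) -> int:
    """Route each reading: identity to the PII environment, measurements to the product's."""
    for record in records:
        identity, deidentified = split_record(record, product_key)
        assert_no_pii(deidentified)          # fail closed rather than store PII
        pii_env.store(identity)
        product_env.store(deidentified)
    return len(records)


# Constructed sample readings from a hypothetical connected blood pressure cuff.
SAMPLE = [
    {"mrn": "MRN-0001", "name": "A. Patient", "dob": "1970-01-01",
     "email": "a@example.org", "device": "bp-cuff",
     "systolic": 128, "diastolic": 82, "ts": "2019-07-01T08:00:00Z"},
    {"mrn": "MRN-0001", "name": "A. Patient", "dob": "1970-01-01",
     "email": "a@example.org", "device": "bp-cuff",
     "systolic": 131, "diastolic": 85, "ts": "2019-07-02T08:00:00Z"},
]

if __name__ == "__main__":
    key_a = new_product_key()
    pii_env, product_a = Environment("pii"), Environment("product-a")
    ingest(SAMPLE, key_a, pii_env, product_a)
    for row in product_a.rows:
        print(row)
```

Two caveats a practitioner would add. The per-product key is what enforces the no-multi-tenancy property, so it must live only in the PII environment and never be copied into a product environment; anyone holding the key can re-link pseudonyms to record numbers. And stripping direct identifiers is not, by itself, HIPAA de-identification: dates, device serials and other quasi-identifiers left on the product side still need their own handling.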

Maintaining a homegrown digital health platform that meets these requirements demands significant investment. As in other business areas where outside expertise is more feasible than building everything in-house, such as ERP systems, the heavy lift involved in creating a properly secured platform will lead some companies to leverage a technology partner that can manage their end-to-end digital health needs. This frees up key resources to focus on the core business of creating more effective devices and therapies.

Kal Patel, MD, is CEO and Co-founder of BrightInsight. He has over 20 years of experience in pharma, medtech and regulated digital health. He currently serves as CEO and Co-Founder at BrightInsight, the leading global platform for biopharma and medtech regulated digital health solutions. BrightInsight has raised $166M in financing from world-renowned venture capital firms including General Catalyst, Insight Partners, New Leaf Venture Partners, and Eclipse Ventures, and attracted some of the world’s top biopharma and medtech companies as customers including Sanofi, Novo Nordisk, Roche, AstraZeneca, UCB and CSL Behring, among others.

Prior to founding BrightInsight he was Chief Commercial Officer for Doctor on Demand, now one of the nation’s largest video-medicine providers, with backing from Andreessen Horowitz, Venrock, Google Ventures, and Qualcomm. Kal founded and built Amgen’s Digital Health business unit, where he had end-to-end responsibility for developing and commercializing a portfolio of regulated digital products including connected devices, Software as a Medical Device (SaMD), and algorithms.
Prior to his focus on digital health at Amgen, Kal was the Global Marketing Lead for Enbrel, the company’s leading drug with over $6B in sales, where he created and launched major investments in novel clinical trials, innovative drug delivery devices, improved formulations and differentiated patient support programs. Kal started his Amgen career as Head of Corporate Strategy.

Kal also spent several years at Novartis Pharmaceuticals in various sales, marketing and account leadership roles. He began his professional career at the Boston Consulting Group, where he worked for a broad portfolio of healthcare companies across the U.S. and Europe. He transferred to the company’s Budapest office as part of BCG’s Ambassador program and was promoted early to Principal. Kal has also served as a Senior Advisor in Digital Health to the Boston Consulting Group, where he helped C-level executives at pharma and medtech companies develop and execute digital health strategies.