Cybersecurity tips for handling patient-generated health data

Andis Robeznieks, Senior News Writer

Successfully engaging patients to achieve superior care outcomes often means accepting and using the health data they provide, but doing so could pose a cybersecurity risk. Physician practices must have their guard up.

More than half of physicians participating in an AMA cybersecurity survey said they will soon be accepting patient-generated data. Louisiana’s Ochsner Health System provided an example of how this can help patients.

Ochsner connected its electronic health record to the Apple HealthKit to collect weight and blood pressure readings from patients with uncontrolled BP. Within 90 days, two-thirds of patients had their BP under control.

Shared patient data can be an important treatment aid, especially for patients with chronic conditions. But it must be uncorrupted.

The AMA has many cybersecurity resources available that give physicians looking to safely accept their patients’ data actionable advice on preventing attacks.

“Data should be cleaned of malicious code before it’s fully incorporated into the patient’s general health record and we encourage the health IT community to be proactive in assisting physicians with this need,” said Matt Reid, an AMA senior health IT consultant. “There’s also the concern beyond just the data. The applications that send the data can themselves be a route to attack a physician’s health IT network.”
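One concrete form that cleaning step can take, as an added example (not code from the AMA, Ochsner or any EHR vendor): a validation gate that admits only allowlisted numeric readings of the kind Ochsner collected (weight, blood pressure) with plausible values, expected units and well-formed timestamps, and rejects everything else before anything is written to the record. The JSON shape, field names and ranges are assumptions for the example.

```python
import json
from datetime import datetime, timezone
# Allowlisted types -> (required unit, min, max); the JSON shape and ranges are example assumptions, not a clinical standard.
ALLOWED = {"weight": ("kg", 2.0, 400.0), "systolic_bp": ("mmHg", 50.0, 260.0),
           "diastolic_bp": ("mmHg", 30.0, 160.0)}
REQUIRED_KEYS = {"type", "value", "unit", "recorded_at"}

def validate_reading(reading):
    """Return (ok, reason). Only well-typed, in-range, allowlisted readings pass."""
    if not isinstance(reading, dict) or set(reading) != REQUIRED_KEYS:
        return False, "not an object with exactly the expected keys"  # unknown fields never reach the record
    if not isinstance(reading["type"], str) or reading["type"] not in ALLOWED:
        return False, "unknown measurement type"
    unit, lo, hi = ALLOWED[reading["type"]]
    value = reading["value"]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False, "value is not numeric"  # bool is an int subclass, so exclude it explicitly
    if not lo <= value <= hi:
        return False, "value out of plausible range"
    if reading["unit"] != unit:
        return False, "unexpected unit"
    try:
        ts = datetime.fromisoformat(str(reading["recorded_at"]).replace("Z", "+00:00"))
    except ValueError:
        return False, "malformed timestamp"
    if ts.tzinfo is None or ts > datetime.now(timezone.utc):
        return False, "timestamp lacks a timezone or is in the future"
    return True, "ok"

def filter_payload(raw_json):
    # Parse an app payload; return (accepted normalized readings, rejection reasons).
    payload = json.loads(raw_json)
    if not isinstance(payload, list):
        raise ValueError("payload must be a JSON array of readings")
    accepted, rejected = [], []
    for r in payload:
        ok, reason = validate_reading(r)
        if ok:  # keep only the normalized fields, never the raw object
            accepted.append({"type": r["type"], "value": float(r["value"]),
                             "unit": r["unit"], "recorded_at": r["recorded_at"]})
        else:
            rejected.append(reason)
    return accepted, rejected

# Constructed sample: a valid BP pair, markup where a number belongs, an extra field, an impossible value.
SAMPLE = json.dumps([
    {"type": "systolic_bp", "value": 142, "unit": "mmHg", "recorded_at": "2024-03-01T08:15:00Z"},
    {"type": "diastolic_bp", "value": 91, "unit": "mmHg", "recorded_at": "2024-03-01T08:15:00Z"},
    {"type": "weight", "value": "<b>82</b>", "unit": "kg", "recorded_at": "2024-03-01T08:15:00Z"},
    {"type": "weight", "value": 82.4, "unit": "kg", "recorded_at": "2024-03-01T08:16:00Z", "note": "x"},
    {"type": "systolic_bp", "value": 999, "unit": "mmHg", "recorded_at": "2024-03-01T08:15:00Z"}])
```

Running `filter_payload(SAMPLE)` accepts only the two blood-pressure readings and reports a reason for each of the other three, which is the kind of audit trail a practice can review before trusting an app's feed.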

The AMA offers a checklist for office computers (PDF) that recommends purchasing and installing anti-virus software and updating it weekly.

The AMA Digital Health Implementation Playbook includes advice on how to collect patient health information using devices, trackers and sensors to improve the management of chronic disease.

The Playbook has a cybersecurity 101 section on basics that physicians need to know. These include key messages that cybersecurity is not just a technical issue, but a patient safety issue, and that most small practices rely on third-party vendors for cybersecurity support.

The Playbook offers a checklist of key financial and legal documents that outlines what practices need to have in writing from their vendor. These include:

  • An agreement ensuring all entities associated with the business who will interact with private health information are HIPAA-compliant. It also outlines liability for data breaches.
  • Validation of vendor IT security systems and a risk assessment of their security and data processes.
  • A third-party HIPAA auditing report.

Reid added that the health IT industry needs to promote methods that build trust. He noted the wisdom of the adage that “data flows at the speed of trust.”

The AMA is using cybersecurity survey data to encourage the federal government to provide positive incentives for physicians to integrate good cybersecurity practices.

The AMA survey found that nearly half of physicians in smaller practices would like to obtain cybersecurity-related hardware, software or expertise from other provider groups. To do this, however, would require safe-harbor exemptions from the Stark Law and Anti-Kickback Statute.

Safe harbor exemptions were outlined in an AMA letter to the Health and Human Services Department Inspector General.

The AMA recommended the creation of safe harbors to facilitate coordinated care and well-designed alternative payment models by allowing for the sharing of cybersecurity items and services.

“Put simply, small practices may be priced out of participation in alternative payment models if they cannot access affordable cybersecurity tools,” AMA Executive Vice President and CEO James L. Madara, MD, wrote in the letter. “Allowing hospitals and other large providers to share and donate cybersecurity support to physicians will help ensure the security of patient information and improve care coordination among the ecosystem.”