Biomedical instrumentation & technology | 2019

Analysis: Call for Industry Change on the Perception of Protected Health Information.


Abstract


Medical device security is a topic of great interest for healthcare delivery organizations (HDOs). With more than 400 breaches currently under investigation by the Department of Health & Human Services, the loss and theft of protected health information (PHI), including PHI stored on or transmitted by medical devices, is a very real concern. Medical records are of high value to threat actors, who can use them, for example, to obtain prescription drugs or to file claims under another person's medical identity. Within an HDO, such records are stored on medical devices from multiple manufacturers, and HDOs are taking steps to assess the risks of devices that store, transmit, and display PHI. This article addresses a privacy risk found on a medical device. HDOs should also be mindful of patient safety and care delivery risks when conducting risk assessments; however, those risks are not the focus of the current work.

A security review of a medical device (a Windows Embedded tablet with leads that capture various patient health measurements) raised concerns about the extent of the PHI it contained. A sample of five patient records stored on the device was analyzed. Table 1 shows the labels and format used for the dataset (actual data were removed to protect the patients). In its documentation (the Manufacturer Disclosure Statement for Medical Device Security [MDS2] form) and in interviews, the manufacturer stated that the device does not contain PHI.

Under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, PHI is any information about an individual's health condition, the provision of healthcare, or payment for healthcare that can be linked to a specific individual (45 CFR § 160.103). Furthermore, for a record to fall outside the definition of PHI under the Safe Harbor method, all 18 identifiers listed in 45 CFR § 164.514(b) (e.g., name, geographic subdivisions smaller than a state, birth date, Social Security number) must be removed. In other words, de-identifying PHI, and thereby creating data that is no longer restricted by HIPAA and can be shared (e.g., for research), requires removal of all 18 identifiers. Therefore, according to the current industry perception of PHI, the manufacturer would be correct, because the combination of first name and date of birth (as shown in Table 1) is treated as insufficient to uniquely identify a patient, even though names and birth dates are themselves among the listed identifiers. However, given a visible record of a patient's first name and date of birth, along with knowledge of the state in which the HDO operates, could a patient be uniquely identified on the assumption that he or she resides near the HDO? A quick search on a reverse lookup website, using only the date of birth and state for one patient, yielded fewer than 100 results, which included last names and addresses. After the first name was added to the filter, the number of results dropped to fewer than 10. Knowledge of the last name becomes trivial at this point, as

J.P. Larson, CISSP, CISA, CIoTSP
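The narrowing search described above is a linkage attack: each quasi-identifier added to the filter shrinks the candidate set in a public directory until one person remains. The following added example (not from the article or its author) reproduces that mechanic over a small, constructed synthetic directory and five constructed device records shaped like the first-name/date-of-birth fields the abstract describes; the directory entries, names, addresses and the `DirectoryEntry`, `candidates`, `narrowing`, `k_anonymity` and `reidentify` helpers are all assumptions introduced here, and a real reverse-lookup site would simply be a much larger directory. It also generalizes the text's one instance by computing the k-anonymity of the directory under a given set of quasi-identifiers, which tells a reviewer how many records are uniquely linkable before any search is run.

```python
"""Linkage (re-identification) demo for a device record that holds only a
first name and a date of birth, assuming the HDO's state is known.

Added example, not code from the article. DIRECTORY and DEVICE_RECORDS are
constructed synthetic data; no real persons are represented.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DirectoryEntry:
    """One row of a public reverse-lookup directory (constructed)."""
    first_name: str
    last_name: str
    dob: str        # ISO date, YYYY-MM-DD
    state: str      # two-letter state code
    address: str


# Constructed directory standing in for a reverse-lookup site.
DIRECTORY: List[DirectoryEntry] = [
    DirectoryEntry("Maria", "Alvarez", "1960-03-14", "OH", "12 Elm St, Columbus"),
    DirectoryEntry("Maria", "Chen",    "1960-03-14", "OH", "8 Oak Ave, Akron"),
    DirectoryEntry("John",  "Smith",   "1960-03-14", "OH", "44 Pine Rd, Dayton"),
    DirectoryEntry("John",  "Doe",     "1960-03-14", "OH", "9 Main St, Toledo"),
    DirectoryEntry("Maria", "Alvarez", "1960-03-14", "PA", "3 Birch Ln, Erie"),
    DirectoryEntry("Priya", "Nair",    "1960-03-14", "OH", "21 Cedar Ct, Akron"),
    DirectoryEntry("Priya", "Nair",    "1975-07-02", "OH", "5 Lake Dr, Cleveland"),
    DirectoryEntry("John",  "Smith",   "1975-07-02", "OH", "77 Hill St, Dayton"),
]

# Constructed device records in the shape the abstract describes:
# the device stores only a first name and a date of birth.
DEVICE_RECORDS: List[Dict[str, str]] = [
    {"first_name": "Priya", "dob": "1960-03-14"},
    {"first_name": "Maria", "dob": "1960-03-14"},
    {"first_name": "John",  "dob": "1975-07-02"},
    {"first_name": "Priya", "dob": "1975-07-02"},
    {"first_name": "John",  "dob": "1960-03-14"},
]


def candidates(directory: Iterable[DirectoryEntry], **quasi_ids: str) -> List[DirectoryEntry]:
    """Return every directory entry whose fields equal all supplied quasi-identifiers
    (case-insensitive string match, like a lookup form with several filters)."""
    return [
        e for e in directory
        if all(getattr(e, key).lower() == value.lower() for key, value in quasi_ids.items())
    ]


def narrowing(directory: Iterable[DirectoryEntry], record: Dict[str, str], state: str) -> Dict[str, int]:
    """Candidate-set sizes at each filter stage, mirroring the abstract's search:
    date of birth + state first, then first name added."""
    directory = list(directory)
    stage1 = candidates(directory, dob=record["dob"], state=state)
    stage2 = candidates(directory, dob=record["dob"], state=state, first_name=record["first_name"])
    return {"dob+state": len(stage1), "dob+state+first_name": len(stage2)}


def reidentify(directory: Iterable[DirectoryEntry], record: Dict[str, str], state: str) -> Optional[Tuple[str, str]]:
    """Return (last_name, address) when exactly one directory entry matches the
    device record plus the assumed state; None when the match is still ambiguous."""
    hits = candidates(directory, dob=record["dob"], state=state, first_name=record["first_name"])
    if len(hits) == 1:
        return hits[0].last_name, hits[0].address
    return None


def k_anonymity(directory: Iterable[DirectoryEntry], quasi_keys: Sequence[str]) -> int:
    """Smallest equivalence-class size over the given quasi-identifier fields.
    k == 1 means at least one person is uniquely linkable from those fields alone."""
    classes = Counter(tuple(getattr(e, key) for key in quasi_keys) for e in directory)
    return min(classes.values())


if __name__ == "__main__":
    hdo_state = "OH"  # assumption: patients live near the HDO
    for rec in DEVICE_RECORDS:
        print(rec, narrowing(DIRECTORY, rec, hdo_state), reidentify(DIRECTORY, rec, hdo_state))
    print("k over (dob, state):", k_anonymity(DIRECTORY, ("dob", "state")))
    print("k over (dob, state, first_name):", k_anonymity(DIRECTORY, ("dob", "state", "first_name")))
```

In the constructed data the record for "Priya" born 1960-03-14 collapses from five candidates to one and yields a last name and address; the record for "Maria" with the same birth date stops at two candidates and is reported as ambiguous rather than guessed, which is the edge case an assessor should also record. A k-anonymity of 1 over the quasi-identifiers the device exposes is the warning sign: it means the stored fields are enough to single out at least one patient, regardless of whether the MDS2 form calls them PHI.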

Volume 53, Issue 4
Pages 277-279
DOI 10.2345/0899-8205-53.4.277
Language English
Journal Biomedical instrumentation & technology
