A RapidValue Solutions Whitepaper
Author: Dilip Chatulingath
REGULATIONS AND COMPLIANCE FOR ENTERPRISE MOBILE HEALTH APPLICATIONS
Contents
Mobilizing healthcare applications ........ 01
Security concerns and challenges ........ 02
Defining the application – Does your mobile app need FDA approval? ........ 03
Secure your mobile app – Understanding HIPAA compliances ........ 05
  A. Assess the user base ........ 05
  B. Design a strategy ........ 06
  C. Deploy and manage ........ 09
Conclusion ........ 10
About RapidValue ........ 11
©RapidValue Solutions
Mobilizing healthcare applications
The rapid explosion of mobile platforms and the adoption of smart devices have given physicians and other hospital staff greater flexibility and opportunity to deliver real-time information at the point of care. Mobile healthcare, more commonly called mHealth, has created a channel to facilitate, communicate and deliver healthcare services via mobile communication devices.
Over the last few months, an increasing number of mHealth apps have gained traction that help physicians and other healthcare providers keep track of reference drugs, monitor patient health records and status, and manage schedules. While this provides a plethora of opportunities for healthcare organizations to reduce costs and improve efficiency, this increased mobility trend has created new challenges for healthcare IT.
mHealth market 2015: 500m people will be using healthcare smartphone applications (research2guidance, November 2010 report)
Healthcare organizations and software firms looking to make investments in mobile applications need to assess the implications of HIPAA and FDA in order to protect patient health information and ensure compliances are met. This document outlines some of the key evaluation criteria on regulations and security considerations in the healthcare sector that need to be addressed while implementing mobility solutions.
This paper is a guide for healthcare organizations and their IT departments to assess and identify basic requirements, helping them reduce risk, improve operational efficiency and achieve compliance goals so that they can provide a higher quality of patient care. The whitepaper combines industry best practices with RapidValue's experience in implementing solutions for many customers.
Security concerns and challenges
The influx and usage of mobile devices has threatened traditional security policies and processes. The mode of data transmission of the last few years, through the client/server approach and fixed-line infrastructure, has become obsolete with the invention of mobile and internet technologies. Mobile devices provide access to corporate resources and applications from anywhere, through cloud services and remote mobile desktops.
As more sensitive information is fed into mobile applications and into the network cloud in general, the complete security, privacy and regulatory compliance of such information must be assured. Since security breaches are not uncommon in any industry, the healthcare industry has mandated a few regulations and compliances to ensure patient information is safe.
– HIPAA (Health Insurance Portability and Accountability Act) - HIPAA, in correlation with PHI (Protected Health Information), requires healthcare organizations to ensure that applications are secure, and that sensitive patient and business data is protected when in use, during transmission or when stored on a mobile device.
– FDA regulations - The Federal Food, Drug, and Cosmetic Act requires that any standalone device or accessory (software application) that is directly consumed by the end user is subject to regulation and approval by the FDA.
– HITECH (Health Information Technology for Economic and Clinical Health) Act - HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act is intended to encourage more effective and efficient healthcare through the use of technology, like implementing electronic health records (EHR), thereby reducing healthcare costs and enabling greater access to the system. It aims to address the privacy and security concerns associated with the electronic transmission of health information.
Defining the application – Does your mobile app need FDA approval?
One of the key steps in defining the security compliance strategy for your mobile app is to determine whether the application requires FDA approval.
FDA clearance is typically required for apps that are involved in the diagnosis, treatment, cure or mitigation of a disease. A few examples are given below:
– Standalone device – A device in finished form, perhaps ready to use with accessories, intended for sale to the end user. Example: an iPod touch integrated with an external device to view the blood pressure of a patient.
  FDA clearance – Yes, requires assessment for exemption
– Accessory – Software/articles within a standalone device intended for use by the end user. Examples: A) An app that is used by a patient to download information from a blood glucose meter. B) An app focused on helping people with weight loss and everyday management of diabetes.
  FDA clearance – Yes, requires assessment for the type of application
On the other hand, applications that are informational and reference-only do not require FDA approval.
So how do you know whether the app you developed will be subject to FDA approval? Based on research and years of experience, we at RapidValue suggest considering the questions listed below to help you evaluate whether your app is subject to FDA approval.
Brainstorm and evaluate: possible considerations for an app not being subject to FDA approval
1. How is the data going to be entered into the app?
   Make sure the data to the app is
   – Entered manually
   – Not received from an external device/machine connected to the app
   – Not requiring physical contact with the patient specimen
2. What is the output of the app?
   The output
   – Should not connect to any other device and guide with any instruction
   – Should only interpret the input and provide meaningful data to the patient
   – Should not cure/mitigate/treat the patient
3. Does the app provide real-time updates of a patient?
   The app should not
   – Monitor the patient in real time
   – Notify users with alarms about the physical condition of a patient
   – Produce patient-specific results using processing algorithms
4. RapidValue's assessment
   Apps that do not need approval
   – Wellness-related apps that track/log/record food habits and physical fitness exercise
   – Medical reference applications
   – Medical EHRs/PHRs
   – Apps that improve efficiency, like mobile hospital management care (mHMC) and workflow management
   – Practice-management applications that track billing, determine medical billing codes, and handle remote physician consultation (mPrescribing) and appointments
   Apps that need approval
   – PACS apps (Picture Archiving and Communication Systems) that display radiological images such as X-ray scan reports for diagnosis; these are classified under class II PACS
   – Apps that monitor the blood pressure of a patient, display the heartbeat of a patient, attach ECG reports, or connect to a device on the patient to monitor sleep patterns
Secure your mobile app – Understanding HIPAA compliances
For any healthcare application, security and compliance go hand in hand, and it is absolutely essential to adopt all healthcare compliances and regulations governing the healthcare sector, including HIPAA, HITECH, ITRF Regulation and PCI/PHI compliances.
While a technical architect or product manager decides whether an application is subject to FDA regulation, compliance and security need to be incorporated by the development team building the application.
Below are the key steps in ensuring a design that addresses compliance and regulation requirements.
Unlike desktop environments, where the majority of systems run on a single platform/operating system, the market share of mobile platforms is quite fragmented.
A. Assess the user base
Brainstorm / Diagnose
1. What is the type of user group that will access the application?
   – Is the application going to be accessed by consumers?
   – Is it an enterprise application, which will be accessed only by employees of the organization?
2. Mobile platforms
   – On what platforms does the mobile application need to be supported? iOS (Apple), Android, BlackBerry, Windows or all?
3. Server requirements
   – Is the application a standalone app, or does it communicate with a backend server for data synchronization?
   – What will the application usage be most of the time? Will the application be used by a large user base? The bandwidth that the server can handle needs to be evaluated.
Assessing the information gathered on the above questions will help the IT team strategize and tailor unique security policies for the corporate servers that are constantly accessed by wireless devices.
In the few years since their inception, smartphones have become smarter and more powerful every year, combining the ability to communicate through multiple channels with significant processing power and large storage capacity. Hence these devices have become an easier target for data exposure and security breaches than laptops.
B. Design a strategy
The Centers for Medicare and Medicaid Services (CMS), which oversees HIPAA Security Rule enforcement, has published 'HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information' to help organizations determine the best way to protect ePHI available to mobile device users. Our framework for implementing a secure mobile application is based on the CMS guidance, with recommendations from a development and implementation perspective.
[Figure: Primary risk areas – access to data through external entities (hacking/theft), loss of device, exposure of device to malware]
1. Secure your device
Make sure the mHealth application requires a set of unique credentials (username and password) to access the application.
Risk scenario: Login credentials are lost/stolen, which could potentially result in unauthorized access to view/modify ePHI.
Solution:
a) Implement two-factor authentication for granting remote access to systems that contain ePHI. In addition to the username and password,
– Create a security question such as 'Which city were you born in?'
– Create a four-digit security code that is always requested when the application has been inactive for a specific period of time
– The four-digit security code can be used for logging into the application when the device is in offline mode
b) Enable access to the application using a VPN client connection through Cisco AnyConnect or RSA SecurID.
c) Set password protection rules such as a 6-character PIN, expirations, failure thresholds and data wipe after failure.
d) Implement a technical process for creating unique user names and performing authentication when granting remote access to a workforce member.
e) Set up devices to automatically lock after a specified period of inactivity.
f) Whenever a device is stolen, the IT helpdesk should be notified, and a user interface should be provided on the backend system for the representative to de-register the username.
2. Secure your data
Make sure the data sent to the mobile application is secure on the device as well as during transmission.
Risk scenario: Hacking the network or a mobile device from unprotected access points (like a hotel business center or an airport) is a growing concern and can potentially result in loss of ePHI data.
Solution:
a) Prevent downloading and storing of ePHI data on the device whenever possible. Ensure that any data downloaded is operationally justifiable.
b) Minimize caching of data in browsers for web-based applications.
c) Implement strong encryption solutions (validated encryption, AES256 and Triple DES) for transmission of ePHI, using SSL (Secure Sockets Layer) as the minimum requirement for mHealth applications.
d) Create policies to prevent the use of, and/or encrypt, SD cards and other removable media on mobile devices.
e) Ensure that the server to which all web-service requests are sent from and received by the mobile devices is firewall protected.
f) Provide the ability to perform a 'remote wipe-off' from the server to delete ePHI data from the device. Remote wipe-off can be designed in either of the following ways:
– Monitor the application 'Agent' continuously during online/offline activities and perform remote wipe-off from the server on suspicious activities.
– Monitor the application 'Agent' during online activities and perform remote wipe-off from the server. If the 'Agent' cannot be tracked during offline mode, the data on the device should be deleted once the application has been inactive for about five days.
[Figure: Facility firewall and database, server, and mobile devices connected through a 128-bit encrypted pipeline (authentication + SSL). Data (text and pictures) sent over the SSL pipeline is encrypted and cannot be deciphered; the unique username and password are authenticated against the device on every login.]
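The device-side controls from the 'Secure your device' and 'Secure your data' lists above (PIN gate with a failure threshold and wipe after failure, inactivity auto-lock, server-initiated remote wipe, and deletion of cached ePHI after about five days without server contact), combined into one policy module. This is an added example, not RapidValue's or any product's code: the failure threshold, the lock timeout, the PBKDF2 work factor and the dict standing in for the encrypted local store are assumptions; only the 6-character PIN length and the five-day offline limit come from the paper.

```python
"""Device-side ePHI access-policy enforcer (added example; assumed thresholds noted inline)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored PIN verifier


@dataclass
class Policy:
    min_pin_length: int = 6                 # paper item c): "6 character pin"
    max_failures: int = 5                   # assumed failure threshold before local wipe
    inactivity_lock_s: int = 5 * 60         # assumed auto-lock after 5 minutes idle (item e)
    offline_wipe_after_s: int = 5 * 86400   # paper 2 f): wipe after "about five days" offline


@dataclass
class DeviceState:
    pin_salt: bytes
    pin_hash: bytes
    ephi_store: dict = field(default_factory=dict)  # stands in for the encrypted local store
    failures: int = 0
    unlocked: bool = False
    last_activity: float = 0.0         # epoch seconds of the last user interaction
    last_server_contact: float = 0.0   # epoch seconds of the last successful check-in


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Only a salted, stretched verifier is stored on the device, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(pin: str, policy: Policy, now: float) -> DeviceState:
    """Create the local state for a newly registered user (item d); enforces PIN length."""
    if len(pin) < policy.min_pin_length:
        raise ValueError(f"PIN must have at least {policy.min_pin_length} characters")
    salt = os.urandom(16)
    return DeviceState(pin_salt=salt, pin_hash=_hash_pin(pin, salt),
                       last_activity=now, last_server_contact=now)


def wipe(state: DeviceState) -> str:
    """Wipe-off: drop every cached ePHI record and lock the application."""
    state.ephi_store.clear()
    state.unlocked = False
    return "wiped"


def unlock(state: DeviceState, policy: Policy, pin: str, now: float) -> str:
    """PIN gate with failure threshold; returns 'unlocked', 'denied' or 'wiped'."""
    candidate = _hash_pin(pin, state.pin_salt)
    if hmac.compare_digest(candidate, state.pin_hash):  # constant-time comparison
        state.failures = 0
        state.unlocked = True
        state.last_activity = now
        return "unlocked"
    state.failures += 1
    if state.failures >= policy.max_failures:  # item c): data wipe after repeated failure
        return wipe(state)
    return "denied"


def touch(state: DeviceState, policy: Policy, now: float) -> str:
    """Call on every user interaction; enforces the inactivity auto-lock (item e)."""
    if not state.unlocked:
        return "locked"
    if now - state.last_activity > policy.inactivity_lock_s:
        state.unlocked = False
        return "locked"
    state.last_activity = now
    return "ok"


def read_record(state: DeviceState, policy: Policy, patient_id: str, now: float):
    """Every ePHI read passes through the lock check; returns None when locked or absent."""
    if touch(state, policy, now) != "ok":
        return None
    return state.ephi_store.get(patient_id)


def check_in(state: DeviceState, policy: Policy, now: float,
             server_reply: dict | None) -> str:
    """Agent heartbeat (section 2 f); server_reply is None while the device is offline.
    Online: record the contact and honour a server-initiated wipe. Offline: once the
    server has been unreachable longer than the policy allows, delete the cache locally."""
    if server_reply is not None:
        state.last_server_contact = now
        if server_reply.get("wipe"):
            return wipe(state)
        return "online"
    if now - state.last_server_contact > policy.offline_wipe_after_s:
        wipe(state)
        return "wiped-offline-expiry"
    return "offline"
```

The returned strings are meant to be logged by the agent and reported at the next check-in, so the backend keeps the audit trail HIPAA reviews ask for even when the wipe decision was taken offline.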
C. Deploy and manage
Once the development team has implemented the application with the compliances discussed above, the next step is to assess how to deploy the application and manage it over subsequent releases and upgrades.
For applications that are not going to be used by consumers but rather by the organization's employees, we recommend rolling out using the enterprise distribution model, through which users have access to and download the recommended enterprise apps, receive them securely over-the-air (OTA), and are alerted to and download updates when available. Moreover, organizations can leverage this feature to keep an accurate inventory of the mobile apps that are installed at any given time and monitor them by device and user group.
While there is significant concern about application vulnerability, integrity and user privacy in the Apple App Store and Android Market, we believe that implementing some of the security measures below will strengthen the compliance policies significantly.
– Develop processes to ensure backups of all ePHI data sent/received by the mobile application are performed on the server side regularly.
– For enterprise-controlled apps/devices, apply over-the-air (OTA) provisioning and management of smartphones.
– Scan the server network platform for suspicious activities and malware regularly.
– Ensure the workforce is appropriately trained on policies and on the usage of applications that access any ePHI data. Recommend that users search for and delete any files intentionally or unintentionally saved to external devices.
– Perform regular internal HIPAA audits when an application is planned for an upgrade to include new enhancements/bug fixes.
Conclusion
Considering the trends towards adoption of different digital technologies, today's healthcare organizations face enormous challenges in compliance and regulation. As we have witnessed more recently, personal information theft has proven costly for organizations, resulting in loss of credibility and in being forced out of business.
With robust auditing required for HIPAA security compliance, IT groups can no longer ignore mobile devices in their security policy implementation. Companies looking to develop mHealth solutions should consider leveraging their existing IT infrastructure, policies and services, and ensure that newer technologies are seamlessly integrated. This will add significant value to the organization by providing quality care for their patients.
Disclaimer
This white paper brings out the evaluation criteria of mobile health apps related to FDA and HIPAA
compliance aspects based on our research, analysis and understanding. Any architectural assessment and/or
design decisions related to the above policies should not be implemented based solely on the
recommendations in the document. RapidValue shall have no liability for any direct, incidental, or
consequential damages suffered by any third party as a result of decisions/actions taken, or not taken,
based on this document.
About RapidValue
A global leader in digital transformation for enterprises, providing end-to-end mobility, omni-channel, IoT and cloud solutions. Armed with a large team of experts in consulting, UX design, application development, integration and testing, along with experience delivering projects worldwide in mobility and cloud, we offer a wide range of services across industry verticals. We deliver services to the world's top brands, Fortune 1000 companies, multinational companies and emerging start-ups. We have offices in the United States, the United Kingdom and India.
www.rapidvaluesolutions.com | www.rapidvaluesolutions.com/blog
+1 877.643.1850 | contactus@rapidvaluesolutions.com
July 2012

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 

Regulations and Compliance for Enterprise Mobile Health Applications - A Whitepaper by RapidValue Solutions

This paper is a guide for healthcare organizations and their IT departments to assess and identify basic requirements, reduce risk, improve operational efficiency and achieve compliance goals, so that they can provide a higher quality of patient care. The whitepaper combines industry best practices with RapidValue's experience in implementing solutions for many customers.

Security concerns and challenges

The influx and usage of mobile devices have challenged traditional security policies and processes. The client/server approach over fixed-line infrastructure that dominated data transmission for years has been made obsolete by mobile and internet technologies. Mobile devices provide access to corporate resources and applications from anywhere, through cloud services and remote mobile desktops. As more sensitive information is fed into mobile applications and into the network cloud in general, the security, privacy and regulatory compliance of that information must be assured.

Since security breaches are not uncommon in any industry, the healthcare industry has mandated regulations and compliance requirements to ensure patient information is kept safe:

– HIPAA (Health Insurance Portability and Accountability Act) – In relation to PHI (Protected Health Information), HIPAA requires healthcare organizations to ensure that applications are secure and that sensitive patient and business data is protected in use, during transmission and when stored on a mobile device.
– FDA regulations – The Federal Food, Drug, and Cosmetic Act requires that any standalone device or accessory (including software applications) that is directly consumed by the end user is subject to FDA regulation and approval.
– HITECH (Health Information Technology for Economic and Clinical Health) Act – HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA). It is intended to encourage more effective and efficient healthcare through the use of technology, such as electronic health records (EHR), thereby reducing healthcare costs and enabling greater access to the system. It also addresses the privacy and security concerns associated with the electronic transmission of health information.
Defining the application – Does your mobile app need FDA approval?

One of the key steps in defining the security compliance strategy for your mobile app is to determine whether the application requires FDA approval. FDA clearance is typically required for apps that are involved in the diagnosis, treatment, cure or mitigation of disease. A few examples are given below:

– Standalone device – A device in finished form, perhaps ready to use with accessories, intended for sale to the end user. Example: an iPod touch integrated with an external device to view a patient's blood pressure. FDA clearance: Yes, requires assessment for exemption.
– Accessory – Software/articles within a standalone device intended for use by the end user. Examples: A) an app used by a patient to download information from a blood glucose meter; B) an app focused on helping people with weight loss and everyday management of diabetes. FDA clearance: Yes, requires assessment for the type of application.

On the other hand, applications that are informational and reference-only do not require FDA approval. So how do you know whether the app you developed will be subject to FDA approval? Based on research and years of experience, we at RapidValue suggest you consider the questions listed below to help you evaluate whether your app is subject to FDA approval.
Brainstorm and evaluate – possible considerations for an app not being subject to FDA approval

1. How is the data going to be entered into the app? Make sure the data to the app is:
– Entered manually
– Not received from an external device/machine connected to the app
– Not dependent on physical contact with a patient specimen

2. What is the output of the app? The output:
– Should not connect to any other device or guide it with any instruction
– Should only interpret the input and provide meaningful data to the patient
– Should not cure/mitigate/treat the patient

3. Does the app provide real-time updates about a patient? The app should not:
– Monitor the patient in real time
– Notify users with alarms about the physical condition of a patient
– Produce patient-specific results using processing algorithms

4. RapidValue's assessment

Apps that do not need approval:
– Wellness-related apps that track/log/record food habits or physical fitness exercise
– Medical reference applications
– Medical EHRs/PHRs
– Apps that improve efficiency, such as mobile hospital management care (mHMC) and workflow management
– Practice-management applications that track billing, determine medical billing codes, support remote physician consultation (mPrescribing) and manage appointments

Apps that need approval:
– PACS apps (Picture Archiving and Communication Systems) that display radiological images such as X-ray scan reports for diagnosis; these are classified under class II
– Apps that monitor a patient's blood pressure, display a patient's heartbeat, attach ECG reports, or connect to a device worn by the patient to monitor sleep patterns
Secure your mobile app – Understanding HIPAA compliances

For any healthcare application, security and compliance go hand in hand, and it is essential to adopt all healthcare compliances and regulations governing the sector, including HIPAA, HITECH, ITRF Regulation and PCI/PHI compliances. While a technical architect or product manager decides whether an application is subject to FDA regulation, compliance and security need to be built in by the development team building the application. Below are the key steps in ensuring a design that addresses compliance and regulation requirements.

A. Assess the user base

Unlike desktop applications, where the majority of systems run on a single platform/operating system, the mobile platform market is highly fragmented.

1. User group – What type of user group will access the application?
– Is the application going to be accessed by consumers?
– Is it an enterprise application that will be accessed only by employees of the organization?

2. Mobile platforms – On what platforms does the mobile application need to be supported?
– iOS (Apple), Android, BlackBerry, Windows, or all of them?

3. Server requirements
– Is the application a standalone app, or does it communicate with a backend server for data synchronization?
– What will the application usage be at most times? Will the application be used by a large user base? The bandwidth the server can handle needs to be evaluated.

Assessing the answers to the above questions will help the IT team to strategize and continually tailor security policies on the corporate servers that are accessed by wireless devices.
In the few years since their inception, smartphones have grown smarter and more powerful every year, combining the ability to communicate through multiple channels with significant processing power and large storage capacity. These devices have therefore become an easier target for data theft than laptops.

B. Design a strategy

The Centers for Medicare and Medicaid Services (CMS), which oversees HIPAA security rule enforcement, has published 'HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information' to help organizations determine the best way to protect ePHI available to mobile device users. Our framework for implementing a secure mobile application is based on the CMS guidance, with recommendations from a development and implementation perspective.

Primary risk areas:
– Access to data by external entities (hacking/theft)
– Loss of device
– Exposure of device to malware
1. Secure your device

Make sure the mHealth application requires a set of unique credentials (username and password) to access the application.

Risk scenario: Login credentials are lost or stolen, which could result in unauthorized access to view or modify ePHI.

Solution:
a) Implement two-factor authentication for granting remote access to systems that contain ePHI. In addition to username and password:
– Create a security question such as 'Which city were you born in?'
– Create a four-digit security code that is always requested when the application has been inactive for a specific period of time
– The four-digit security code can also be used for logging into the application when the device is in offline mode
b) Enable access to the application through a VPN client connection such as Cisco AnyConnect or RSA SecurID.
c) Set password protection rules such as a 6-character PIN, expirations, failure thresholds, and data wipe after repeated failures.
d) Implement a technical process for creating unique user names and performing authentication when granting remote access to a workforce member.
e) Set up devices to automatically lock after a specified period of inactivity.
f) Whenever a device is stolen, the IT helpdesk should be notified, and a user interface should be provided on the backend system for the representative to de-register the username.
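Rules c) and e) above are the ones a development team can enforce in the app itself. The following is an added example, not code from the whitepaper or from RapidValue: a device-side access policy that requires a PIN of at least 6 characters, expires the PIN, applies a temporary lock after a run of failed attempts, wipes the local ePHI cache after further failures, and locks the session after a period of inactivity. The 6-character minimum is the paper's figure; the 90-day expiry, the 5 and 10 failure thresholds, the 5-minute lock and the 15-minute idle period are assumed values, and the clock is injectable so the behaviour can be exercised deterministically.

```python
"""Device-side access policy for an mHealth app (added example, not from the
RapidValue whitepaper). Enforces: minimum 6-character PIN, PIN expiration,
temporary lock after repeated failures, wipe of local ePHI after further
failures, and automatic lock after inactivity. All thresholds except the PIN
length are assumed values."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

PIN_MIN_LENGTH = 6                    # from the whitepaper: "6 character pin"
PIN_MAX_AGE_SECONDS = 90 * 86400      # assumed: PIN expires after 90 days
LOCK_AFTER_FAILURES = 5               # assumed: temporary lock threshold
LOCK_COOLDOWN_SECONDS = 5 * 60        # assumed: length of the temporary lock
WIPE_AFTER_FAILURES = 10              # assumed: wipe local ePHI at this count
INACTIVITY_LOCK_SECONDS = 15 * 60     # assumed: auto-lock after 15 idle minutes


class PolicyViolation(ValueError):
    """Raised when a PIN does not satisfy the device policy."""


class DeviceAccessPolicy:
    """Tracks one device's PIN, failed attempts, lock state and ePHI cache."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._salt: Optional[bytes] = None
        self._pin_hash: Optional[bytes] = None
        self._pin_set_at = 0.0
        self._failures = 0
        self._lock_until = 0.0
        self._last_activity = clock()
        self.unlocked = False
        self.wiped = False
        self.local_ephi: Dict[str, str] = {}   # stand-in for the on-device ePHI cache

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # Slow, salted derivation so a stolen device does not yield the PIN cheaply.
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)

    def set_pin(self, pin: str) -> None:
        if len(pin) < PIN_MIN_LENGTH:
            raise PolicyViolation(f"PIN must be at least {PIN_MIN_LENGTH} characters")
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin, self._salt)
        self._pin_set_at = self._clock()
        self._failures = 0
        self._lock_until = 0.0

    def pin_expired(self) -> bool:
        return self._pin_hash is None or self._clock() - self._pin_set_at > PIN_MAX_AGE_SECONDS

    def touch(self) -> None:
        """Record user activity; call this on every interaction."""
        self._last_activity = self._clock()

    def check_inactivity(self) -> bool:
        """Lock the session if idle too long. Returns True when the device is locked."""
        if self.unlocked and self._clock() - self._last_activity > INACTIVITY_LOCK_SECONDS:
            self.unlocked = False
        return not self.unlocked

    def unlock(self, pin: str) -> bool:
        """Attempt to unlock; applies the cooldown, expiry and wipe thresholds."""
        now = self._clock()
        if self.wiped or self.pin_expired() or now < self._lock_until:
            return False
        assert self._salt is not None and self._pin_hash is not None
        if hmac.compare_digest(self._derive(pin, self._salt), self._pin_hash):
            self._failures = 0
            self.unlocked = True
            self._last_activity = now
            return True
        self._failures += 1
        if self._failures >= WIPE_AFTER_FAILURES:
            self.wipe()
        elif self._failures >= LOCK_AFTER_FAILURES:
            self._lock_until = now + LOCK_COOLDOWN_SECONDS
        return False

    def wipe(self) -> None:
        """Destroy local ePHI and credentials; the device must be re-enrolled."""
        self.local_ephi.clear()
        self._pin_hash = None
        self._salt = None
        self.unlocked = False
        self.wiped = True
```

The PIN is never stored in clear: it is run through a salted PBKDF2 and compared with a constant-time comparison. An expired PIN refuses all unlock attempts until a new one is set, and once the wipe threshold is reached the cache and credentials are gone regardless of what is typed next.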
2. Secure your data

Make sure the data sent to the mobile application is secure on the device as well as during transmission.

Risk scenario: Hacking the network or a mobile device from unprotected access points (such as a hotel business center or airport) is a growing concern and can result in loss of ePHI data.

Solution:
a) Prevent downloading and storing of ePHI data on the device whenever possible. Ensure that any data that is downloaded is operationally justifiable.
b) Minimize caching of data in browsers for web-based applications.
c) Implement strong, validated encryption (AES-256 and Triple DES) for transmission of ePHI, using SSL (Secure Sockets Layer) as the minimum requirement for mHealth applications.
d) Create policies to prevent the use of, and/or encrypt, SD cards and other removable media on mobile devices.
e) Ensure that the server that sends and receives all web-service requests from the mobile devices is protected by a firewall.
f) Provide the ability to perform a 'remote wipe' from the server to delete ePHI data from the device. Remote wipe can be designed in either of the following ways:
– Monitor the application 'Agent' continuously during online and offline activity and perform a remote wipe from the server on suspicious activity.
– Monitor the application 'Agent' during online activity only and perform a remote wipe from the server. If the 'Agent' cannot be tracked while offline, the data on the device should be deleted after the application has been inactive for about five days.

Figure: Mobile devices connect to the server over an authenticated, SSL-protected, 128-bit encrypted pipeline; the server sits behind the facility firewall in front of the database. Data (text and pictures) sent over the SSL pipeline is encrypted and cannot be deciphered; the unique username and password are authenticated against the device on every login.
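The de-registration step f) under "Secure your device" and the remote wipe f) above are two halves of one mechanism: a backend registry that the help desk updates, and a device 'Agent' that checks in and obeys the server's answer. The following is an added example, not code from the whitepaper or from RapidValue, showing both halves with the second design from the text (online monitoring plus a purge after about five days without contact). The five-day window is the paper's figure; the class and method names and the 'ok'/'wipe'/'deny' command vocabulary are assumptions. The client TLS context at the end sets TLS 1.2 as the floor rather than SSL, because the SSL protocol versions the paper names as a minimum are now deprecated.

```python
"""Backend device registry with help-desk de-registration and remote wipe,
plus the device agent's check-in and offline purge (added example, not code
from the RapidValue whitepaper). Names and command strings are assumptions."""
import ssl
import time
from typing import Callable, Dict

OFFLINE_PURGE_SECONDS = 5 * 86400   # "about five days" without server contact


class DeviceRegistry:
    """Server-side record of enrolled devices (in-memory stand-in for a database)."""

    def __init__(self) -> None:
        self._devices: Dict[str, dict] = {}

    def register(self, device_id: str, username: str) -> None:
        self._devices[device_id] = {"user": username, "active": True, "wipe_pending": False}

    def report_stolen(self, device_id: str) -> None:
        """Help-desk action: de-register the username and queue a remote wipe."""
        rec = self._devices[device_id]
        rec["active"] = False
        rec["wipe_pending"] = True

    def check_in(self, device_id: str, username: str) -> str:
        """Handle an agent check-in; returns 'ok', 'wipe' or 'deny'."""
        rec = self._devices.get(device_id)
        if rec is None:
            return "deny"
        if rec["wipe_pending"]:
            # Issue the wipe to whoever holds the device, then clear the flag.
            rec["wipe_pending"] = False
            return "wipe"
        if not rec["active"] or rec["user"] != username:
            return "deny"
        return "ok"


class DeviceAgent:
    """The app-side 'Agent' that holds the local ePHI cache and obeys the server."""

    def __init__(self, device_id: str, username: str, registry: DeviceRegistry,
                 clock: Callable[[], float] = time.time) -> None:
        self.device_id = device_id
        self.username = username
        self._registry = registry
        self._clock = clock
        self._last_contact = clock()
        self.cache: Dict[str, str] = {}   # local ePHI cache (constructed)

    def store(self, key: str, value: str) -> None:
        self.cache[key] = value

    def sync(self) -> str:
        """Online path: check in with the server and act on its command."""
        cmd = self._registry.check_in(self.device_id, self.username)
        if cmd == "wipe":
            self.wipe()
        elif cmd == "ok":
            self._last_contact = self._clock()
        return cmd

    def offline_tick(self) -> bool:
        """Offline path: purge the cache once the server has been unreachable too long."""
        if self.cache and self._clock() - self._last_contact > OFFLINE_PURGE_SECONDS:
            self.wipe()
            return True
        return False

    def wipe(self) -> None:
        self.cache.clear()


def client_tls_context() -> ssl.SSLContext:
    """Client context for the agent's connection: certificate verification on,
    hostname checking on, and TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy_summary() -> Dict[str, object]:
    """Expose the effective transport settings so they can be checked in tests or audits."""
    ctx = client_tls_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }
```

Two design points are worth noting. The server answers 'wipe' to any check-in from a flagged device, whatever username is presented, so a thief who still has a cached session triggers the purge rather than a mere denial. And the offline timer is measured from the last successful 'ok', so a device that stays dark simply empties its own cache when the window expires, with no server involvement required.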
C. Deploy and manage

Once the development team has implemented the application with the compliances discussed above, the next step is to assess how to deploy the application and manage it over subsequent releases and upgrades. For applications that will be used within the organization by employees rather than by consumers, we recommend rolling out using the enterprise distribution model, through which users have access to and can download the recommended enterprise apps, receive them securely over the air (OTA), and are alerted to and can download updates when available. Moreover, organizations can leverage this feature to keep an accurate inventory of the mobile apps installed at any given time and monitor them by device and user group.

While there is significant concern about application vulnerability, integrity and user privacy in the Apple App Store and Android Market, we believe that implementing the security measures below will strengthen compliance policies significantly:
– Develop processes to ensure that backups of all ePHI data sent and received by mobile devices are performed regularly on the server side.
– For enterprise-controlled apps/devices, apply over-the-air (OTA) provisioning and management of smartphones.
– Scan the server network platform regularly for suspicious activity and malware.
– Ensure the workforce is appropriately trained on policies and on the usage of any application that accesses ePHI data. Recommend that users search for and delete any files intentionally or unintentionally saved to external devices.
– Perform regular internal HIPAA audits whenever an application upgrade that includes new enhancements or bug fixes is planned.
Conclusion

Considering the trend towards adoption of different digital technologies, today's healthcare organizations face enormous challenges in compliance and regulation. As we have witnessed recently, theft of personal information has proven costly for organizations, resulting in lost credibility and, in some cases, being forced out of business. With robust auditing required for HIPAA security compliance, IT groups can no longer ignore mobile devices when implementing their security policies. Companies looking to develop mHealth solutions should consider leveraging their existing IT infrastructure, policies and services, and ensure that newer technologies are seamlessly integrated. This will add significant value to the organization by providing quality care for their patients.

Disclaimer

This white paper presents the evaluation criteria for mobile health apps related to FDA and HIPAA compliance aspects, based on our research, analysis and understanding. Any architectural assessment and/or design decisions related to the above policies should not be implemented based solely on the recommendations in this document. RapidValue shall have no liability for any direct, incidental, or consequential damages suffered by any third party as a result of decisions/actions taken, or not taken, based on this document.
About RapidValue

RapidValue is a global leader in digital transformation for the enterprise, providing end-to-end mobility, omni-channel, IoT and cloud solutions. Armed with a large team of experts in consulting, UX design, application development, integration and testing, along with experience delivering mobility and cloud projects worldwide, we offer a wide range of services across industry verticals. We deliver services to the world's top brands, Fortune 1000 companies, multinational companies and emerging start-ups. We have offices in the United States, the United Kingdom and India.

www.rapidvaluesolutions.com
www.rapidvaluesolutions.com/blog
+1 877.643.1850
contactus@rapidvaluesolutions.com
July 2012