The Wired article, "What Doctors Wish You Knew About HIPAA and Data Security," delves into the limitations and misunderstandings surrounding the Health Insurance Portability and Accountability Act (HIPAA) in safeguarding personal health data. It highlights that HIPAA primarily regulates healthcare entities but does not cover consumer-generated data or information shared outside traditional medical settings, such as through personal devices or social media. The piece underscores the importance of individual vigilance in data protection, emphasizing the use of multi-factor authentication and careful sharing of personal health information, especially in non-regulated platforms. This article serves as a crucial reminder of the evolving challenges in health data security and the shared responsibility between healthcare providers and individuals in protecting sensitive health information.

It is crucial to have a Cybersecurity Action Plan for Protecting Personal Health Data because personal health data is sensitive and valuable information. A well-designed plan helps safeguard this data from unauthorized access, cyber threats, and potential misuse, ensuring privacy and maintaining trust between individuals and healthcare providers. Additionally, protecting personal health data reduces the risk of identity theft, fraud, and financial loss while also preserving the integrity and accuracy of medical records. Implementing a cybersecurity action plan promotes compliance with relevant data protection regulations, fosters a culture of security awareness, and contributes to overall digital safety.

A new Senate bill introduced in early April 2022 (including legislation in the House) would require medical device developers to be more accountable for the cybersecurity of their products.

Sens. Tammy Baldwin, D-Wisconsin, and Dr. Bill Cassidy, R-Louisiana, have introduced the bipartisan Protecting and Transforming Cyber Health Care Act.

From the MITRE website:

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbookoutlines a framework for health delivery organizations (HDOs) and other stakeholders to plan for and respond to cybersecurity incidents around medical devices, ensure effectiveness of devices, and protect patient safety.

The healthcare sector knows how to prepare for and respond to natural disasters. It is less prepared, however, to handle cybersecurity incidents, particularly those involving medical devices. Recent global cyber attacks highlighted the need for more robust cybersecurity preparedness to execute an enhanced, effective, real-time response that enables continuity of clinical operations.

Using mobile devices to store, process, and transmit patient information has become increasingly popular amongst healthcare providers. When health information is compromised, organizations can face penalties and lose consumer trust, and patient care and safety may be at risk.

To address this challenge, cybersecurity experts at the NCCoE collaborated with the healthcare industry and technology vendors to develop an example solution to show healthcare providers how they can secure electronic health records on mobile devices. The solution is guided by standards and best practices from NIST and others, including the Health Insurance Portability and Accountability Act (HIPAA) rules.

The Quantified Self website provides a current list of many of the self-tracking tools out there.

The FDA is informing patients and health care providers that pulse oximeters have limitations and a risk of inaccuracy that must be considered.

As medical devices become more networked, they may become vulnerable to cybersecurity threats. Patients should preserve their personal information, monitor their device for strange symptoms or behaviors, and receive a device check-up from their health care practitioner or the device maker, according to the US Food and Drug Administration (FDA).

From the PubMed abstract: "Participants enrolled in a 2x2 factorial RCT and were assigned to one of four semi-automated, text message-based walking interventions. Experimental components included adaptive versus static steps/day goals, and immediate versus delayed reinforcement. Principles of percentile shaping and behavioral economics were used to operationalize experimental components. A Fitbit Zip measured the main outcome: participants' daily physical activity (steps and cadence) over the 4-month duration of the study. Secondary outcomes included self-reported PA, psychosocial outcomes, aerobic fitness, and cardiorespiratory risk factors assessed pre/post in a laboratory setting. Participants were recruited through email listservs and websites affiliated with the university campus, community businesses and local government, social groups, and social media advertising."

mFHAST Implications: Opportunity for text-message based reinforcement to increase effectiveness of a behavioral intervention (encouraging increased walking habits)

From the PubMed abstract: "A number of 344 women who received TIV were randomly assigned to a telephone interview group. They were telephoned seven days post-vaccination and administered a standard survey soliciting any adverse events following immunisation (AEFI) they experienced. They were matched by brand of vaccine, age group, and residence to 344 women who were sent a SMS seven days post-vaccination. The SMS solicited similar information. AEFI reported by SMS and telephone interview were compared by calculating risk ratios."

mFHAST Implications: Opportunities to use SMS for vaccination program adverse event reporting collection. 

From the article abstract: "Trivalent influenza vaccine (TIV) has been recommended for pregnant women in Australia for more than a decade and funded since 2009, yet vaccination coverage remains low. Misperceptions of the safety of TIV in pregnancy have been identified as a major contributor to low vaccination rates. Ongoing safety monitoring with dissemination of results could help improve antenatal influenza vaccine uptake."

mFHAST Implications: Opportunity for use of SMS for pregnancy related vaccination adverse event reporting