March 25, 2016

Precision Medicine Initiative
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

RE: Comments of ACT | The App Association regarding the White House’s Precision Medicine Initiative Draft Data Security Policy Principles and Framework

ACT | The App Association writes to provide input on the White House’s Precision Medicine Initiative Draft Data Security Policy Principles and Framework[1] (Draft). ACT | The App Association represents more than 5,000 app companies and technology firms that create the apps used on mobile devices around the globe. ACT | The App Association supports the Precision Medicine Initiative (PMI), and is proud to have partnered with the White House and other stakeholders as this effort has progressed. We applaud the White House for working with a broad cross-section of relevant federal departments and independent agencies to develop, and for seeking public input on, these draft principles.

As the world has quickly embraced mobile technology, our member companies have been creating innovative solutions across modalities and segments of the economy, with healthcare among the strongest examples. ACT | The App Association is spearheading the Connected Health Initiative, an effort to clarify outdated health regulations, incentivize the use of remote patient monitoring, and ensure an environment in which patients and consumers can see improvement in their health.[2] This coalition of leading mobile health companies and key stakeholders urges the White House, Congress, the FDA, the Centers for Medicare & Medicaid Services (CMS), and other key policymakers to adopt policies that encourage mobile health innovation while keeping sensitive health data private and secure. We urge the PMI to fully appreciate that innovative advances in software applications can promote approaches to medicine that take into account individual differences in people’s genes, environments, and lifestyles, and can also give medical professionals the resources they need to target specific treatments.

While mobile apps hold the potential to revolutionize precision medicine, these solutions are unlikely to be leveraged to their full potential without legal clarity and guidance around the use of advanced data collection and communication methods, including the integration of consumer-facing Bring Your Own Device (BYOD) models in which the patient uses their own device to provide health information to inform and improve decisions made about their medical issues and care plans.

[1] The White House, Precision Medicine Initiative: Data Security Policy Principles and Framework (Feb. 25, 2016), available at https://www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_and_Framework_FINAL_022516.pdf.

[2] “Connected Health Initiative,” available at http://connectedhi.com.

I. General Views of ACT | The App Association on the Benefits of Mobile Apps in Advancing Precision Medicine

The integration of remote monitoring of patient-generated health data (PGHD) has been – and continues to be – proven an integral aspect of any healthcare system and a cornerstone to the advancement of precision medicine. The demonstrated benefits of remote patient monitoring (RPM) services include improved care, reduced hospitalizations, avoidance of complications, and improved satisfaction, particularly for the chronically ill.[3] A particularly compelling example of the use of virtual chronic care management is by the Department of Veterans Affairs, which resulted in a substantial decrease in hospital and emergency room use.[4] Telemedicine tools, wireless communication systems, portable monitors, and cloud-based patient portals that provide access to health records are all emerging technologies that revolutionize remote patient monitoring (including asynchronous technologies) and the medical care industry, representing a significant opportunity.[5] There is also a growing body of evidence of potential cost savings to providers, noted most recently by a study predicting that remote monitoring will result in savings of $36 billion globally by 2018, with North America accounting for 75% of those savings.[6] RPM has the potential to positively engage patients when addressing chronic and persistent disease states, improving the management of chronic conditions. With 60% of the population already using mobile apps to help track their conditions and make informed choices about their health,[7] mobile-app-enabled telehealth and remote monitoring of PGHD continue to represent the most promising avenue for improving care quality while lowering costs, despite significant statutory and regulatory burdens that prevent these innovations from being fully utilized.

As notable examples, Section 1834(m) of the Social Security Act has resulted in significant restrictions on telehealth services;[8] further, remote patient monitoring, independent of telehealth services, is unreasonably restrained by CMS’ decision to bundle it with other codes, resulting in a lack of reimbursement for remote patient monitoring. As a result, Medicare coverage for telehealth is astonishingly low,[9] while support for RPM is non-existent and denies reasonable reimbursement for the monitoring of patient-generated health data (PGHD).

The same technologies that enable telehealth and RPM – such as electronic health records with view, download, and transmit capability enabled through the use of application programming interfaces (APIs)[10] – are poised to provide similar benefits to the PMI process. Because technologies that integrate patient-generated health data into the continuum of care generally will also benefit the PMI, we urge the PMI to recognize the broad transformative nature of these advances and to ensure that regulation of such technologies does not restrict the associated benefits to any particular aspect of the healthcare system.

Traditionally, there has been limited clinical use of mobile apps that leverage PGHD. With the revolution of smartphones, the adoption of which has occurred more quickly than any other technology in history, clinicians now have the ability to leverage the BYOD model, which can utilize specialized instruments as accessories to smartphones, tablets, and similar devices. While much progress remains to be made, promising (and foundational) examples of advanced telehealth and RPM technologies being used include:

• Rimidi[11] uses both the BYOD model and connected glucometers to better understand and improve the treatment of diabetes. Physicians are using the Rimidi platform to monitor their patients’ glucose levels, as well as to help their patients determine the correct balance of insulin more efficiently.

• AirStrip®[12] technology is a critical tool for keeping doctors informed of patient vitals while they’re still in the ambulance. The company’s products use Department of Defense-level encryption that allows doctors to remotely view live patient waveform data from multiple devices and systems on a single mobile screen securely, in advance of the patient entering a hospital room.

• CareSync[13] provides a software platform that digitally connects doctors, patients, and caregivers, reducing the paper chase burden for doctors and delivering better care to happier patients, including chronic care management for Medicare.

• Apple's CareKit™[14] is a new software framework designed to help developers enable people to actively manage their own medical conditions. iPhone® apps using CareKit make it easier for individuals to keep track of care plans and monitor symptoms and medications while providing insights that help people better understand their own health. With the ability to share information with doctors, nurses, or family members, CareKit apps help people take a more active role in their health. CareKit will be released as an open source framework next month, allowing the developer community to continue building on the first four modules designed by Apple, which include:

  o Care Card helps people track their individual care plans and action items, such as taking medication or completing physical therapy exercises. Activities can automatically be tracked and entered using sensors in Apple Watch® or iPhone;
  o Symptom and Measurement Tracker lets users easily record their symptoms and how they’re feeling, like monitoring temperature for possible infections or measuring pain or fatigue. Progress updates could include simple surveys, photos that capture the progression of a wound, or activities calculated using the iPhone’s accelerometer and gyroscope, like quantifying range of motion;
  o Insight Dashboard maps symptoms against the action items in the Care Card to easily show how treatments are working; and
  o Connect makes it easy for people to share information and communicate with doctors, care teams, or family members about their health and any change in condition.

  Developers of health and wellness apps are excited to build these CareKit modules into apps for Parkinson’s patients, post-surgery progress, home health monitoring, diabetes management, mental health, and maternal health.

  o Sage Bionetworks and the University of Rochester are using CareKit to turn the mPower ResearchKit™ study into a valuable tool to help better inform patients about their condition and care providers about treatment.
  o The Texas Medical Center is designing apps to guide and support care pathways for its 8 million patients to improve their health through enhanced connectivity with their care teams.
  o Beth Israel Deaconess Medical Center will provide patients with more insight into their own chronic care management through home health monitoring devices that securely store data in HealthKit™.
  o Start, by Iodine, helps people on antidepressants understand whether their medication is working for them, and helps their doctors deliver more informed care.
  o Glow, Inc., will incorporate CareKit modules into its pregnancy app, Glow Nurture, to guide women through a healthier pregnancy.

[3] See Hindricks, et al., The Lancet, Volume 384, Issue 9943, Pages 583-590, 16 August 2014, doi:10.1016/S0140-6736(14)61176-4. See also U.S. Agency for Healthcare Research and Quality (“AHRQ”) Service Delivery Innovation Profile, Care Coordinators Remotely Monitor Chronically Ill Veterans via Messaging Device, Leading to Lower Inpatient Utilization and Costs (last updated Feb. 6, 2013), available at http://www.innovations.ahrq.gov/content.aspx?id=3006.

[4] Darkins, Telehealth Services in the United States Department of Veterans Affairs (VA), available at http://c.ymcdn.com/sites/www.hisa.org.au/resource/resmgr/telehealth2014/Adam-Darkins.pdf.

[5] Kalorama Information, Advanced Remote Patient Monitoring Systems, 8th Edition (2015), available at http://www.kaloramainformation.com/redirect.asp?progid=87656&productid=9123949.

[6] Juniper Research, Mobile Health & Fitness: Monitoring, App-enabled Devices & Cost Savings 2013-2018 (rel. Jul. 17, 2013), available at http://www.juniperresearch.com/reports/mobile_health_fitness.

[7] Get Mobile, Get Healthy: The Appification of Health & Fitness Report, Mobiquity (2014), available at http://www.mobiquityinc.com/mobiquity-white-papers?ref=mHealth-report-2014.

[8] See 42 CFR § 410.78.

[9] According to CMS, Medicare telemedicine reimbursement totaled a mere $13.9 million in Calendar Year 2014. See http://ctel.org/2015/05/cms-medicarereimburses-nearly-14-million-for-telemedicine-in-2014/.

[10] CMS defines an API as “a set of programming protocols established for multiple purposes…[that] may be enabled by a provider or provider organization to provide the patient with access to their health information through a third-party application with more flexibility than often found in many current ‘patient portals.’” CMS further explains that “[i]f the provider elects to implement an API, the provider would only need to fully enable the API functionality, provide patients with detailed instructions on how to authenticate, and provide supplemental information on available applications which leverage the API.” 80 FR 16753. In practice, the software application developer community relies on APIs to establish interoperability in a safe and secure manner across contexts. APIs are not just technical specifications regulating how data can be exchanged on a network, but should be understood as a technique for governing the relations these networks contain.

[11] http://www.rimidi.com/.

[12] http://www.airstrip.com/.

[13] http://www.caresync.com/consumers/index.php.

[14] http://www.apple.com/pr/library/2016/03/21Apple-Advances-Health-Apps-with-CareKit.html.

5

II. Specific Input of ACT | The App Association on the PMI Draft Data Security Policy Principles and Framework

The PMI is a crucial step towards embracing advanced technology and connectivity in the healthcare continuum, and the Draft, which was informed through collaborative work with key federal agencies, is particularly important given that no data is more personal to Americans than their own health data. ACT | The App Association has recently provided insight into key areas where transparency and clarity in legal and regulatory responsibilities for mobile health apps is a necessity, including the applicability of Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules to modern communication and data storage technologies, as well as clarity on the ability to fully leverage technical measures to ensure the protection of patient data, including end-to-end encryption.[15] Below, we provide specific views on the Draft and propose ways to improve it towards ensuring the success of the PMI.

Initially, ACT | The App Association notes our support for the PMI’s utilization of the National Institute of Standards & Technology’s Cybersecurity Framework,[16] which will promote a harmonized approach to cybersecurity risk management. It is important to note that, while the Cybersecurity Framework is a voluntary, flexible, and scalable risk management tool built on public-private collaboration, it is targeted to critical infrastructure. However, the Draft does not accurately reflect that the NIST Cybersecurity Framework is built on these characteristics. To address this concern, we urge that a Data Security Policy Principle be added recommending the use of a holistic risk management approach based on the NIST Cybersecurity Framework (or an equivalent construct), specific to the unique circumstances of an organization and requiring a scalable risk management approach. Generally, ACT | The App Association agrees with the proposed Data Security Policy Principles put forward in the Draft.

Consistent with the above, ACT | The App Association is concerned that the PMI Data Security Policy Framework will face scalability issues that may give rise to unnecessary prohibitive costs, effectively excluding small- and medium-sized entities from the PMI (i.e., small- and medium-sized organizations may find difficulty in applying the specific PMI Data Security Policy Framework measures under each of the NIST Framework Core Functions). For example, small- and medium-sized entities may find difficulty in attaining independent third-party reviews of their security plans that, at minimum, include “a review of the organization’s adherence to its security plan; regular vulnerability assessments (e.g., network scans and penetration testing); and evaluation and adjustment of the security program in light of vulnerability assessments and evolving circumstances”[17] without facing prohibitive costs that are not scaled to the risk they should be managing per the NIST Cybersecurity Framework’s approach. To address this concern, the Draft should be updated to include use cases and examples specifically as to how small- and medium-sized entities may comply with these standards. ACT | The App Association pledges its support to an effort to develop these use cases with the PMI staff and other stakeholders.

ACT | The App Association agrees that PMI organizations should ensure that participants are fully aware of and consenting to validation processes, and supports this concept being reflected in the Identify and Protect functions.[18] The functionality exists today to ensure that participants are trained on how to use a mobile device, any accessories to a BYOD device, and any mobile apps required for a PMI organization to execute its goals. ACT | The App Association wishes to expressly note our support for the inclusion of transparency and training themes throughout the NIST Framework Core Functions mapping included in the Draft. Specifically, we support the inclusion of “Transparency” under the Identify function, as well as “Awareness and Training” under the Protect function.[19] By including these themes, the PMI will promote an approach harmonized with that of the Federal Trade Commission.

ACT | The App Association members appreciate that no data is more personal to Americans than their own health data, and put extensive resources into ensuring the security and privacy of sensitive health data to earn the trust of consumers, hospital systems, and providers. Fully leveraging technical measures, including end-to-end encryption, is a critical element to accomplishing this; more broadly, encryption enables key segments of the economy, from banking to national security, by protecting access to, and the integrity of, data. For example, the use of encryption is critical to meeting obligations under the above-noted HIPAA security and privacy rules. Despite the important role encryption plays, some interests persist in demanding that “back doors” be built into encryption for the purposes of lawful access. We reject such proposals as mandates that degrade the safety and security of patient information, and the trust of patients. Worse still, these “back doors” could create vulnerabilities that are guaranteed to be exploited by state-backed hackers and criminals (e.g., the recent ransomware situation faced by Hollywood Presbyterian Medical Center).[20] Due to the ubiquity of software in our lives, mobile health apps, which rely on strong encryption, are directly impacted by such a policy. For these reasons, ACT | The App Association strongly supports the Draft’s inclusion of “Encryption” and “Encryption Key Security” under the Data Security function,[21] and urges that these important recommendations be retained as the Draft moves towards finalization.

ACT | The App Association supports the inclusion of “Threat Information Sharing” under the Detect function, and the Draft’s related text that endorses a flexible path forward to the timely sharing of cybersecurity threat indicators.[22] While the HITRUST Alliance and the NH-ISAC are effective means to accomplish this critical goal, they may be resource-prohibitive for small- and medium-sized entities. ACT | The App Association agrees that future Information Sharing and Analysis Organizations may be formed that will also help PMI organizations share this important information, which will help mitigate cyber-based attacks.

[15] See Testimony of Morgan Reed, Executive Director, ACT | The App Association, Smart Health: Empowering the Future of Mobile Apps, Before the House Committee on Science, Space, & Technology, Subcommittee on Research and Technology (March 2, 2016), available at https://science.house.gov/sites/republicans.science.house.gov/files/documents/HHRG-114-SY15-WState-MReed-20160302.pdf.

[16] NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

[17] Draft at 5.

[18] Draft at 4-5.

[19] Draft at 5-6.

[20] E.g., Violet Blue, Hospital ransomware: A chilling wake-up call, http://www.engadget.com/2016/02/19/hospitalransomware-a-chilling-wake-up-call/ (last visited Feb. 25, 2016).

[21] Draft at 6.

[22] Draft at 7.

8

ACT | The App Association appreciates the opportunity to submit comments on the Draft, and looks forward to the opportunity to meet with you and your team to discuss these issues, and the PMI’s path forward, in more depth. Thank you for your consideration.

Sincerely,

Morgan Reed
Executive Director
ACT | The App Association