The U.S. Department of Health and Human Services requires individually identifiable health information to be protected in all forms of media. Medical device manufacturers must know how to protect this information if collected in their devices or databases. Elizabeth and Tim discuss how to protect health information at the software level.

If you need assistance with Protected Health Information (PHI) in your software or mobile application, we can help. Please schedule a complimentary consultation with one of our consultants.


Additional Resources:
1. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

2. Guidelines Resulting from HIPAA Law 

3. Privacy Basics: A Quick HIPAA Check for Medical Device Companies


TRANSCRIPT

(Casandra) Welcome back to another PSI video. Most recently we have been working on a number of projects that involve protected health information, or PHI, also commonly known as personally identifiable information or PII. This is information that is collected by various databases that collect information such as full names, social security numbers, email addresses, and much more. Anything that can really identify an individual. But what’s important to know is that PHI (Protected Health Information) and PII, the key differentiator, is that PHI (Protected Health Information) is used when talking about medical or health records. HIPAA legally requires that this information is protected and so as a medical device manufacturer, it is important that you know and understand how to protect this information within your system.

The U.S. Department of Health and Human Services has set a standard for privacy, of individually identifiable health information, often called the Privacy Rule. This is a national set of standards that protects this information in all forms of media and that could be verbal or oral, that could be paper, or what we’re here to talk about today is electronic.

So, Elizabeth and Tim have sat down to discuss the various ways that we help our clients ensure that their devices and their databases, and their systems are protecting that information, so they are compliant to this privacy rule. So, Elizabeth and Tim, take it away.

(Elizabeth) Hey Tim, so as software engineers, we’re responsible for ensuring PHI (Protected Health Information) is protected on the devices and applications we design and develop. Here at PSI, we use a few different strategies to handle protecting health information. To start, can you talk a little bit about authentication?

(Tim) Hi Elizabeth, sure, authentication is really just the act of making sure that the person is who they say they are. So one way is just to use a simple username and password, which a lot of applications and websites already use, but if you want to get a little fancy with it, you can use multifactor authentication which typically involves having the user enter their cellphone number so they can log in from their cellphone as well, so then that application can ensure, from multiple facets, that you are who you say you are. As far as authorization, that has to do with making sure the user has access to what they’re supposed to have access to. So maybe a low-level user can only look at things when a high-level user can make edits to something, delete something, like that.

(Elizabeth) Another buzzword in the world of app development and security is encryption. Is there any way that can be worked into protecting health information?

(Tim) Absolutely, this is critical in protecting personal health information. When you talk about encryption, it typically means one of two things. Encryption at rest and encryption at transit. Encryption at rest is protecting data while it’s physically present somewhere, like in memory, persistent storage, whereas in transit you’re going to want to use something like HTTPS, which is just like HTTP with transport layer security to ensure your data is encrypted over the internet.

(Elizabeth) Another common way of promoting security in apps is having regular app updates, can you talk a little about that too?

(Tim) Sure, one of the main reasons for this is that you want to make sure you’re keeping up to date with any of the latest security vulnerabilities that have been discovered, any attacks, anything of that nature that you need to protect your users, or your patient data from.

(Elizabeth) A lot of modern applications are using the cloud. Is there any way to leverage the cloud to add a layer of security or further help protect patient data?

(Tim) Absolutely, Elizabeth. One popular way to do this is to add functionality to be able to remotely wipe patient data from a device. There’s instances where a device may be stolen or lost, where you don’t want that information to get in the wrong hands. This is a useful tool in that respect. One other thing is to just protect your data by having multiple instances of it. A lot of cloud platforms actually provide the ability, some by default, to save your data in multiple locations to ensure durability of the patient data.

(Elizabeth) Those are just a few examples of how PSI implements strategies to handle protecting health information. Tim, do you have any other examples of things that are out there?

(Tim) Yeah, one simple example would be to only collect the data that you need. For instance, maybe you’re at the doctor’s office getting your blood taken for some sort of test. When the blood is taken and sent to a laboratory for testing, maybe you want to use a barcode rather than actual patient data. So then, the laboratory that sees that, sees the blood from the patient can’t associate it with anyone.

(Elizabeth) Alright, well thanks Tim for taking the time to explain all of this. We hope that you find this helpful and if you have any questions please don’t hesitate to reach out to PSI.

