Mobile device security in healthcare: Changing the mobile mindset

Please enjoy Mac’s latest mHIMSS blog post

I wanted to follow up my last post on mobile security in healthcare by bringing to light the need for a general shift in mindset in terms of how healthcare professionals are using mobile devices.

There is no question that mobile technology has become tightly integrated into most people’s personal and professional lives, with healthcare being no exception. In fact, it is very likely that a fair percentage of the current readers of this post have accessed this material on a phone, tablet or some other portable device. I get it. It is easy and it is convenient. Mobile technology allows for work on the go and instant connectivity. While it may be a difficult task for healthcare professionals to deny themselves the expedience, convenience and perpetual connectivity of mobile devices, if they wish to remain compliant with HIPAA and avoid a breach of electronic Protected Health Information (ePHI), a serious change of mindset is in order.

While some covered entities issue mobile devices (phones, laptops, tablets, etc.) which are protected with encryption and/or hosted on a secure server, many do not, and staff use personal devices in droves and subsequently introduce serious security risks. It is understandable that employees may want to use their own technology in lieu of company-issued devices, as mobile devices can absolutely provide a boost in efficiency and foster instant communication and data exchange. An increasingly common security risk that is often overlooked is introduced when clinical staff (physicians and nurses) use text messaging as a primary means of communication. Whether it is as straightforward as storing a health record on a mobile device or as innocent as sending a text message containing ePHI, most employees are focused on getting their jobs done in the most efficient manner possible and are not thinking about the breach vulnerability of their personal devices.

So then, is the change in perception and practice needed at the individual or organizational level?

The answer to this question is that both organizations and their staff need to re-examine their approaches to allowing personal non-secure devices to receive, transmit or store ePHI. While it is true that a great deal of risk can be eliminated by providing employees with encrypted devices with remote data storage and adequate access controls, many organizations simply lack the resources for such investments. Educating staff about the insecurity of mobile devices and the specific HIPAA requirements relating to those devices is clearly an essential first step for any provider organization. Ignorance of HIPAA regulations is not an excuse for a breach of protected health data and will not prevent or curb the many associated potential consequences of a breach. So as long as healthcare professionals remain uninformed about what the rules are and how to avoid breaking them, organizational risk will remain high.

Education must begin at the organizational level and should be required for all employees responsible for storing or transmitting protected data. Staff education should include an overview of HIPAA regulations, the greatest threats to mobile devices, the potential consequences of a data breach, best security practices, and organizational security policy. As far as employees are concerned, the bottom line regarding HIPAA is that any covered entity responsible for storing or transmitting protected health data must secure the information from breach, or risk financial repercussions in the 4- to 7-million-dollar range, on average. Employees must understand that because personal mobile technology is produced for the masses and not with the security of health data in mind, their iPhone or tablet is simply not adequately protected out of the box.

Organizational policy should be implemented and strictly enforced to prevent the use of insufficiently protected personal mobile devices when ePHI is in play. If staff members either insist on using or, by policy, are permitted to use their own devices, they should be required to demonstrate that all the appropriate security measures are in place, such as encryption, remote storage, access control and the ability to wipe the device clean if lost or stolen.

I am an advocate for mobile technologies and believe that there are significant advantages to be gained from their use in the healthcare industry. However, I think that we often forget that there was a time when people functioned without smartphones and the constant ability to instantly access all information. This concept goes back to my previous post and the need to discern what data we may want and what is actually needed to provide the best care in the safest manner possible.

Healthcare professionals must understand and differentiate the way that mobile technology is used in professional versus personal settings. The consequences of a breach are too significant to justify the introduction of a potential point of breach for the sake of convenience.

 
