Mobile device security in healthcare: It comes down to common sense

The team at mHIMSS asked Mac to create a blog for them around mobile device security.  We hope you enjoy Mac’s inaugural post and will also make it a point to peruse the great online presence that mHIMSS has created at http://www.mhimss.org/ to further your learning about mobile device management in the healthcare industry.

Recently I took part in the Office of the National Coordinator for Health IT’s Mobile Device Roundtable in Washington, D.C., where three panels of experts (federal agency representatives, practicing providers and security practitioners) came together to discuss the use of mobile devices in healthcare, the legal framework that exists now and how to best protect sensitive information being transmitted via mobile devices.

As the discussions went on, one thing became clear – there is currently no coordinated approach to managing the mobile device spectrum. Because of this lack of a coordinated approach, it’s ultimately up to the users to manage mobile devices and, most importantly, ensure their security.

The physicians on the panel noted that they would like to use mobile technology to accomplish the following:

• Communication between themselves, the providers they work with and service organizations like labs, radiologists, etc.;
• Communication with patients to provide a rapid medium for communicating results;
• Education, primarily around giving patients detailed information with respect to their condition; and
• Real-time test results, x-rays, etc., to show to and discuss with patients.

The ability to text was also noted as an increasingly popular mechanism for physicians communicating from a workflow perspective. Studies have shown that more than 70 percent of physicians now use text as a regular means of communicating in the workplace.

While these are all valid uses of mobile devices for physicians, and they certainly offer the potential to enhance patient care and the patient/provider experience, it’s important to remember the vulnerability of most mobile platforms and their inability to secure sensitive patient information that’s being transmitted. In most of these cases, physicians seem to understand that mobile platforms and texting are not sufficiently secure to communicate electronic protected health information (ePHI), and they are looking to the mobile device manufacturers to deliver that level of protection. Under the HIPAA Security Rule, there are huge ramifications for failing to secure PHI, often resulting in significant monetary fines and reputational damage, and if the device companies are not going to step up, then we as an industry need to find ways to fill that gap.

So what’s the solution? How do we make it possible for physicians to use mobile devices in a way that would bridge communication gaps between colleagues and patients while ensuring the security of sensitive data?

On one level, the answer is pretty simple: use common sense. We use our cell phones and other mobile devices for personal reasons and carry them with us everywhere. So, as common sense would tell us, it wouldn’t be prudent to house sensitive information (such as patient data) on such devices. PHI and other data should not live on the mobile device itself because it puts the device and the physician at risk. To ensure mobile security in healthcare, mobile devices need to allow physicians to review and act on sensitive information, but in most cases that data should always remain on a secure server – when the physician disconnects, the device retains zero sensitive information.

The first step in making this “data-centric,” common-sense approach to mobile device security work is to get people to recognize the difference between needing the sensitive data on their mobile device and simply wanting it on there out of convenience. This is made more difficult and more important as the mobile device industry continues to focus on allowing access to data anywhere, anytime (the idea of “bring your own device,” or BYOD). If we begin to balance convenience around dissemination of data with the actual practical clinical requirements by using technologies that enable connectivity and only store data on the devices that are able to protect it properly, we can greatly reduce the magnitude of the risk. The proposed EHR implementation standard and certification criteria for encryption of devices that connect to EHRs and retain ePHI after termination of their session will certainly heighten this need.

By thinking about where the data needs to be, who needs to have access to it and what kind of access is required and building this “data-centric” security into mobile device strategies, physicians will be able to use their mobile devices in a way that optimizes workflow and quality of care while still ensuring the security of all sensitive data reasonably and responsibly.