Policies Lag Mobile Device Deployment
How to Avoid 'Wild West' Environment
Many healthcare organizations are ramping up their use of mobile devices before they have appropriate privacy and security policies, procedures and technologies in place. That was one of the key messages at a half-day Mobile Device Roundtable hosted March 16 by the Department of Health and Human Services.
"In a lot of cases, we're going back and catching up on the policies," says Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society. Healthcare providers "are often deploying mobile devices before they are organizationally ready," she says, pointing to the results of a mobile device survey HIMSS recently conducted.
"The problem is, as mobile technology expands so rapidly, we're still trying to figure out how you can govern that," adds Steven Heilman, M.D., chief medical information officer at Norton Healthcare, a five-hospital system in Kentucky. "If you don't have policies, it becomes the wild west of healthcare."
He pointed to critical privacy issues, including physicians using unencrypted video conferencing when a patient is transferred from one facility to another as well as nurses using unsecure texting to discuss patients.
"Like it or not, mobile devices meant for a consumer marketplace ... are being increasingly used in healthcare," says Farzad Mostashari, who heads HHS's Office of the National Coordinator for Health IT. "We have to think not only about the possibilities, but also the potential perils."
One way to deal with potential perils is to make sure risk assessments adequately address the vulnerabilities of tablets, smart phones and other new mobile devices, says Susan McAndrew, deputy director for health information privacy at the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules. Healthcare organizations "need to use the same type of protections for mobile devices as they would for the main computers in the enterprise," she stresses.
McAndrew points out most of the major health information breaches reported so far have involved the loss or theft of unencrypted mobile devices or media. That's why encrypting any data stored on the devices is essential, she stresses.
What About Texting?
The explosion in the use of texting among physicians and nurses is creating new security issues. For example, some answering services send to a doctor's smart phone an unencrypted text message containing a patient's name, phone number and symptoms, which creates risks for privacy violations, notes Adam Kehler, quality and security specialist at the consultancy Quality Insights of Pennsylvania.
"So a risk assessment has to go beyond just electronic health records" when sizing up risks to protected health information, he stresses.
While it investigates secure texting technologies, Adventist Health System has banned communicating patient-specific information through texting, says Sharon Finney, corporate data security officer at the 44-hospital system.
The BYOD Trend
A growing number of healthcare organizations are permitting the use of personally-owned tablets and smart phones for work purposes. A critical first step, however, is entering a detailed user agreement that defines their security responsibilities, says Gallagher of HIMSS.
The association offers a mobile security toolkit that includes a sample agreement.
Accommodating the bring-your-own-device trend is important, Gallagher says, because the strategy can slash costs. But educating users on mitigating risks is essential, she stresses.
At Adventist Health System, a majority of physicians have migrated from corporate-owned to personally-owned devices now that the organization has created a separate wireless network the physicians can use to access patient information, Finney notes.
Mobile Applications and Malware
Another area of risk involved in using the latest smart phones is exposure to malware, says Jacob DeLaRosa, M.D., a cardiovascular surgeon at the Portneuf Medical Center, Idaho State University. He recently downloaded an application designed to help him calculate the Body Mass Index that turned out to include a virus that automatically sent messages about Viagra to his contacts.
When selecting new apps, "you have to assume that they're not secure," Gallagher stresses. Healthcare organizations must test-drive all apps before clinicians are allowed to use them and must educate users on the necessary security provisions tied to new apps, she says.
The roundtable was designed to kick off an HHS effort to identify best practices for mobile device privacy and security. ONC is soliciting comments on the issue through March 30 on its website.
By year's end, HHS plans to offer videos, tip sheets and other guidance on security for mobile devices, says Joy Pritts, ONC's chief privacy officer. "Given the rapid adoption of mobile devices against the backdrop of the breach incidents reported, there's been a growing concern about the use of these devices because of their vulnerability," Pritts says. "The mobile device privacy and security good practices project is one of the ways we hope to address these concerns."