One of the hottest trends in health care organizations is that of using mobile devices to access electronic health records. Although accessing electronic health records (EHRs) through mobile devices provides an unprecedented level of convenience, it also exposes health care organizations to new security risks.
Mobile device encryption helps mitigate security risks. Data must be encrypted while it is in transit, but it must also be encrypted when it is stored. In spite of the need for encryption, some health care organizations have been reluctant to require encryption for mobile access of EHRs for fear that the encryption process will cause a major performance impact.
Currently there are a number of different vendors offering solutions for accessing EHRs on mobile devices such as smart phones or tablets. Most of the mobile EHR solutions do not store large patient health databases on the mobile devices. Factors such as limited device capacity, the need for databases to be centrally accessible and the potential for data exposure if the device is ever lost or stolen have lead most vendors to create mobile EHR solutions to act as a front-end application that interfaces with a back-end database.
Although most mobile EHR applications do not attempt to locally store patient data, mobile device storage encryption is still important. Mobile applications often cache patient health data in an effort to improve the application's response time. Unless encrypted, this cached data potentially could be exposed if a mobile device were lost or stolen.
Data encryption in health care
Encryption in health IT in 2013
Health care encryption strategy
More on mobile device encryption
Encryption a part of HIPAA risk analysis
When it comes to storage encryption, health care organizations should insist on hardware-level encryption. Although there are a number of software-based encryption solutions for mobile devices, software solutions consume system resources such as memory and CPU cycles, thereby leading to diminished performance. Conversely, hardware-level encryption usually has no noticeable impact on performance.
Most of the major mobile device manufacturers offer hardware level encryption, but there are certain nuances on each platform that IT pros need to be aware of. For example, Android devices offer hardware-level encryption, but only on Honeycomb- and Ice-Cream-Sandwich-based devices. Likewise, iPhones and iPads running iOS 4.0 or later also support hardware-level encryption, but the encryption is not turned on by default.
Windows Phone 8 devices support hardware-level encryption that is always turned on. However, because the encryption is based on the use of a trusted module platform chip, Microsoft Corp. chose not to perform hardware-level encryption of removable secure digital (SD) cards. Because SD cards are not encrypted, the Windows Phone 8 operating system will not allow sensitive data to be stored on them. SD cards can only store music, photos, videos and eBooks.
Data transmission encryption
Storage encryption for mobile devices is critically important in health care organizations, but encrypting data while it is in transit is even more important. Often times mobile EHR applications do not take measures to encrypt data as it flows across the network. The software assumes that the administrator has already secured the network.
Some health care organizations reduce the chances of sensitive data being exposed by using firewalls to control the boundaries at which patient data may be accessed. For example, mobile devices might be allowed to access patient data over the facility's Wi-Fi network, but not over a cellular network or an external Wi-Fi network.
Of course, the facility Wi-Fi network must be encrypted. The encryption process does tend to make the wireless network run more slowly than it otherwise would, but there are a number of different factors that determine the true performance impact.
One of the big factors is the wireless access point itself. As a general rule, older or low-end wireless access points tend to be less efficient than the newer access points. Some access points offload the encryption process to a dedicated chip. As such, organizations with aging wireless access points might experience better performance by upgrading to a newer model.
If employees access health care data from outside of the organization, they most likely do so either through a virtual private network or through a transmission core protocol tunnel. In either case the connection is encrypted, but there isn't a lot that can be done on the user's device to mitigate any performance impact the encryption process causes. However, you might be able to improve the performance of encrypted sessions by using a wide area network optimization solution to reduce the amount of traffic that flows between mobile devices and the corporate network.
Unfortunately, there isn't one single magic fix for overcoming the overhead that encrypting data causes. The best approach is often to use performance monitoring techniques to look for network bottlenecks and then work to resolve those bottlenecks.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as chief information officer for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at email@example.com or contact @SearchHealthIT on Twitter.
This was first published in January 2013