The proliferation of mobile devices in health care, in conjunction with the push for electronic health records (EHRs) and health information exchange, has added a whole new chapter to the book of privacy and security best practices. Health care CIOs and IT departments must balance privacy and security with usability and cost. End users must be educated about how to keep devices secure and protected health information (PHI) private.
No health care organization wants to be named on the HHS "wall of shame," or even worse, find out that patient information ended up on an employee's Facebook page. Securing mobile devices in health care remains an ever expanding challenge, as the number of devices continues to grow, bringing about significant changes in workflow.
The Office of the National Coordinator for Health IT (ONC) is trying to help identify privacy and security best practices for mobile devices in health care, and recently held a roundtable where panelists discussed input from the public and industry experts. As the panelists discussed their own real-world experiences with using mobile devices, and the security implications that they bring, several themes emerged.
Users are adopting mobile devices faster than IT can set policy
One of the most worrisome trends seen by the Healthcare Information and Management Systems Society (HIMSS) is the tendency for health care organizations to deploy mobile devices without updating their security policies -- sometimes deploying devices before there even is a policy.
"That's not the case with EHR technology and other technologies," said Lisa Gallagher, senior director of privacy and security at HIMSS, during the ONC roundtable. "But with mobile tech, people use it in their everyday life. They want it now and they get it. So in a lot of cases we're actually going back and catching up on the policy. It's not just documenting what the policy is, but what it should be, regardless of how we got where we are and the fact that we deployed these things before we were organizationally ready."
The challenge from the provider standpoint, added Jacob DeLaRosa, chief of cardiothoracic and endovascular surgical services at Portneuf Medical Center in Pocatello, Idaho, is that when new technologies like the iPad come out, physicians want to use them right away, but "the policies aren't there yet." He said that it could take months for them to be put in place.
Mobile device security should not get in the way of usability
There's no question that mobile device security policies need to be in place to protect patient privacy. But sometimes these policies can hinder a provider's ability to benefit from using a mobile device. Panelist Christopher Tashjian, president of River Falls, Ellsworth and Spring Valley Medical Clinics in Wisconsin, is a small-town family doctor who sees patients in a variety of settings -- even the county jail -- and is passionate about both medicine and technology. He previously used text messaging in the emergency room to send pictures of X-rays to an orthopedic surgeon, who could advise him on how to handle patients with complex fractures.
Though the practice was helpful, Tashjian said he was forced to stop "because the HIPAA people at the hospital said 'you can't do that.'" He is exploring workarounds, such as sending an image that contains no patient-identifiable data, but he would like to see the vendors step in and build something from the ground up that he can use.
"[T]echnology can do a lot of things," said Tashjian, who has previously presented to ONC on a variety of health IT issues. "To me, it's incumbent on the vendors to give us technology that satisfies patient privacy."
Never make assumptions when it comes to mobile device security
One rule of thumb for using mobile devices in health care: when in doubt, assume it's not secure. When asked about using public Wi-Fi to input confidential patient information, panelists agreed that you have to assume the pipe is not secure. In practice, that means protecting PHI in transit end to end, with TLS to the application or a VPN back to the organization, rather than trusting whatever network the device happens to be on.
But monitoring providers who are off site presents a challenge. "Because most of our providers are out in the field, they want to be able to download their information," said panelist Meri Shaffer, registered nurse and a clinical systems analyst with Montefiore Home Care in New York City, adding that her organization was "definitely not" comfortable with allowing employees to go to a McDonald's or Starbucks to log on.
"There's policies we have about not allowing them to do that," she said, "but it's difficult to monitor that and regulate it." Montefiore gave out Sprint cellular data cards to health care providers in the field, but found the cards weren't always very reliable.