As more personal health information flows through medical devices and over wireless networks, federal officials say more regulations are needed to ensure both device and data security.
The U.S. Government Accountability Office (GAO), in a report, recommends that the FDA regulate medical device security more thoroughly. However, the GAO said efforts to reduce security risks could “adversely affect device performance.” Unintentional negative consequences, such as electromagnetic interference with wireless devices, remain possible, alongside intentional threats such as unauthorized device access. Until recently, the FDA did not treat intentional information security risks like unauthorized device access as threats; it will now reevaluate its approach to reviewing medical device software.
More of those devices are reporting information back to doctors, and it’s increasingly happening through mobile device applications. Users in health care environments should also take care to secure their own mobile devices, in addition to regulation from governing bodies like the FDA. A survey of physicians estimated that two-thirds of physicians will be using iPads for business by 2013. Widespread use of mobile devices in medical settings has led many organizations to adopt internal bring your own device (BYOD) policies. Regulating personal devices allows practitioners freedom of access to data, while also allowing health care organizations some control over device security.
Health care organizations can only go so far in securing their employees’ mobile devices. Some devices cannot be encrypted, and companies can’t enforce their security policies on employees’ personal devices. Because of these restrictions, user education has become a key aspect of overall device security. Organizations are aware that mobile technologies are continuously changing, which creates the need for constant evaluation of their security policies.
Government and health care organizations need to protect data to maintain trust with patients. Nearly half (49%) of responding patients in a recent electronic health record (EHR) security survey said they feel EHR use will have a “significantly negative” or “somewhat negative” effect on health data privacy. Two-thirds (67%) of patients responded that they trust their doctors’ office to maintain their health information, while only 6% indicated trust in the government with the same data.
Ideally, health care companies will increase device security and performance while maintaining patient trust. People are the most vulnerable aspect of security and privacy, says Rebecca Herold, an information privacy, security and compliance consultant. Providing staff with educational resources, such as an employee intranet page where staff can ask questions, can be a beneficial training method.