bst2012 - Fotolia
The flexibility in care workflows, improved productivity for practitioners, and timely access to data are encouraging many providers to continue to give patients mobile access to their health records. On the flipside, opening mobile access poses significant data security risks to IT departments.
When IT adopts a new bring your own device (BYOD) policy, it affords users the opportunity to use their mobile devices to gain access to health information. This challenges the IT department to keep users' data secure and maintain HIPAA compliance -- particularly when the devices in use are not owned by the hospital.
Data breaches not only endanger patient's personal information, but may also subject an organization to criminal implications and monetary fines. In order to avoid data breaches, IT must ensure the implementation of strong healthcare mobile security practices.
Protect the devices
The security of mobile devices can also be compromised by loss and theft. It's nearly impossible to ensure a device won't fall into the wrong hands. Healthcare organizations must take precautionary steps to protect data in the event that a device goes missing. Some methods to accomplish this include remote wiping and locking, as well as tracking the device through GPS to locate and recover it.
Encrypt the data
Patient data that is accessed from mobile devices is likely stored remotely. The information is usually sent to smartphones or mobile devices from a server located in a secure facility, behind firewalls. Information that travels wirelessly and is stored within mobile devices can still pose a security risk if left unencrypted. It is a mobile healthcare security best practice to encrypt the sensitive health information while it's being transferred, as well as while it's at rest. This will help mitigate any leakage and offer strong data protection to ensure compliance.
Restrict and control access
Mobile devices must follow access control processes and procedures similar to restrictions seen within the world of desktops and laptops. This means only users with appropriate authorizations can gain access to protected data on mobile devices, and only IT has adequate tools to audit and manage all users' permissions.
Contain certain apps and data
With most healthcare professionals using their mobile devices for a mix of personal and business use, it's challenging for IT to implement restrictions without causing end users to feel locked out of their devices. It is critical that mHealth apps that capture patient data stay isolated and protected from other tools or apps within mobile devices to avoid putting patient data at risk.
To solve this issue, many hospitals and Fortune 500 companies have implemented app and data containment. This is done by running mobile apps separately from all other apps to prevent sensitive data from being copied or penetrated. Creating this separation between personal data and healthcare data reassures IT that patient data can be protected with the right BYOD policy.
Use strong policies and education
One of the best methods to improve the security of sensitive data within mobile devices is through user education. While users will have the best intentions at heart, implementing clear policies and procedures that define what can and can't be done on the devices is the surest way to avoid any gray areas. Some of the common requirements applied to accessing enterprise networks and health information are:
- The use of a passcode to access information on the device
- The use of application containment for all enterprise or health apps
- The IT department is notified when a device is lost or stolen
- Denying the sideloading of apps and device jailbreaking
- Unauthorized users are restricted from accessing a device while a healthcare app is in use
Failure to implement some of these processes can put patients' health information at risk.
Implementation of mobile protection tools
It is a common practice for IT to roll out antivirus and antimalware tools on employees' desktops. Unfortunately, with the increasing number of infections targeted at mobile devices, IT must recommend or even require end users to deploy tools to protect mobile devices against viruses and malware. An IT department can leverage a mobile device management platform to monitor and report any infections or risks affecting compromised mobile devices.
Install only trusted mobile apps
Not all available apps offer guaranteed data encryption. Vendors like Apple, Google and Microsoft do not validate or look for data encryption. This leaves IT solely responsible to work with app developers to ensure data encryption is available and enabled.
End users are continuously purchasing new devices and using new platforms and apps within the healthcare space to access protected health information. It is a challenge for IT departments to keep up with these changes and offer end users the flexibility to use their mobile devices while still ensuring all of their data is protected. With the selection of a robust mobile device management platform, and deployment of many of the highlighted best practices, it can be possible to secure health data on mobile devices.
About the author:
Reda Chouffani is vice president of development at Biz Technology Solutions Inc., which provides software design, development and deployment services for the healthcare industry. Let us know what you think about the story; email firstname.lastname@example.org or contact @SearchHealthIT on Twitter.
Mobile healthcare apps can drive innovation
How to write a HIPAA-compliant BYOD policy
Healthcare security survey shows growth in mobile threats