Despite their upsides, mobile health projects present a whole new set of security and privacy problems, ones that differ from those associated with wired hospital networks. These issues include smartphones running lightweight applications (with lightweight security to go with them) and Web apps transmitting data over the public Internet (which can't be locked down like a closed hospital network).
Yet health care CIOs are beholden to the same Health Insurance Portability and Accountability Act (HIPAA) regulations for wireless, Web and mobile communications as they are with their wired networks. (The Health Information Technology for Economic and Clinical Health, or HITECH Act strengthened several provisions of HIPAA enforcement and significantly increased fines for data breaches of personal health information [PHI].)
At last month's Foundation for the National Institutes of Health's mHealth Summit, three speakers discussed the issue of mobile health security and privacy: Col. Ronald Poropatich, MD, deputy director of the U.S. Army Medical Research & Material Command; Herbert Lin, chief scientist at the National Research Council's Computer Science and Telecommunications Board; and Adam Greene, senior health IT and privacy specialist at the Office for Civil Rights, the agency overseeing HIPAA enforcement.
Health care providers tuning up their HIPAA compliance programs should focus on the biggest known vulnerabilities first, Greene advised. He broke down the first year of health care data-breach statistics since the HITECH Act's updates to HIPAA went into effect in September 2009: The biggest culprits are laptops (24%), paper records (22%), desktop computers (16%) and portable computer workstations (14%). Electronic medical record systems, servers and email messages also are vulnerabilities, but they are less statistically significant, he said.
In breaking down the same health care data-breach stats by the processes involved, Greene said that hackers are indeed a problem, but they are not as significant to health care CIOs as their portrayal in the media might lead executives to believe: Hackers account for only 5% of data breaches, while thieves account for 52%.
Following thieves are non-hackers who somehow are exposed without authorization to HIPAA-protected patient data. Those incidents account for 20% of data breaches. (This type of breach could happen any number of ways. One scenario is that a doctor intends to send PHI to patient A but has the email system prepopulate the "To:" field with patient B's name.) Finally, outright loss of data accounted for 16% of breaches, with improper disposal of data checking in at 6%.
"What this highlights is [that] in the race to have top-notch technical safeguards, it's very important to not underestimate the importance of both administrative and physical safeguards, because those are going to be the tools, oftentimes, for fighting theft and loss," Greene said.
Most health care data breaches can be prevented with one simple technology fix, said Greene, who summarized his No. 1 HIPAA compliance tip in three words: "Encrypt, encrypt, encrypt."
Best practices for mobile health security
As mobile health technology advances, such devices as smartphones and tablet PCs, many of which fit into coat pockets, will create more -- and more attractive -- targets for thieves. When these devices store patient data locally, theft equals data breach.
To that end, Greene, Lin and Poropatich offered several tips to CIOs creating or tuning up their security schemes for mobile health patient interactions:
- Perform a risk analysis before implementing mobile technology. Ferret out weak points and buttress them with security. For example, if you are distributing protected health information on smartphones, imagine the scenario of a physician or patient losing the phone, and determine how to protect the data stored on it well in advance of a breach.
- Create and enforce sound employee policies that prevent improper sharing of information. Privacy and security are separate things, and require different maintenance methods. Patient privacy typically is maintained by an organization's written policies, which cover everything from password-sharing to data disposal and also need provisions for enforcement when errors are made. Security, meanwhile, is technology, such as encryption, that keeps the bad guys from accessing HIPAA-protected data.
- Make security simple. If a password is too hard to remember -- or figure out in the first place -- employees and patients either will not use it or will create workarounds. The same goes for routines built around security policies. One example would be a portable, wireless-enabled emergency-room computer workstation set up to log out the most recent user automatically after the computer has been idle a minute or two, keeping unauthorized parties from viewing open medical records. Automated logouts are usually effective, but in this case the frequency is such that it interrupts the workflow of physicians and nurses in a typically bustling environment, Lin said.
Privacy is what you're trying to achieve; security is what you do to get that.
Herbert Lin, chief scientist, National Research Council's Computer Science and Telecommunications Board
- Tell them what you're going to tell them with an open messaging system. Phones and their networks can be less secure than laptop and desktop computers. If you're texting or emailing patients reminders about routine care matters (upcoming appointments, tests or prescription refills, for example) perhaps the most secure HIPAA-compliant method is to make the message itself free of protected health information. One way to do this is to write something along the lines of "Your doctor has an important message for you at …", and refer them to a secure Web link where they have to log on with a password to get specifics. This method keeps sensitive information stored in the cloud, not locally on a phone that can be hacked or lost, Poropatich said
- Use two-factor, bidirectional authentication. An example of this type of authentication would be checking a password and token at both the device level and the server level. Doing this confirms that the person trying to log onto that Web link to retrieve a message is the actual patient. This authentication method also offers an additional safeguard before HIPAA-protected information is pushed to a smartphone.
"Privacy is what you're trying to achieve," Lin said. "Security is what you do to get that."
Let us know what you think about the story; email Don Fluckinger, Features Writer.