Ten iPad EHR security strategies for HIPAA compliance

When deploying an EHR system to iPhones and iPads, organizations need a sound security strategy. These 10 tips will make security policy, and HIPAA compliance, straightforward.

LAS VEGAS -- More than 80% of physicians tote smartphones, 71% of them carrying either an Apple Inc. iPad, iPhone or iPod Touch, according to 2011 Manhattan Research statistics quoted by United Health Services clinical systems analyst Rebecca Kennis. Some 30% already access an electronic health record (EHR) or radiology report via an iPad, making HIPAA-compliant iPad EHR security a top priority for IT staff at health care organizations.

"That sounds like kind of a 'wow' to me," Kennis said. "Why is it that the physician community seems to have made such a connection with this technology when HIT tends to be, kind of, not at the forefront of technology?"

Kennis feels the iPhone and iPad are a natural fit for clinical staff thanks to their instant-on feature, which doesn't require a long start-up time, not to mention their portability and 3G connectivity. Those aspects of the mobile devices let practitioners check on patients via the EHR inside their hospitals and offices, as well as at home or on the go -- which they want to do.

Hospitals like them, too, because they keep physicians happy, require no additional PCs or desktop space and, as United found, promote better care documentation, resulting in fewer lost charges.

Steps for iPhone, iPad EHR security include encryption, authentication

With that mobility come iPad EHR security problems. Kennis and United Health Services CMIO Afzal ur Rehman, M.D., shared strategies they employed for locking down patient data in their own mobile EHR deployment for iPads and iPhones in a presentation before a packed theater at the Healthcare Information and Management Systems Society's HIMSS 2012 conference. Their upstate New York nonprofit health system spans four hospitals (916 beds total) along with two nursing homes and 27 primary care and 15 specialist physician offices.

United chose to create its own EHR app, which is supported by two dedicated full-time IT staffers. The speakers shared their strategies for maintaining HIPAA compliance while giving clinical staff the flexibility -- and access to data -- they need:

  1. Store as little data as possible on the mobile devices. For the most part, patient data is passed through a gateway server to the back-end EHR storage server on United's network. That way, if a mobile device is lost or stolen, there's nothing to access.
  2. Make the device require a token and a user ID/password. This is crucial for bring-your-own-device (BYOD) mobile EHR implementations, Rehman said. That way, if a password is stolen, that specific ID cannot be used from any device other than the one to which it's assigned. Conversely, if a device is stolen, it can't be used to log into the system without the owner's password. Such an iPad EHR security policy also satisfies HIPAA guidelines for two-factor authentication.
  3. Encrypt data in motion. Just to double up on the encryption, United encrypts what little data is at rest on the device, too.
  4. Log off users after idle. United's protocol? Five minutes.
  5. Auto-delete EHR app cache after a specified time. Just in case there is any identifiable data rattling around in there. United does it after 48 hours.
  6. Set geographic access boundaries according to role. At United, physicians can access the EHR outside the hospital via 3G; nurses participating in a pilot implementation cannot. In fact, they need to be inside the hospital, and inside the firewall, to see the EHR, because their work doesn't require off-premises, off-hours access to patient data.
  7. Enable remote controls. IT staff at United can wipe the EHR application from a device remotely and, obviously, remove a device's access policy from the network.
  8. Require face-to-face encounters for device setup. When employees first want an iPhone or iPad EHR, they're required to appear in person at the IT department. At that time, they get the app and their password.
  9. Resolve patient lists for each practitioner. Nurses, residents, hospitalists and attending physicians do not necessarily need to access the whole patient database. This part of the system is still a work in progress for United, which lets physicians add any patient so as not to prevent a physician from administering needed care for a patient or planning for future procedures. However, the system also logs who adds which patients and sends alerts to relevant compliance-minded parties within the organization watching for HIPAA violations.
  10. Think twice about Android. Rehman said the Android operating system's ability to multitask is actually a HIPAA vulnerability, as it could let an ID take a screen shot of a patient EHR. As a result, United doesn't plan to support it at this time.
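
How a gateway server might enforce items 2, 4, 6 and 9 together, as an added example that is not United's code. The HMAC-based device token, the network range, the key and every name below are assumptions; only the five-minute idle limit and the physician/nurse rule come from the list above.

```python
import hashlib, hmac, ipaddress
from dataclasses import dataclass

# Constructed values: the article gives the 5-minute idle limit and the role
# rule, but not the network range, the token scheme, or any of these names.
IDLE_LIMIT_S = 5 * 60
HOSPITAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed internal range
OFF_PREMISES_ROLES = {"physician"}                    # nurses: inside the firewall only
SERVER_KEY = b"constructed-demo-key"                  # in practice, from a secrets store

def device_token(user_id: str, device_id: str) -> str:
    """Token issued at in-person enrollment; binds one user ID to one device."""
    msg = f"{user_id}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

@dataclass
class Request:
    user_id: str
    role: str
    device_id: str
    token: str
    source_ip: str
    password_ok: bool      # result of the separate password check
    last_activity: float   # epoch seconds of the session's previous request
    now: float

def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); deny on the first failed control."""
    expected = device_token(req.user_id, req.device_id)
    if not hmac.compare_digest(expected.encode(), req.token.encode()):
        return False, "token not issued for this user/device pair"
    if not req.password_ok:
        return False, "password check failed"
    if req.now - req.last_activity > IDLE_LIMIT_S:
        return False, "session idle more than five minutes; log in again"
    on_premises = ipaddress.ip_address(req.source_ip) in HOSPITAL_NET
    if not on_premises and req.role not in OFF_PREMISES_ROLES:
        return False, f"role '{req.role}' is limited to the hospital network"
    return True, "ok"

def add_patient(audit_log: list, req: Request, patient_id: str) -> dict:
    """Item 9: adding a patient is allowed, but always logged and flagged for review."""
    entry = {"user": req.user_id, "patient": patient_id, "at": req.now, "alert": True}
    audit_log.append(entry)
    return entry
```

A stolen password fails the first check from any other device, and a stolen device fails the second without the password, which is the pairing item 2 describes.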

While Rehman conceded that it might be possible to write a secure EHR on the Android platform today, at the time that United planned its EHR app, his team found the Apple iOS to be more secure, in part because iOS has very limited multitasking functions.

"It has more security features than Android or Windows at this time," Rehman said. "[In iOS] most apps stay dormant in the background. They cannot do things in the background."

Let us know what you think about the story; email Don Fluckinger, Features Writer or contact @DonFluckinger on Twitter.
