Five Essential Mobile Security StepsPrecautions to Ensure Patient Confidentiality
Tablets and other mobile devices are gaining in popularity and are emerging as great resources for physicians, other clinicians and patients. A recent survey by Manhattan Research reported that more than 60 percent of physicians own an iPad, almost double the percentage of a year ago.
Educating healthcare professionals upfront, rather than as a response to a breach, can help prevent security incidents.
As we near the conclusion of our pilot project with the Department of Health and Human Services' Office of the National Coordinator for Health IT, which involves the use of tablets to communicate educational material and capture electronic patient consent for health information exchange, tablet security has been on my mind (see: Using Tablets to Obtain Patient Consent). In a preliminary survey for the pilot, patients identified potential breaches and unauthorized access as the primary concern they would like addressed before providing consent to share health information. If patients choose to opt out because of distrust and fear in health information exchange, the overall viability and usefulness of data exchange is limited. Although not impacting the pilot, because there is no personal health information being accessed or stored on the tablets, security fears tied to health information exchange, especially when health data is accessed from mobile devices, need to be assuaged.
The list of major breaches compiled by the HHS Office for Civil Rights shows that more than half of incidents are tied to lost or stolen unencrypted computing (usually mobile) devices or media. And 31 percent of respondents to the 2012 HIMSS Analytics Report, "Security of Patient Data," indicated that information available on a portable device was among the factors most likely to contribute to the risk of a breach.
As mobile devices become ubiquitous in healthcare, more precautionary measures are needed to ensure patient confidentiality. To prevent data breaches, healthcare professionals and hospitals need to take charge of their mobile devices' security.
Following are five top security considerations:
1. User Education
Most data breaches are due to human errors and employee negligence. Proper education can inform users about how to minimize risks by limiting downloads, showing users how to encrypt data, clear the browser cache, and remind mobile users to never save passwords and to sign-off and to promptly report lost or stolen devices that may contain sensitive information. Educating healthcare professionals upfront, rather than as a response to a breach, can help prevent security incidents.
2. Registering Devices
Before allowing physicians to access patient health records via personally owned mobile devices, organizations should require doctors to register their devices through the hospital's IT departments to ensure these devices meet security requirements, such as installing necessary virus protection, enabling remote wipe capabilities, implementing automatic logouts, limiting the number of mobile devices on the network and including role based access control. Organizations can better monitor and minimize potential security breaches if they are proactive in identifying devices used to access sensitive information and installing these necessary security features.
3. Monitoring Use
By maintaining detailed audit logs, IT departments are more likely to stop a potential breach and/or track the depth of a breach if one occurs. Organizations should track how and when a device was used, finding out if it had logged onto an unsecured connection or if it had unintentionally downloaded malicious software.
The final software certification rule for Stage 2 of the HITECH Act electronic health record incentive program requires that mobile devices, including tablet computers, which retain patient data after a clinical encounter must encrypt the data by default.
But regardless of whether your organization is a participant in the incentive program, encryption is essential. It prevents those who obtain possession of a lost or stolen tablet from accessing any sensitive data. Whether personally owned or hospital-issued, mobile devices that store patient information must be encrypted. In addition to encrypting content, strong limits on patient data storage need to be placed on any mobile device. If possible, information should not be stored on a mobile device and instead should only be available via the network.
5. Remote Wipes
Last, but certainly not least, remote wipe capability should be installed on all mobile devices that may store protected health information. If a mobile device is lost or stolen, a remote wipe can delete such data. IT departments can choose to erase all data automatically when a device is missing or after a defined number of unsuccessful login attempts.
Each of these security measures provides additional layers of security to tablet computers used by healthcare professionals. Following these measures helps increase the security of patient data without disrupting the workflow of healthcare professionals while also addressing patient concerns. Additionally, once secured, it is imperative that we place emphasis on educating patients about the inherent benefits of health information exchange and how, with the proper precautions, their data is secure regardless of the device used to access it.
Rob Quinn is president of App Design, a software development firm.