Mobile devices have become as common as the stethoscope in patients’ rooms. Physicians routinely review patients’ electronic health records (EHR), read test results, access diagnostic tools, and take patient notes, all with a few touches on an iPad or other tablet, a smartphone, or a flash drive. These mobile devices are ideal for information sharing and time savings, but they pose huge security risks to patient information.
According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), in less than two years, from September 22, 2009, through May 8, 2011, 116 data breaches of 500 records or more were the direct result of the loss or theft of a mobile device, exposing the protected health information (PHI) of more than 1.9 million patients. A panel of five experts in the fields of healthcare IT, security and privacy, data breach, and identity theft (Jill Arena, Chad Boeckmann, Rebecca Herold, Rick Kam, and Robert Siciliano) share their insights on how healthcare organizations and providers can optimize mobile health (mHealth) while protecting patients’ data.
Electronic Health Records Increase Mobile Device Usage
Sixty-four percent of physicians own smartphones and 30 percent of physicians have an iPad, with another 28 percent planning to buy one within six months, according to a recent Manhattan Research study. Some 10,000 mobile healthcare applications are available today for the iPad, many of them created to provide access to electronic health records. Additionally, one-third of physicians use their mobile devices to enter data into the EHR while seeing patients, while the information is fresh.
Experts Offer Their Insights on mHealth
Jill Arena, managing partner, Health e Practice Solutions, LLC, consulting, and technology solutions: “In many ways, digitizing patient information can make it more secure, but only if the proper security measures are in place. As we move to introduce iPad applications that integrate with physicians’ Electronic Medical Records (EMR) products, we can edit, route, and capture signatures on patient forms without ever dropping them to paper. This allows physicians and their office staff to recapture valuable staff time, and it keeps paper forms with PHI, Social Security numbers, and other sensitive information from floating around the clinic and potentially falling into the wrong hands.”
Chad Boeckmann, president, Secure Digital Solutions, LLC, comprehensive privacy strategy: “Anytime an organization extends information beyond its walls, a risk assessment should be conducted to determine the level of security controls, including monitoring of those controls. Mobile devices are a great example of extending the enterprise. Organizations need to understand the complexities of securing mobile devices, applications, and the people who use them as part of a well-rounded data security and risk management program.”
Rebecca Herold, Rebecca Herold & Associates, LLC, information security, privacy and compliance tools, education and consulting: “In healthcare, doctors and nurses are increasingly using mobile computing devices and storage devices as part of their caregiving activities, storing goldmines of patient information on them. Because of the combination of increased business and patient data storage and entrusting mobile workers with mobile computing devices, it is vital that an effective mobile computing device and storage media security and privacy management program is in place, not only to meet HIPAA compliance requirements but also to protect your patients and your hospitals and clinics. A key component is providing training and awareness to those staff using such devices. After all, doctors and nurses cannot protect information on mobile devices if they are not taught effective ways to do so. If you don’t provide security knowledge to those using mobile devices, privacy breaches will occur.”
Rick Kam, president and co-founder, ID Experts, comprehensive data breach solutions: “Many Wi-Fi networks in hospitals and doctors’ offices are not secure, and, coupled with the increased mobile device usage, patient data is at risk. Here are eight things you can do to protect sensitive patient data:
- Whenever possible, don’t store sensitive data on wireless devices. If required, ensure the data is encrypted.
- Enable password protection on wireless devices, and configure the lock screen to come on after a short period of inactivity.
- Turn on the Remote Wipe feature of wireless devices.
- Enable Wi-Fi network security. Do not use WEP, and only use WPA-1 with strong passphrases. Use WPA-2 if possible.
- Change the default SSID and administrative passwords.
- Don’t transmit your wireless router’s SSID.
- Only allow your devices to connect by specifying their hardware MAC address.
- Implement a Wireless Intrusion Prevention System.”
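As an added example (not from the release or from ID Experts), the Python below audits constructed access-point and mobile-device settings against the eight items in the list above and reports which controls are missing; the dictionary keys and the thresholds standing in for “strong passphrase” and “short period of inactivity” are assumptions made here.

```python
WEAK_WIFI_MODES = {"open", "wep"}
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink"}  # constructed list of factory SSIDs
MIN_PASSPHRASE_LEN = 16   # assumed threshold for a "strong passphrase"
MAX_AUTOLOCK_SECONDS = 300  # assumed threshold for a "short period of inactivity"

def audit_access_point(ap):
    """Return findings for one access-point config (list items 4 to 8). Keys are assumed."""
    findings = []
    mode = ap.get("security", "open").lower()
    if mode in WEAK_WIFI_MODES:
        findings.append("AP: open or WEP network; move to WPA2")
    elif mode == "wpa1" and len(ap.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append("AP: WPA1 with a short passphrase; lengthen it or move to WPA2")
    if ap.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("AP: default SSID still in use")
    if ap.get("admin_password") == ap.get("factory_admin_password"):
        findings.append("AP: default administrative password unchanged")
    if ap.get("broadcast_ssid", True):
        findings.append("AP: SSID is being broadcast")
    if not ap.get("mac_allowlist"):
        findings.append("AP: no MAC address allowlist configured")
    if not ap.get("wips_enabled", False):
        findings.append("AP: no wireless intrusion prevention system")
    return findings

def audit_device(dev):
    """Return findings for one mobile-device config (list items 1 to 3). Keys are assumed."""
    findings = []
    if dev.get("stores_phi", False) and not dev.get("storage_encrypted", False):
        findings.append("Device: PHI stored without encryption")
    if not dev.get("passcode_enabled", False):
        findings.append("Device: no passcode set")
    elif dev.get("autolock_seconds", 10**9) > MAX_AUTOLOCK_SECONDS:
        findings.append("Device: auto-lock delay too long")
    if not dev.get("remote_wipe_enabled", False):
        findings.append("Device: remote wipe not enabled")
    return findings

# Constructed sample configs: a factory-default AP, a hardened AP, and a weak device.
WEAK_AP = {"ssid": "linksys", "security": "WEP", "admin_password": "admin",
           "factory_admin_password": "admin", "broadcast_ssid": True, "mac_allowlist": []}
HARDENED_AP = {"ssid": "clinic-staff-7f3", "security": "WPA2", "passphrase": "x" * 24,
               "admin_password": "s3t-by-admin", "factory_admin_password": "admin",
               "broadcast_ssid": False, "mac_allowlist": ["00:11:22:33:44:55"], "wips_enabled": True}
WEAK_DEVICE = {"stores_phi": True, "storage_encrypted": False, "passcode_enabled": True,
               "autolock_seconds": 1800, "remote_wipe_enabled": False}

if __name__ == "__main__":
    for finding in audit_access_point(WEAK_AP) + audit_device(WEAK_DEVICE):
        print(finding)
```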
Robert Siciliano, CEO, IDTheftSecurity.com, personal security and identity theft expert: “Mobile isn’t just a convenient new gadget or toy, it’s a huge target for criminal hackers and needs to be treated accordingly.”
About the Panel of Industry Experts
Jill Arena, the managing partner with Health e Practice Solutions, LLC, holds a Fellowship from the American College of Medical Practice Executives and has extensive experience in practice start-up and workflow improvement, including the implementation and management of the newest health information technologies. Her professional focus and passion are the intersection of physician, patient, and computer. Over the past 15 years, Jill has started more than 37 new clinics, where she has introduced EMRs and implemented complete clinical IT systems.
Chad Boeckmann, president of Secure Digital Solutions, LLC, assists organizations in the government, financial, healthcare, and retail industries in achieving their information security and compliance goals. Since 2005 Secure Digital Solutions (SDS) has enabled companies to gain the confidence and trust of their clients and auditors through IT security and regulatory compliance services. Clients rely upon SDS to deliver customized solutions, thought leadership, a strong work ethic, and exceptional client service. SDS provides value by delivering business services and solutions effectively and by tailoring solutions to client requirements.
Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, The Privacy Professor®, has more than two decades of information security, privacy, and compliance experience. Rebecca is a partner and subject matter expert for the first cloud-based HIPAA/HITECH compliance service, Compliance Helper. As owner and principal of Rebecca Herold & Associates, LLC, Rebecca is a widely recognized and respected information security, privacy, and compliance expert and has been named multiple times as a “Best Privacy Adviser in the World” by Computerworld. She is currently working on her 15th published book.
Rick Kam, CIPP, is president and co-founder of ID Experts, and chairman of the “PHI Project,” a research effort to measure financial risk and implications of a data breach in healthcare. He is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents and identity theft. Previously, Kam spent 20 years at IBM Corporation in sales, management, and customer relationship management consulting.
Robert Siciliano, CEO of IDTheftSecurity.com, is committed to informing, educating, and empowering Americans to protect themselves from violence and crime in the physical and virtual worlds. For more than 20 years, Robert has been working in all aspects of security. A blogger, consultant, and speaker on a wide variety of topics, including computer security, identity theft, and social networking security, Robert is often interviewed on national television to give advice to consumers and to weigh in on security issues.
SOURCE ID Experts