
Will Growth In Mobile Use Compromise HIPAA Compliance?

Posted on May 31, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

There’s little doubt that giving doctors mobile access to data via their personal devices can be valuable. We’ve probably all read case studies in which doctors saved a great deal of time and made the right clinical call because they reached it via an iPad, smartphone or Android tablet.

And this is as it should be. We’ve been working to push intelligence to the network for at least the two decades I’ve been writing about IT.

That being said, we haven’t yet gotten our arms around the security problems posed by mobile computing during that period, as hard as IT managers have tried.  Adding a HIPAA compliance requirement to the mix makes things even more difficult. As John wrote about previously, Email is Not HIPAA Secure and Text is Not HIPAA Secure either.

According to one security expert, healthcare providers need to do at least the following to meet HIPAA standards with mobile devices:

  • Protect their private data and ePHI on personal-liable (BYOD) mobile devices;
  • Encrypt all corporate email, data and documents in transit and at rest on all devices;
  • Remotely configure and manage device policies;
  • Apply dynamic policy controls that restrict access to certain data or applications;
  • Enforce strict access controls and data rights on individual apps and services;
  • Continuously monitor device integrity to ensure PHI transmission;
  • Protect against malicious applications, malware and cyber threats;
  • Centrally manage policies and configurations across all devices;
  • Generate comprehensive compliance reporting across all mobile devices and infrastructure.

Just a wild guess here, but my hunch is that very few providers have gone to these lengths to protect the ePHI on clinicians’ devices.  In fact, my sense is that if Mr. Bad Guy stole a few iPads or laptops from doctors at random right now, they’d find a wide open field. True, the thief probably couldn’t log into the EMR(s) the physician uses, but any other clinical observations or notes — think Microsoft Office apps — would be in the clear in most cases.

Being a journalist, not a security PhD, I can’t tell you I know what must be done. But having talked to countless IT administrators, I can definitely see that this is a nasty, hairy problem, for many reasons including the following:

– I doubt it’s going to be solved by a single vendor, though I bet you will be or are already getting pitches to that effect — given the diversity of systems even a modestly-large medical practice runs.

– Two factor authentication that locks up the device for all but the right user sounds good, but add-ons like, say, biometrics aren’t cheap.

– Add too many login steps to doctors already tired of extra clicks and you may see mass defections away from EMR use.

– Remotely managing and patching security software on devices with multiple operating systems and network capabilities is no joke.

If you feel your institution has gotten a grip on this problem, please do chime in and tell me. Or feel free to be a mean ol’ pessimist like myself. Either way, I’d love to hear some of your experiences in protecting mobile data.  Maybe you have a good news story to tell.

Lost Laptop with Patient Names, Treatment Summaries and Other PHI

Posted on June 21, 2009 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This story out of Oregon came across my feeds today. It tells of the Oregon Health and Science University contacting 1,000 patients after a physician’s laptop was stolen from a car parked at the doctor’s home.

This story made me think of two things:
1. Why is PHI being stored on the laptop in the first place? I wish I could find out if there was an EMR involved. If there was, then the EMR should be storing all of the patient information on the server and none of that data should be stored on the laptop. So, if it gets stolen there’s no breach. That’s the beauty of an EMR these days. There should be no need for this to happen.

2. There’s some really cool technology that’s been coming out in recent laptops that will allow you to remotely wipe out the laptop if it ever gets connected to a network. Basically, once your laptop is stolen you report it stolen and they start tracking it down kind of like they do with stolen cars (same people from what I understand).

Once the stolen laptop is connected to the network, it will call back to the main center and receive the command to wipe out the laptop. Then, it will also give them information about where it was connected in order for police to possibly recover the stolen laptop as well. We’re implementing this on all our new laptops. I’ll be very happy once we have them all with this feature.