Will Growth In Mobile Use Compromise HIPAA Compliance?

Posted on May 31, 2012 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

There’s little doubt that giving doctors mobile access to data via their personal devices can be valuable. We’ve probably all read case studies in which doctors saved a great deal of time and made the right clinical call because they reached to via an iPad, smartphone or Android tablet.

And this is as it should be. We’ve been working to push intelligence to the network for at least the two decades I’ve been writing about IT.

That being said, we haven’t yet gotten our arms around the security problems posed by mobile computing during that period, as hard as IT managers have tried.  Adding a HIPAA compliance requirement to the mix makes things even more difficult. As John wrote about previously, Email is Not HIPAA Secure and Text is Not HIPAA Secure either.

According to one security expert, healthcare providers need to do at least the following to meet HIPAA standards with mobile devices:

  • Protect their private data and ePHI on personal-liable (BYOD) mobile devices;
  • Encrypt all corporate email, data and documents in transit and at rest on all devices ;
  • Remotely configure and manage device policies;
  • Apply dynamic policy controls that restrict access to certain data or applications;
  • Enforce strict access controls and data rights on individual apps and services;
  • Continuously monitor device integrity to ensure PHI transmission;
  • Protect against malicious applications, malware and cyber threats;
  • Centrally manage policies and configurations across all devices;
  • Generate comprehensive compliance reporting across all mobile devices and infrastructure.

Just a wild guess here, but my hunch is that very few providers have gone to these lengths to protect the ePHI on clinicians’ devices.  In fact, my sense is that if Mr. Bad Guy stole a few iPads or laptops from doctors at random right now, they’d find a wide open field. True, the thief probably couldn’t log into the EMR(s) the physician uses, but any other clinical observations or notes — think Microsoft Office apps — would be in the clear in most cases.

Being a journalist, not a security PhD, I can’t tell you I know what must be done. But having talked to countless IT administrators, I can definitely see that this is a nasty, hairy problem, for many reasons including the following:

–  I doubt it’s going to be solved by a single vendor, though I bet you will be or are already getting pitches to that effect  — given the diversity of systems even a modestly-large medical practice runs.

– Two factor authentication that locks up the device for all but the right user sounds good, but add-ons like, say, biometrics isn’t cheap.

– Add too many login steps to doctors already tired of extra clicks and you may see mass defections away from EMR use.

– Remotely managing and patching security software on devices with multiple operating systems and network capabilities is no joke.

If you feel your institution has gotten a grip on this problem, please do chime in and tell me. Or feel free to be a mean ol’ pessimist like myself. Either way, I’d love to hear some of your experiences in protecting mobile data.  Maybe you have a good news story to tell.