Mobile devices and apps are increasingly becoming integrated into the healthcare continuum. Physicians use smartphones at work and recommend apps to their patients, hospitals use data generated through smartphone apps to keep tabs on patients with chronic conditions and consumers use now-ubiquitous smartphones and a variety of apps to monitor and engage in their own care.
However, there are a variety of issues to be considered before providers embark on a mobile health strategy. Most already know about the HIPAA compliance complications mobile devices and apps introduce, says Patricia King, associate general counsel at Swedish Covenant Hospital in Chicago. Providers know mobile devices do not have the same encryption capabilities as computers, and unsecured mobile networks and third-party apps on the device increase the risk for exposed data.
"Most hospitals are very aware of the security risks of mobile devices, and are taking steps to address the privacy and security concerns, especially through use of encryption," says Ms. King.
However, she says many providers have not fully prepared against more malicious threats. "I think that there is less awareness of the cybersecurity risks identified by the [Food and Drug Administration]," she says. To combat this risk, she recommends implementing FDA-recommended security procedures, including periodic checks of firewalls and other security patches and reducing the number of entry points to only those that are necessary.
For Swedish Covenant, the challenge of effectively managing mobile device security is why the hospital does not allow its physicians or employees to use personal mobile devices for work-related purposes, such as accessing patient information from the hospital's electronic health record system.
"Swedish Covenant is not yet permitting 'bring your own device' practices, because of the complexity involved in mobile device management where there are two information owners — the organization and the individual," she says. "Currently, we allow clinicians to access information on their devices through a secure Web portal, but do not push data to a device not owned by the hospital." However, she notes physicians at organizations across the country increasingly expect to be able to use their smartphones to view patient data and interact with hospital IT systems, which might compel a policy change down the road.
Because physicians and staff members do have their smartphones on them at work, Swedish Covenant has begun to provide training on how to avoid violating HIPAA or exposing protected health information when texting seems the most expedient form of communication. "[We're providing] guidance to staff and physicians on how to convey urgent information via text message without including PHI, and can push secure text messages to an app that can be loaded on a smartphone," she says.