Healthcare providers like the benefits of mobile devices, but have to take security into account.
Smartphones and tablet computers are making patient data more accessible and mobile, but they’re also making that data less secure.
According to a survey last year by Manhattan Research, 85 percent of physicians use smartphones. Tablet usage by physicians nearly doubled in 2012 – to 62 percent from 35 percent. Mobile devices offer a wide array of benefits to health practitioners — the ability to communicate remotely with patients and colleagues, an inexpensive complement to diagnostic equipment, a fast transmitter of medical imagery, and a portal to access patient data.
But with increased usage comes greater vulnerability to data and privacy breaches. In a 2012 healthcare industry survey, 2012 HIMSS Analytics Report: Security of Patient Data, 27 percent of providers who responded indicated a breach within the previous 12 months.
The same study, commissioned by Kroll Advisory Solutions, reports, “As mobile devices proliferate in exam rooms and administrative areas, so do the associated vectors of potential attack…Added to this are the risks from employee negligence and organizational policies that have not kept pace with ever-changing technology.”
Because the federal government is requiring that records migrate to electronic platforms over the next few years, the stakes for privacy and security are high. Most medical professionals will have to confront these security issues whether they want to or not.
Dr. Gautam Gulati, of Washington, D.C.-based digital health solutions firm Physicians Interactive Holdings, noted that one of the most overwhelming aspects of new technology for physicians is simply taking the time to analyze whether that technology is going to be effective and safe to use.
“I don’t think there are any hurdles to creating HIPAA secure platforms,” said Gulati, referring to recent guidance for complying with Health Insurance Portability and Accountability Act rules.
“The technology is there. Companies know how to do it. The question is, who’s validating it? …There needs to be some level of credentialism,” Gulati said.
The app development process, which encourages a liberal amount of innovation on the part of software developers, can inspire wariness on the part of medical professionals, who might be overly cautious about an app harvesting patient data or downloading additional, malicious software.
The Food and Drug Administration has been hesitant to impose regulations on mobile devices used in healthcare settings. Last month it reiterated that it would not regulate the sale or consumer use of smartphones or tablets for fear of bogging down the market, and that it would primarily concern itself with apps that function alongside or in place of diagnostic equipment. Apps pertaining to electronic medical records would not be subject to these rules.
But that can lead to confusion and delay of fully employing best practices on the part of doctors, said Gulati, especially in smaller medical settings without staff dedicated to IT. “There’s no real certification process you have to go through—I could be some Joe Schmo starting out with some text message communication service out of a garage and make that into a HIPAA compliant platform,” he said.
Losing a device is the most common reason for a breach, with such incidents doubling from 2010 to 2012, according to the HIMSS report. Furthermore, the chance of complications increased if a third party vendor was involved with storing data. A vendor’s security procedures may ultimately not be in sync with those of a hospital, for example, or may have servers in a location that proves to be unstable.
The Office of the National Coordinator for Health Information Technology last year released a number of suggested guidelines healthcare providers can implement in order to shore up security on mobile platforms.
“We want to help them make the decisions that health care providers need to keep that information secure,” said Peter Ashkenaz, a spokesperson for ONC.
The guidelines suggest first identifying how mobile technology can be most usefully employed within a particular setting. Once those main uses are determined, potential risks in security should next be identified. Finding safeguards against those risks comes next, followed by developing workplace policies and support documentation. Lastly, staff training and regular audits of the procedures makes sure the system gets put into place effectively.
ONC placed special emphasis on providers using encryption in its guidelines. “People need to learn and know how to encrypt those mobile devices,” Ashkenaz said.
There are an estimated 40,000 healthcare-related apps and 500 mobile health initiatives. Smartphones and tablets are already proving to be robust additions to the medical workplace, according to Dr. Gilati, who added that providers must commit to carefully weighing the benefits and risks.
“I don’t think anyone can question that mobile technology can positively impact the workflow in a healthcare setting — the challenge is going to be, are we going to allow for it?” said Dr. Gilati. “We can’t be afraid to be innovative.”