Reports indicate that over 80 percent of physicians use either a cell phone or tablet in patient care and that by 2017 over 50 percent will utilize mHealth apps in delivering healthcare. A recent NIH study shows that the convenience, ease-of-use and availability of mobile devices has resulted in better clinical decision making, improved accuracy, improved efficiency and enhanced productivity. In addition, the NIH associated use of mobile devices with better patient outcomes, evidenced by a reduction in adverse events and shorter hospital stays. Since healthcare services are mobile by nature, the appropriate use of properly secured smart phones, tablets and mobile apps can improve the delivery of healthcare and patient outcomes.
While the FDA continues to regulate mHealth apps that perform medical device functions, such as those that analyze and transmit data from connected devices like ECGs, its February 2015 guidelines indicate a movement away from regulating mHealth apps that pose a low risk to the public. These include apps through which providers perform administrative functions or interact with patients’ medical records in the EHR/EMR, apps for patient self-management or self-monitoring of health information, and apps for patient coaching or education. This FDA movement may enable more innovation in mHealth.
However, concern with the privacy and security of patient information continues. The recent Ponemon Institute’s Fifth Annual Privacy and Security Healthcare Data Report states that 90 percent of healthcare organizations experienced a breach in the last year and that, for the first time, criminal activity exceeded loss or theft as the largest cause. Human error is the largest contributing factor, and smartphones and tablets are reported to be the most frequently compromised devices.
Criminal activity continues to follow the money. Criminal attacks on healthcare organizations have increased 100 percent since 2010. The World Privacy Forum reports that the street price for stolen medical information is about $50 compared to $1 for a social security number and the payout is 10 to one over financial information.
So, how can you reap the benefits of mHealth while securing the confidentiality, integrity and availability of your patients’ health information? The HIPAA Security Rule requires safeguards to maintain the security of ePHI.
OCR and HHS have issued guidelines (http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security) which recommend the following:
Encryption of the device and communications: Install and enable encryption on the device to ensure that ePHI is secure, and encrypt communications either through a VPN or a HIPAA-compliant text messaging system.
Keys: Use passwords or other authentication methods. While a PIN is typically the first level of entry into the device, an additional level of authentication, such as domain authentication, is recommended.
Remote Wipe: Install or activate remote wiping to erase data in the event the device is lost or stolen.
Firewalls: Install firewalls between public and private networks accessed through the device to prevent unauthorized access.
Security software: Install antivirus, anti-malware and other security software to protect against viruses, spyware, malware and other malicious attacks; do not allow it to be circumvented or disabled, and keep it updated.
Applications: Use only pre-approved mobile applications, or research an application before downloading it.
Physical control: Maintain physical control of devices and restrict access by unauthorized users. Whether personal devices are allowed (BYOD) or organization-issued devices are required, configure each device with appropriate security features prior to use. Prior to disposal of the device, ensure all data is permanently removed.
Use of a mobile device management (MDM) system is recommended; such systems include security features such as encryption, secure communication, remote wiping, firewalls and multi-level authentication. A variety of programs are available through service providers and third parties. The National Institute of Standards and Technology (NIST) also provides guidelines for securing mobile devices (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf).
Given the variety of healthcare information, the large number of persons who will touch the information, and the portable nature of mobile devices, there is a higher risk of human error in mobile health. So the following is recommended:
- Place the privacy of patient information at the forefront of all technology use and of the workplace culture.
- Implement policies which are clear, concise and enforceable and provide meaningful real-life training.
- Exercise control over the data. The HIPAA Privacy Rule mandates access or disclosure based on the “minimum necessary” rule. Limiting access or disclosure of patient information through mobile devices to those persons who need the information and limiting the content of information accessed or disclosed is critical.
- Properly dispose of the mobile device. Completely delete all data before replacing or disposing of the device.
- Finally, include mobile devices in your security risk assessment, which is required by HIPAA.
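One way to put the device safeguards listed above and the “minimum necessary” rule into code, as an added example (Python) that is not part of the original article: ePHI is released to a mobile device only when the device shows the recommended safeguards, and only the fields the requester's role needs are returned, with every decision logged for the risk assessment. The safeguard names, roles, record fields and inventory are assumptions constructed for illustration, not any MDM vendor's schema.

```python
from dataclasses import dataclass

# Device safeguards drawn from the OCR/HHS guidance above; attribute names are
# assumptions for a constructed inventory, not an MDM vendor's schema.
REQUIRED_SAFEGUARDS = ("encrypted", "pin_set", "second_factor",
                       "remote_wipe", "security_software_current")

# "Minimum necessary" views: the record fields each role needs on a mobile device.
# Roles and field names are assumptions chosen for illustration.
ROLE_FIELDS = {
    "clinician": {"name", "mrn", "allergies", "medications", "vitals"},
    "scheduler": {"name", "mrn", "next_appointment"},
    "biller": {"name", "mrn", "insurance_id"},
}

@dataclass
class Device:
    owner: str
    controls: dict  # safeguard name -> bool, as reported by the MDM inventory

def missing_safeguards(device):
    """Safeguards the device lacks; an empty list means it may hold ePHI."""
    return [s for s in REQUIRED_SAFEGUARDS if not device.controls.get(s, False)]

def mobile_record_view(record, role, device, audit_log):
    """Return only the minimum-necessary fields for `role`, and only to a compliant
    device. Every decision is appended to audit_log for later review."""
    gaps = missing_safeguards(device)
    if gaps:
        audit_log.append(f"DENY {device.owner} mrn={record['mrn']} missing={','.join(gaps)}")
        return None
    if role not in ROLE_FIELDS:
        audit_log.append(f"DENY {device.owner} mrn={record['mrn']} unknown role {role}")
        return None
    view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
    audit_log.append(f"ALLOW {device.owner} role={role} mrn={record['mrn']} fields={sorted(view)}")
    return view

# Constructed sample data (not real patients or devices).
RECORD = {"name": "Pat Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
          "allergies": ["penicillin"], "medications": ["metformin"],
          "vitals": {"bp": "120/80"}, "insurance_id": "INS-123",
          "next_appointment": "2015-07-01"}
COMPLIANT = Device("dr.alvarez", dict.fromkeys(REQUIRED_SAFEGUARDS, True))
UNMANAGED = Device("nurse.chen", {"encrypted": True, "pin_set": True})

if __name__ == "__main__":
    log = []
    print(mobile_record_view(RECORD, "clinician", COMPLIANT, log))  # no ssn, no billing
    print(mobile_record_view(RECORD, "clinician", UNMANAGED, log))  # None: device not compliant
    print("\n".join(log))
```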
Beth Pitman is Counsel with the Birmingham office of Waller where she works with the healthcare practice.