Ensuring Security of Mobile Devices
The only way to fully protect texted information is to use an encrypted device.
With each new form of communication integrated into physicians' offices, HIPAA has evolved and expanded to ensure that health information is protected. As an increasing number of mobile devices are being used for patient care, this has become the new Wild West. Here's what to know about keeping mobile technology safe.
If nurses at a dialysis facility wanted to get hold of a doctor, they used to call the office, leave a message, and get a return call when the physicians were between office visits. When physicians began carrying cell phones, they were more reachable, but often wouldn't answer during appointments so as not to disrupt patient care.
Then came texting.
“Texting quickly became accepted as a part of a non-interrupted stream of communication where a doctor could be with a patient, glance at a text, and make a decision whether it was urgent or not,” said Robert Provenzano, MD, vice president of medical affairs for DaVita HealthCare Partners Inc. “And nurses prefer texts because they can get an answer more rapidly.”
Texting has been somewhat ignored under HIPAA, but hospital systems are becoming increasingly concerned about its implications in the realm of patient confidentiality, Dr. Provenzano said.
Texting between doctors and nurses is generally frequent and informal. The only way to fully protect texted information is to use an encrypted device, something Dr. Provenzano said most doctors don't have.
Though encryption can keep messages safe, James Wieland, head of the Health Care Information Privacy, Security and Technology practice at Ober Kaler, discourages texting as a way to transmit patients' information.
“Unless you have special services that are available, text messaging is inherently insecure,” he said.
The gold standard for keeping all mobile devices, including smart phones, laptops, and thumb drives, safe is encryption. “These days, there is no excuse not to have them encrypted,” Wieland said. “The risk is too great.”
While there are organizations that provide this service, to make it truly secure, it has to be performed end-to-end, Wieland said. In other words, it requires encryption of the device sending the text and the device receiving it.
If there is a breach of more than 500 records, it is automatically investigated and an office can be sanctioned, he said. This makes the cost of encryption appear manageable, at only $20 to $25 per device – or less than the cost spent when “your lawyer picks up the phone and puts an earpiece in their ear,” he said.
If an office opts not to encrypt devices, there are other options for protecting information. Strong password protection is one route, but it can be difficult to implement across the workforce. Most people want to use quick passwords like 1234. Ensuring everyone creates passwords like 7R*F3@ can be a challenge.
Offices can also set phones so they do not retain data or ensure emails sent via smart phone are encrypted and not downloaded into the phone's memory. If a phone is reported lost, there is also technology that can wipe the device's memory.
A final step is establishing and then enforcing clear policies, said Emily Wein, a principal at Ober Kaler's health law group. Once procedures are put in place, they have to be enforced through disciplinary action to have any “teeth,” she said.
Another burgeoning realm is apps. Though apps are not often used by physicians, there is dramatic growth on the consumer side. Not all apps used, however, require security measures on the part of the physician, said Robert Hancock, vice president of sales with MobileSmith Inc.
Some apps require no patient information. They could be general instructional information for a condition, disease warning signs, or prevention advice. Physicians don't need to worry about security on these apps.
A second category lets a patient have some control over care. These include medication alarms or tracking health information or side effects of medications. Assuming this information is always on the patient's device, a physician just needs a disclosure when the app is downloaded, attesting that their office is not responsible for the information.
The final scenario occurs when information is exchanged between a patient and a provider. If at any time information is transmitted to a physician and stored to use for clinical processes, it becomes protected health information that must be secured.
Physicians can use existing pathways, like those on a patient portal, for transmission and storage. Sometimes, though, that isn't possible. If this is the case, an office can opt for something like Amazon's cloud storage that is HIPAA compliant, Hancock said. He recommends physicians partner with a solutions provider when delving into the security of mobile apps that involve protected health information.